On Fri, Jan 20, 2006 at 12:29:08PM -0800, Joe Emenaker wrote:
> Juha-Matti Tapio wrote:
> > SPF works only as long as spammers actually start to use it massively
> > themselves (and I think I have read somewhere that many have already
> > started to use it). If most servers start checking SPF, eventually all
> > spammers will start to use valid SPF-configured envelope addresses.
> > After that SPF does not help at all...
> .. except for the fact that it *dramatically* increases the
> effectiveness of your RBLs. At present, if a spammer's domain gets
> blacklisted, they'll just spoof someone else's. SPF will prevent that.

Actually I am not sure about the effectiveness either. I grepped a bit
around my personal mail server's spamassassin-rejected mails and here are
my figures:

Permanent rejects: 5069 (12+ points)
 - SPF ok: 68
 - SPF failed: 38
Temporary rejects: 2105 (7+ points)
 - SPF ok: 58
 - SPF failed: 5

Though my mail load is probably not at all demographic and these figures
should be taken with a grain of salt. But at least in my example more spam
passes the SPF test than fails it, and failures start to correlate with
spamminess only when it is otherwise obvious that the message is spam.

> In essence, SPF would give the spammer "no place to run" when they get
> found out. I'm honestly curious to see what they do to counter it. My
> only guess is that they'll have to register a bunch of "throw-away"
> domains with names like "slk2l2jhldwfhsad9123jn.com", which they use to
> send out spam for a day and then abandon it.

In a couple of minutes I can think of at least the following ways to get
around that:

a) Use any domain that either does not have SPF records or allows any
   sources. For example I would be really surprised to ever see actually
   effective SPF records on debian.org.
b) Use the domain of the ISP of the zombie machines.
c) Actually register a throw-away domain for a single spam run. Domains
   are fairly cheap and it is possible to send very, very much spam before
   blacklisting takes effect. In fact spammers already use throw-away
   domains for the websites that they need to operate to sell stuff.

I myself am not going to put SPF records on my DNS because limiting my
mail sending options would be a major inconvenience and I do not want to
let spammers inconvenience me. That feels almost like giving up. For a
single person the inconvenience is often acceptable, but limiting all the
customers of an ISP to sending through a small set of servers sounds to me
like a customer service nightmare.
Attachment:
signature.asc
Description: Digital signature
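The three evasion routes (a), (b) and (c) above all come down to one property of SPF: a check only answers "is this IP authorised to send for this MAIL FROM domain", and says nothing about whether the domain is worth trusting. The toy evaluator below is an added example, not code from the mail or from any SPF library. It runs against a constructed in-memory "zone" (every domain, IP and record in it is made up; 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges), supports only the ip4, a, include and all mechanisms, and simplifies include to "match on pass". It then evaluates the same spam-sending IP against each of the cases from the mail: only the spoofed strict domain fails, while a record-less domain, a +all domain, an ISP whose record covers its customer pool, and a freshly registered throw-away domain all pass or return none.

```python
"""Minimal SPF evaluator over a constructed, in-memory zone (no network).

Added example, not from the original mail. Supports ip4, a, include and
all with the qualifiers + - ~ ?. Everything in SPF_RECORDS/A_RECORDS is
invented for illustration; the 'include' handling is a simplification of
RFC 4408 (an include matches only when the included domain returns pass).
"""
import ipaddress

# Constructed zone data standing in for DNS TXT and A lookups.
SPF_RECORDS = {
    "strict.example":    "v=spf1 ip4:198.51.100.10 -all",
    "open.example":      "v=spf1 +all",                    # authorises any sender at all
    "dsl-pool.isp.example": "v=spf1 ip4:203.0.113.0/24 ~all",  # ISP customer address pool
    "isp.example":       "v=spf1 a:mail.isp.example include:dsl-pool.isp.example -all",
    "throwaway.example": "v=spf1 ip4:192.0.2.77 -all",   # spammer's own fresh domain
    # "nospf.example" deliberately has no record at all (case a)
}
A_RECORDS = {"mail.isp.example": ["203.0.113.5"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Return the SPF result ('pass', 'fail', 'softfail', 'neutral',
    'none' or 'permerror') for `ip` sending with MAIL FROM in `domain`."""
    if depth > 10:                      # guard against include loops
        return "permerror"
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"                   # no record: SPF has nothing to say
    terms = record.split()
    if terms[0] != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qual = "+"                      # default qualifier is '+'
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qual]
        if name == "ip4":
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == 4 and addr in net:
                return QUALIFIERS[qual]
        elif name == "a":
            target = arg or domain
            if any(addr == ipaddress.ip_address(h) for h in A_RECORDS.get(target, [])):
                return QUALIFIERS[qual]
        elif name == "include":
            if check_host(ip, arg, depth + 1) == "pass":
                return QUALIFIERS[qual]
        else:
            return "permerror"          # mechanism this toy evaluator does not implement
    return "neutral"                    # no mechanism matched and no 'all' term


# Constructed scenarios: (sending IP, MAIL FROM domain) for each case in the mail.
SCENARIOS = {
    "spoof_strict":  ("192.0.2.77", "strict.example"),      # spoofing a -all domain
    "no_record":     ("192.0.2.77", "nospf.example"),       # (a) domain without SPF
    "open_record":   ("192.0.2.77", "open.example"),        # (a) domain with +all
    "zombie_at_isp": ("203.0.113.200", "isp.example"),      # (b) bot inside the ISP pool
    "throwaway":     ("192.0.2.77", "throwaway.example"),   # (c) spammer's own domain
}


def run_scenarios():
    """Evaluate every scenario; returns {name: spf_result}."""
    return {name: check_host(ip, dom) for name, (ip, dom) in SCENARIOS.items()}


def rejected_by_spf(results):
    """Names of scenarios a receiver rejecting on SPF 'fail' would stop."""
    return [name for name, res in results.items() if res == "fail"]


if __name__ == "__main__":
    results = run_scenarios()
    for name, res in results.items():
        print(f"{name:14s} -> {res}")
    print("rejected:", rejected_by_spf(results))
```

Running it shows that a receiver which rejects only on SPF fail stops exactly one of the five sends, the spoof of a domain with a strict record. The other four are precisely the cases the mail lists, and each of them produces pass or none, which is consistent with the figures quoted above where more spam passes the SPF test than fails it.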