Barry Shein <bzs(_at_)world(_dot_)std(_dot_)com> wrote:
On September 10, 2004 at 17:21 esr(_at_)thyrsus(_dot_)com (Eric S. Raymond)
Barry Shein <bzs(_at_)world(_dot_)std(_dot_)com>:
Spammers no longer use static domains, and they haven't for years.
That's right. They joe-job my domain instead, and I get over a
thousand bogus bounces a day. If SPF deployment does nothing but stop
that (which it can), it's a win. Meng has picked this piece of the
problem and is addressing it effectively.
So now SPF is mostly useful for people with vanity domains who run
SMTP for those vanity domains?
No, it's useful for anybody with a domain who doesn't want to receive
bounces for forgeries of his domain. That includes, for instance,
mail.com; big enough for you?
What it's doing is introducing widespread authentication (PAPERS
PLEASE!) without any obvious or widespread benefits to even remotely
The benefit is that nobody can get away with forging email from my
domain unless he can actually send it from an IP address I've
authorized it to emanate from. I think that's good.
If I ran an ISP, I wouldn't authorize every dialup luser to emit mail
with my name, I'd authorize only my mailservers. The lusers can send
mail via the mailserver; that's what they're supposed to do.
No, SPF is not only mostly useless and ill-conceived, it has a
dangerous civil liberties aspect to it that goes beyond, e.g.,
anything I have to do to mail a paper letter or make a phone call.
If you don't claim to be from my domain, my SPF record has nothing to
do with you. The recipient always knows the IP you're sending from,
and the domain you _claim_ to be. The only thing SPF adds is the
ability for the owner of that domain to specify whether or not that IP
is _authorized_ to send email for (from) that domain.
So I, and everyone else, has every right to demand to know, and
examine carefully and critically, what the benefit is before we're all
asked to show our identification every time we want to send an email.
You're showing the same information. Whether or not SPF is published
is up to the domain owner. Whether or not and how the result of an
SPF check is applied is up to the recipient, as always.
But if the benefits are so thin and vaporous I say to hell with it
So ignore it. But please don't send me bounces for forged mail that
came from IP addresses I didn't authorize to send mail from my domain,
lest you be considered a spammer.
Asrg mailing list