On Wed, Dec 08, 2004 at 01:44:13AM +0100, Frank Ellermann wrote:
Ya know, not all mail users are also MTA admins/developers.
If you're hit by 1000 bogus bounces
You use SES or Mark's SRS-like trick, with less impact on other
functioning of mail.
/ challenges / vacation
mails per day -
If they're in response to forgeries, SES hits them too.
Unless they use a non-empty envelope sender, but then the operators and
developers of those systems should be shot.
in addition to the ordinary spam - and equipped
with a modem, then you're willing to learn these things fast.
Frankly, I'm a high scale mail user, my mail address has been in use for
more than 5 years, it's visible in the web and in Usenet news.
Things work still. I'm getting less than 100 spam mails per day
(including a .forward from another address which is quite old too),
and I do count virus notifications, vacation mails etc. among spam too.
Statistical filtering still works quite well.
Lazy users might try to get a bigger mailbox and DSL first, and
maybe they disable the catch-all for their vanity domains, but
whatever they do, sooner or later they either give up on SMTP
or look for real solutions.
I am, at least, not (yet) at that point, even without having SPF or SES
implemented on this site (yet).
And, as others already said: SPF won't stop spam. It will stop some
auto-responses to forgeries, which will be one use I'll probably enjoy
too. It'll make it a bit easier to use blacklists against spammers again
(though not so much, throwaway domains are still too cheap, so the SPF
aware spammer will get one, publish an SPF record that allows all his
IPs as well as IPs of computers he hacked, and get fine SPF passes and
no blacklist entry - ok, it'll gain him a blacklist entry soon, but
usually only after the current spam wave is over. And the next spam wave
just gets another throwaway domain, that increases the costs of spam
just by a few percent, sorry to be pessimistic about that a bit, but
SPF alone won't help; SPF pass w/o whitelist can be spam too, SPF pass
w/ whitelist can be less spammy, of course, but SPF pass w/o whitelist
shouldn't be counted as spam either, as else valid replies to my Usenet
postings wouldn't come through either).
And in this last paragraph, you can substitute *many* sender
authentication schemes for SPF, too. Sender ID won't do that either.