On Mon, Nov 13, 2006 at 01:48:36AM +0000, Jon Grant wrote:
Could you tell me if SPF is widely adopted now? Is my understanding
correct, in that if all domains had SPF records set in the DNS fields
this would prevent fraudulent spam. But it would still mean that
spammers could have accurate SPF records for their domains and then send
spam from those domains?
SPF is not about spam. SPF is about forgeries.
Let the spammer use his own domain, fine. It may even be SPF protected.
Who cares if a message is forged or not: if it is from a spammer domain,
I don't want it.
And no, if everyone publishes a record, that won't do any good. What
is needed is that everyone >>also<< >>uses<< the records published by
You want your record to be used by others (because you want forgeries
to stop). Then you can understand that others want you to check their
records as well.
I could also see a potential problem where a spammer has a compromised
machine on a Tiscali ADSL connection, he looks up from his list email
domains which can send email from smtp.tiscali.co.uk and inserts
user(_at_)tiscali(_dot_)co(_dot_)uk in the MAIL FROM field. Would that defeat
protection SPF provides?
In stead of sending out millions of messages from a random domain, the
spammer needs to know the mail configuration of the hacked host, and
use that. Makes life more complicated for him, no?
But the most important thing is: you won't get the bounces. At least,
not if everyone starts using SPF records when they receive mail.
If the hacked account gets millions of bounces, how long do you think
it takes before that user will clean his zombie-PC ? I can tell you
this: much sooner than when that same zombie-PC sends mail in your name.
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
please go to http://v2.listbox.com/member/?list_id=735