ietf-822

Re: SPF I-D for review: draft-schlitt-spf-classic-01.txt

2005-05-21 01:08:00

Richard Clayton wrote:
 
not that I'm not impressed, but this isn't a huge amount yet :)

Indeed, but after my own ISP published a SPF FAIL sender policy
more than a year ago, and it wasn't exactly an "early adopter",
the "experimental" phase is now done.

One important point about it, it's a voluntary system.  Unless
they get tons of "backscatter" normal domain owners can ignore
it.  And of course some domains like say aol.com have more mail
users than others.

ISC says there were 317 million hosts in January

For SPF you'd need a good guess of domains used in mail, and
then add voluntary participants (= victims of backscatter)
plus spammers thinking (incorrectly) that a PASS result helps.

The adoption rate is still a bit disappointing.  It's probably
a side-effect of the MARID disaster with its confusion about
v=spf1 and spf2.0/pra (they are different and incompatible).

And of course the insane hype about SPF as some "FUSSP" died -
in fact that's good, but won't attract clueless masses anymore.

So << 1% ?  (even less if spammers use SPF, which they do)

The last German rightwing propaganda worm (Sober-Q) ignored SPF,
in other words it forged also my vanity host catch-all address
despite its SPF FAIL.

OTOH this was the first case of "backscatter" (less than 100) I
got in the last eight months.  Sites checking SPF have rejected
this crap with my addresses, and mail worms don't bounce.

The idea is to stop forgeries.  If you see zero percent of spam
with forged addresses ("forged" as defined by SPF, DK, etc.) 
this battle is over.  Don't hold your breath, and of course it
doesn't mean zero spam.
                            Bye, Frank