
Re: [Asrg] Re: Disaster looming: SPF

2004-12-09 02:58:10
On 12/5/2004 4:49 PM, Frank Ellermann sent forth electrons to convey:

Matthew Elvey wrote:

SPF breaks MUCH MORE than is necessary to achieve sender
authorization and authentication.

That's not true.

SPF breaks (some) forwarding. SPF breaks configurations of users* who send from more than one address!
These were discussed here before, yet you are denying the breakage.

CSV achieves sender authorization and authentication without such breakage!

SPF is simply a way to enumerate all IPs of
MTAs using HELO do.ma.in or MAIL FROM:<user@do.ma.in>

The drafts claim to do a lot more than that. (Also, SPF is marketed as a way to identify and discard junk email.)


A bigger problem is the ISP end-user support nightmare
looming around the corner: the reconfiguration of every power
user's MUA, since SPF breaks their current configuration.

How do you define "power user", direct-to-MX maybe?

No, see comment*.


It's not going to happen.

Ok, it would cost Comcast alone $58 million to reconfigure their population to use mail servers 'correctly' to avoid port 25 blocking, according to news articles. How much will it cost to reconfigure the world's users with more than one email address to use the 'correct' (according to SPF) mail server for each address - if their mail software even supports such a configuration!? :(

Just watch while it's happening, worms and spammers daily forge
addresses of innocent bystanders, and everybody hit by the side
effects of these forgeries is an SPF addict within hours.

Sorry, but I'm hit by these side effects, but I'm no SPF addict. What big sources of backscatter are going to stop sending me spew if I start taking the SPF drug? Heck, elvey.com has an SPF record with a ~all, and it _still_ gets tons of backscatter.

* http://www.imc.org/ietf-mxcomp/mail-archive/msg01175.html :
Are users forced to send through MTAs authorized for the domain they use in outgoing mail: no for CSV, yes for SPF. Wow, that's not a lot of systems that need touching in order to continue to work, relatively speaking! (Around 2 orders of magnitude (10000% in marketspeak) greater than CSV).


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
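
An added illustration, not part of the original message or of any SPF draft: a minimal evaluator for the `ip4` and `all` mechanisms only, run over the situations debated in this thread (direct delivery, forwarding with MAIL FROM unchanged, a user sending one domain's address through another domain's server, and a `~all` policy). The domains, IP addresses and records are constructed for the example.

```python
import ipaddress

# Constructed SPF policies (documentation addresses, not real records).
RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 -all",     # hard fail for everyone else
    "example.net": "v=spf1 ip4:198.51.100.0/24 ~all",  # soft fail for everyone else
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, mail_from):
    """Evaluate ip4 and all mechanisms only, left to right; first match wins."""
    domain = mail_from.rsplit("@", 1)[1].lower()
    record = RECORDS.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"                      # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:]):
            return QUALIFIERS[qualifier]
    return "neutral"                         # nothing matched


def scenarios():
    """The cases argued about in the thread, keyed by a short label."""
    return {
        # Sent through the domain's own MTA.
        "direct": check_spf("192.0.2.25", "alice@example.org"),
        # Same message relayed by a forwarder that keeps MAIL FROM unchanged:
        # the receiver sees the forwarder's IP, not example.org's.
        "forwarded": check_spf("203.0.113.7", "alice@example.org"),
        # A user with two addresses sends example.org mail via example.net's MTA.
        "second_address": check_spf("198.51.100.10", "alice@example.org"),
        # With ~all, an unauthorized sender only gets softfail.
        "forged_softfail": check_spf("203.0.113.99", "bob@example.net"),
    }


if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label:16} {result}")
```
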