Ian Eiloart wrote, On 6/22/09 10:16 AM:
--On 22 June 2009 07:19:04 -0500 Gordon Peterson <gep2(_at_)terabites(_dot_)com>
wrote:
[...]
In my personal mailboxes I have (way) more than 50,000 archived
bounceback messages to e-mails which I have never sent... just because
they have a (forged, and generally invalid) From: address that is
supposedly in one of my domains.
Since I haven't sent these messages (neither intentionally, nor by
irresponsible management of my systems here) there is NOTHING I can do to
prevent such messages.
There is, actually. If you publish SPF records with a strong -all, then
recipients can easily decide to reject (not bounce) messages. Add DKIM
signatures, and they'll be able to tell when someone has forwarded your
legitimate email.
Do you have any evidence that this actually works to any detectable degree?
I have solid proof that it is far from perfect, but I only have a handful of
addresses that ever had significant bogus bounce flow in the one domain I
could safely use in a SPF '-all' effectiveness test. The first 5 years of
that test have shown a slow drop in the rate of bad bounces in general
offered to that domain, but it isn't much more proportionally than the drop
from a dribble to a trickle that I've seen for a domain with no SPF record.
The noise in my minuscule and weakly controlled data makes it quantitatively
worthless, but on a qualitative basis it makes clear that strong SPF records
are not yet a strong universal tool for preventing blowback bounces.
If you are aware of SPF being any more useful than prayer at controlling
blowback, please share it.
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg