
Re: Web pages for MASS effort

2005-01-10 09:31:45

In <1105369526(_dot_)5698(_dot_)89(_dot_)camel(_at_)hades(_dot_)cambridge(_dot_)redhat(_dot_)com>
David Woodhouse <dwmw2(_at_)infradead(_dot_)org> writes:

> On Mon, 2005-01-10 at 09:37 -0500, Andrew Newton wrote:
>
>> How would you characterize its "massive" acceptance compared to
>> everything else?
>
> As far as I can tell, it's largely due to extremely disingenuous
> marketing on the part of the SPF advocates. [...]
>
> It's also due to the fairly misleading nature of statistics. The
> statistic which gets quoted is the number of domains publishing SPF
> records -- about 0.3% IIRC. However, that includes those who end their
> record in '?all', which is mostly a no-operation. And more to the point,
> there are far fewer people actually _checking_ SPF and rejecting mail
> for a failure.

David, your statistics and complaints are extremely disingenuous.

I have posted statistics about SPF usage both to the SPF-discuss list
and to MARID that show a far higher publication rate, both in terms of
absolute numbers of domains publishing and in terms of email volumes.  I
know that you have read (and posted to) both of those lists.

I have published statistics that show that most SPF records end in
-all.  Publishing SPF records with ?all is not a no-op as long as most
legitimate email from that domain gets marked as PASS.  If the SPF
check passes, then you can much more reliably whitelist *or* blacklist
that domain.  The fact that many spammers publish SPF records is great
because we can now blacklist them easier.  The same goes for spam that
will be correctly signed with DK or SES, or passes CSV checks.  While
it would be great to have all email correctly identified as either
authorized or not, neutral/unknown cases will exist for many years.

While there are fewer mail admins checking SPF records than
publishing them, all the evidence I have indicates that there is more
email checked against SPF records than all other designated sender
systems combined.  


> I do see the point in accepting something which is 'good enough' rather
> than striving for perfection, but I don't think that SPF is it. SPF just
> has too many false positives, and the idea that people will all
> implement SRS is really just a pipe-dream. Given that DomainKeys is
> deployable today, I really can't see the justification for pushing SPF.

Lots of stuff is "deployable today", the hard part is doing the work
to actually get it deployed.  I've been hearing about DK since the
summer of 2003.

I keep looking, but I have yet to see real-world data on the
false-positive rates for things like DK, CSV, SenderID, etc.  The
SpamAssassin folks (thanks Justin Mason & Dan Quinlan) published
information about SPF's false positive rate at least a year ago.  The
scores that they released in their 3.0 version show that SPF is
useful, but not infallible.  I don't know what their plans on checking
things like DK or IIM are, but I hope they do and I know I will be
interested in seeing their results.



> My definition of 'good enough' would be DomainKeys, IIM etc. as they
> stand today, used only for the 'most recent sender'.

By the 'most recent sender', do you mean that you think it is 'good
enough' to require mailing lists to re-sign their traffic?

Do you have real-world data on the false-positive rates on these
schemes?


-wayne
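The disagreement above about whether a record ending in `?all` is a "no-op" comes down to how SPF qualifiers are evaluated. The following is an added illustration, not code from this thread or from any SPF implementation: a deliberately simplified SPF evaluator that understands only `ip4`/`ip6` mechanisms and `all` (no DNS, so `include`, `a`, `mx`, `ptr` and `exists` are rejected), run over two constructed records for made-up domains. It shows that a `?all` record still yields PASS for the domain's listed senders, which is exactly the result a receiver can attach a domain's reputation to, while unlisted senders land on NEUTRAL rather than FAIL.

```python
import ipaddress

# Constructed sample records for fictional domains; the "?all" and "-all"
# endings are the two cases argued about in the thread.
RECORDS = {
    "neutral.example": "v=spf1 ip4:192.0.2.0/24 ?all",
    "strict.example":  "v=spf1 ip4:192.0.2.0/24 -all",
}

# SPF qualifier prefix -> result for a matching mechanism.
QUALIFIERS = {"+": "PASS", "-": "FAIL", "~": "SOFTFAIL", "?": "NEUTRAL"}


def evaluate_spf(record, sender_ip):
    """Return the SPF result for sender_ip against an spf1 record.

    Simplified evaluator (assumption of this example): only ip4, ip6 and
    all mechanisms are supported, so no DNS lookups are needed. Mechanisms
    are tried left to right; the first match decides. If nothing matches
    and there is no 'all', the default result is NEUTRAL.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "NONE"                      # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                    # implicit qualifier is '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]   # 'all' always matches
        if name in ("ip4", "ip6"):
            # 'in' returns False for a v4 address against a v6 network
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
            continue
        raise ValueError(f"mechanism {name!r} needs DNS; not supported here")
    return "NEUTRAL"


def receiver_action(result):
    """What a receiver can do with each result (one reasonable policy).

    PASS ties the message to the domain, so per-domain reputation
    (whitelist or blacklist) applies. FAIL is an explicit statement by
    the publisher. NEUTRAL and SOFTFAIL carry no usable assertion, so the
    receiver falls back to whatever other checks it runs.
    """
    return {
        "PASS": "apply domain reputation",
        "FAIL": "reject or score heavily",
        "SOFTFAIL": "no assertion; fall back to other checks",
        "NEUTRAL": "no assertion; fall back to other checks",
        "NONE": "no SPF record; fall back to other checks",
    }[result]


def classify(domain, sender_ip):
    """Look up the constructed record for domain and return (result, action)."""
    result = evaluate_spf(RECORDS[domain], sender_ip)
    return result, receiver_action(result)


if __name__ == "__main__":
    for domain in RECORDS:
        for ip in ("192.0.2.10", "198.51.100.7"):   # listed vs. unlisted sender
            print(domain, ip, *classify(domain, ip), sep="\t")
```

Run as a script it prints one line per (domain, sender) pair; the listed sender 192.0.2.10 is PASS under both records, and only the `-all` record turns the unlisted sender 198.51.100.7 into a FAIL.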

