ietf-mxcomp

RE: Adoption of MARID, SPF and alternatives and thoughts on cost

2004-05-13 17:22:34

On Thursday May 13, michel(_at_)arneill-py(_dot_)sacramento(_dot_)ca(_dot_)us wrote:
> Neil Brown wrote:
> > people who think that MARID and/or SPF are cheap ways
> > to curb spam and/or phishing schemes are simply wrong.
> > It isn't that easy.
>
> You missed my point: people will use MARID and SPF in any way they see
> fit, not according to the way the IETF think they should. This has been
> proven over and over.

Undoubtedly.
However, what people "see fit" will likely be influenced by what they
hear/read.
If people hear "MARID and SPF can stop spam", they are more likely to
use it to try to stop spam than if they hear "MARID/SPF gives useful
weighting to spam detection heuristics".

Obviously the first is easier to say and more attractive, so more
people are likely to say it and to listen to it.  But those who
understand the realities should make an effort not to make such untrue
statements, and to counter them when they are made.  That way
(hopefully) fewer people will make uninformed decisions.




> > SPF only has real value when it says "pass" - the
> > return address looks valid. When it does that, you
> > can reliably check the address against a white list
> > or black list, and can return advisor messages to
> > the address. When it says "fail" or "neutral" or
> > "softfail", you can add that as a negative weight
> > to heuristic spam filtering.  The more sites that
> > publish reliable SPF, the more negative the weight
> > can be.
>
> I understand this, nevertheless people that have chosen aggressive spam
> filtering techniques will likely see it another way, which is more black
> and white: fail = dump, anything else = process through
> white/blacklists, heuristics, etc.

That is certainly their choice, hopefully with informed consultation
with their customer/clients/colleagues.  I just think that the
language used in public discussions and especially in standards
documents should make the realities and the consequences clear.

My observation is that a lot of the language used is more
pie-in-the-sky than reality.

Thank you for your comments.

NeilBrown
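
The two filtering policies contrasted in this message, as an added example that is not part of the original post: SPF as a weighted heuristic input versus "fail = dump". The weights, threshold, `adoption` parameter and sample messages are constructed assumptions, and the score convention is higher = more spam-like.

```python
# Added example. Weights, threshold and messages are constructed for illustration.
# Score convention (assumption): higher = more spam-like, so the thread's
# "negative weight" for a non-pass result is a penalty added to the score.
SPF_PENALTY = {"fail": 1.0, "softfail": 0.5, "neutral": 0.25}
THRESHOLD = 5.0
MAX_PENALTY = 4.0  # penalty for "fail" if every site published reliable SPF

def list_lookup(sender, whitelist, blacklist):
    if sender in blacklist:
        return "reject"
    if sender in whitelist:
        return "accept"
    return None

def weighted_verdict(msg, whitelist, blacklist, adoption):
    """SPF as one heuristic input. adoption (0..1) is an assumed estimate of
    how widely reliable SPF is published; it scales the penalty."""
    score = msg["content_score"]
    if msg["spf"] == "pass":
        # Only a pass validates the return address, so only then are the lists consulted.
        listed = list_lookup(msg["sender"], whitelist, blacklist)
        if listed:
            return listed
    else:
        score += SPF_PENALTY.get(msg["spf"], 0.0) * MAX_PENALTY * adoption
    return "reject" if score >= THRESHOLD else "accept"

def strict_verdict(msg, whitelist, blacklist):
    """Black-and-white policy: fail = dump, anything else through lists and heuristics."""
    if msg["spf"] == "fail":
        return "reject"
    listed = list_lookup(msg["sender"], whitelist, blacklist)
    if listed:
        return listed
    return "reject" if msg["content_score"] >= THRESHOLD else "accept"

WHITELIST = {"partner@example.com"}
BLACKLIST = {"bulk@example.net"}
MESSAGES = {  # constructed samples
    "legit_but_fail": {"sender": "alice@example.org", "spf": "fail", "content_score": 0.5},
    "forged_spam": {"sender": "partner@example.com", "spf": "fail", "content_score": 3.5},
    "known_bulk": {"sender": "bulk@example.net", "spf": "pass", "content_score": 1.0},
}

if __name__ == "__main__":
    for name, msg in MESSAGES.items():
        print(name, strict_verdict(msg, WHITELIST, BLACKLIST),
              [weighted_verdict(msg, WHITELIST, BLACKLIST, a) for a in (0.3, 0.9)])
```

With these constructed values, the strict policy drops the low-scoring message that merely fails SPF, while the weighted policy keeps it at both adoption levels and rejects the forged message only once the assumed adoption is high enough to justify a heavier penalty.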