On Sat, Jun 12, 2004 at 03:06:39AM -0400, Hector Santos wrote:
Give me one site that really utilizes the client side of SPF?
Not sure what this question ask.
Let me see one serious site that rejects mail from AOL.com because the IP
that sent the message was not on the SPF list.
Serious business companies CANNOT do it, as it will raise their false
positive
rate and nobody will do that.
Whats the difference between a serious business and a just plain anyone else
running a legitimate mail server servicing end-users, internal or otherwise?
Nothing. Neither of these can reject messages based on SPF information.
I, as a private person can do, if I don't care to piss off some friends.
Local User Validation is (should be) a important part of the anti-spam
effort/design. Not only will it help eliminate the overhead in MARID lookup
requirements but it will also reduce your bounce requirements which is a
major part of the SORBIG-based virus dual-tier distribution logic.
For Sober use:
if HELO.host == MAILFROM.username"."MAILFROM.tld
if MAILFROM.username == MAILFROM.domain pass()
else reject()
but I agree on the local user validation.
That's the reason why most spam engines use the reverse MX path. We have a
special setup with a special backup MX and catch about 40% of all spam that
way.
\Maex
--
SpaceNet AG | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development | D-80807 Muenchen | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
proportional to the amount of vacuity between the ears of the admin"