ietf-mxcomp

Re: SPF abused by spammers

2004-09-09 07:58:49

Isn't that what I said would happen?

                --Dean

On Thu, 9 Sep 2004, Markus Stumpf wrote:
Justin Murdock posted this link on the qmail list:
    http://news.bbc.co.uk/1/hi/technology/3631350.stm
    "CipherTrust [...] found that 34% more spam is passing SPF checks than
    legitimate e-mail."

      \Maex
Date: Tue, 10 Aug 2004 19:55:57 -0400 (EDT)
From: Dean Anderson <dean(_at_)av8(_dot_)com>
To: 'IETF MARID WG' <ietf-mxcomp(_at_)imc(_dot_)org>
Subject: Analysis of SPF benefits for reduced filtering


It has been reported that AOL is already using SPF to give reduced 
filtering to SPF-using domains. Is this a good idea?

IF you use SPF to provide less stringent anti-spam processing, then you
are MORE vulnerable than you were before. You have shot yourself in the
foot.  Suppose for example that AOL subjects MSN users to less stringent
anti-spam filtering because MSN uses SPF.  MSN is still vulnerable to
viruses as it was before it used SPF, and it is just as vulnerable to
disposable account creation as it was before.  Using SPF will __attract__
abusers to MSN, because they can get more spam through to AOL, because it
is subject to less processing.  Since AOL is doing less processing on the
same spam, AOL users get more spam. SPF is bad for both companies.

And of course, anyone who sets up a disposable domain can also get spam
through to AOL by creating an SPF record for the domain. Disposable
domains, along with disposable or stolen accounts, are a major problem now,
and they remain a major problem under SPF.

Anything that reduces spam filtering without reducing the number of
abusers will be harmful.

Basically, SPF gives abusers the opportunity to whitelist themselves, or
the opportunity to identify ISPs that may be whitelisted. Any kind of
whitelist that is under the control of the sender, rather than the
recipient, is also going to be ineffective and harmful.


Dean Anderson
Av8 Internet, Inc
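The argument in the message above (an SPF "pass" is something the sender publishes, so discounting filtering on a pass is a sender-controlled whitelist) can be shown concretely with a toy SPF evaluator. This is an added example, not code from the MARID archive or from Dean Anderson; the domains, addresses and the inline DNS table are constructed for illustration, and the evaluator handles only the ip4 and all mechanisms (no include, a, mx, exists or ptr). It contrasts the policy the post warns against, where any SPF pass lowers the spam score, with a recipient-controlled policy where the pass only identifies the domain and the discount is granted solely to domains on the recipient's own list.

```python
"""Toy SPF evaluator: why "SPF pass => less filtering" is a sender-controlled
whitelist. Added example; domains, IPs and the DNS table are constructed."""
import ipaddress

# Constructed stand-in for TXT lookups (hypothetical domains).
DNS_TXT = {
    # a large mailbox provider that lists its real outbound range
    "bigmail.example": "v=spf1 ip4:192.0.2.0/24 -all",
    # a disposable spam domain: the sender declares every host authorised
    "throwaway.example": "v=spf1 +all",
    # a disposable spam domain that lists the spammer's own host
    "burner.example": "v=spf1 ip4:203.0.113.7 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, sender_ip):
    """Return pass/fail/softfail/neutral/none for (domain, connecting IP).

    Supports only the ip4 and all mechanisms; everything else is skipped.
    """
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"            # no SPF record published
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qual = "+"               # default qualifier per the SPF syntax
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            return QUALIFIERS[qual]
        if mech == "ip4" and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qual]
        # include/a/mx/exists/ptr are omitted from this toy evaluator
    return "neutral"             # record exhausted with no match


PASS_DISCOUNT = 3.0              # hypothetical score reduction on a pass


def spam_score_sender_trust(domain, sender_ip, content_score):
    """The policy the post warns against: any SPF pass buys reduced
    filtering. The sender decides, by publishing a record, who qualifies."""
    if evaluate_spf(domain, sender_ip) == "pass":
        return content_score - PASS_DISCOUNT
    return content_score


def spam_score_recipient_trust(domain, sender_ip, content_score, trusted):
    """Recipient-controlled alternative: SPF only authenticates the domain;
    the discount applies solely to domains on the recipient's own list."""
    if evaluate_spf(domain, sender_ip) == "pass" and domain in trusted:
        return content_score - PASS_DISCOUNT
    return content_score


if __name__ == "__main__":
    trusted = {"bigmail.example"}
    # (domain, connecting IP): a legitimate provider, then two spam domains
    cases = [("bigmail.example", "192.0.2.10"),
             ("throwaway.example", "198.51.100.9"),
             ("burner.example", "203.0.113.7")]
    for domain, ip in cases:
        print(domain, evaluate_spf(domain, ip),
              "sender-trust:", spam_score_sender_trust(domain, ip, 5.0),
              "recipient-trust:",
              spam_score_recipient_trust(domain, ip, 5.0, trusted))
```

Both spam domains obtain a "pass" just as easily as the real provider, so under the first policy their mail is scored 3 points lower; under the second, only the domain the recipient chose to trust gets the discount, and publishing an SPF record gains the abuser nothing.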