On Thu, 2004-09-09 at 13:16, Sauer, Damon wrote:
You are missing where this is a GOOD thing. We WANT spammers to use
SPF. This will allow us to identify, publish, process, shred,
pillage, burn, destroy the IP addresses that this stuff is coming
from. Nobody is doing less stringent processing of the email that
passes an SPF check. It just makes it easier to block when
identified.
How do you know the spammer has not bothered to include addresses of
legitimate MTAs? The obvious adaptive strategy would be to
disrupt this presumptive use of spammer's information as if
it were trustworthy.
I am not looking at the SPF record at this point. I am looking at the
IP address they connected from.
If the mailbox domain has been safely blacklisted, then no confirmation
with respect to the IP address from the SPF records is needed. Should
abusive mail be discovered, it would be unsafe to conclude the SPF
mailbox-domain/IP address confirmation is tenable for establishing a
name blacklist. Only the IP address has received sufficient
authentication for such a listing, but then this has not improved upon
current IP address blacklisting.
Am I misunderstanding your question? This just seems too obvious to me.
If you are only looking at the address, then there is no advantage
obtained using SPF records.
The checks that I DON'T have to do are against the received from:
headers. I already know. If you want to call this 'reducing
filtering' so be it. But it is a reduction because the check that
you used to have to run is no longer necessary.
This would seem to imply you are checking the mailbox domains?
The value of SPF is clear when white-listing as a means for
reducing false negative assessments.
SPF will never serve as a tool for blacklisting for what
should be obvious reasons. There is a risk presuming the
domain identified using SPF has not been spoofed somewhere in
the mail channel. SPF does not allow the IP address to be
trusted to allow address blacklisting beyond the current
connection, nor does SPF really allow the MAIL FROM mailbox
domain to be trusted to a degree that would allow name
blacklisting, as it fails to accurately identify the entity
introducing the message. The mail channel is often shared
and there is no means to verify the channel is being checked
at either end of the administrative realms.
Please provide an example of how this would happen. I am completely
missing your chain of thought.
There are many cases where an MTA is shared. This may be due to
transparent interception, virtual hosting, ports blocked by providers,
where many of these configurations ARE effective at curtailing abuse.
If one of these MTAs is not checking against the SPF record, or the SPF
record is open, then there is no assurance a mailbox-domain appears on
account of the entity that published the SPF record. There is no
indication a check has been made, nor that the MTA is being shared. A
breach in the mail channel integrity can happen within either the
receiving or sending realm. An SPF blacklisting fails to locate the
accountable entity.
Beyond white-listing, SPF may even be viewed as dangerous, when there
are expectations more can be obtained using this mechanism than is safe.
-Doug
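
The shared-MTA and open-record cases from the message above, as an added example that is not part of the original thread. The domains, addresses and records are constructed, the function names are hypothetical, and only the `ip4` and `all` mechanisms of SPF are evaluated.

```python
import ipaddress

# Constructed SPF records using documentation domains and address ranges.
RECORDS = {
    "tenant-a.example": "v=spf1 ip4:192.0.2.25 -all",    # lists the shared MTA
    "tenant-b.example": "v=spf1 ip4:192.0.2.0/24 -all",  # covers the same MTA
    "open.example": "v=spf1 +all",                       # open record
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, records=RECORDS):
    """Evaluate a record for (ip, MAIL FROM domain); ip4 and all only."""
    record = records.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched


def is_open(domain, records=RECORDS):
    """True when the record authorizes every address via all / +all."""
    terms = records.get(domain, "").split()[1:]
    return any(t in ("all", "+all") for t in terms)


def domains_passing(ip, records=RECORDS):
    """Every known domain whose record yields 'pass' for this address."""
    return sorted(d for d in records if check_host(ip, d, records) == "pass")


if __name__ == "__main__":
    shared_mta = "192.0.2.25"
    # A pass from the shared MTA is consistent with several MAIL FROM
    # domains, so it confirms the address, not which tenant sent the mail.
    print(shared_mta, "passes for", domains_passing(shared_mta))
    # An open record passes from an unrelated address as well.
    print("203.0.113.9 / open.example:", check_host("203.0.113.9", "open.example"))
```

A receiver sees only the single pass result for the domain in MAIL FROM; nothing in that result shows that the same address also passes for other domains or that the sending MTA checked anything.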