On Thu, 9 Sep 2004, Douglas Otis wrote:
On Thu, 2004-09-09 at 08:07, Sauer, Damon wrote:
Dean,
You are missing where this is a GOOD thing. We WANT spammers to use
SPF. This will allow us to identify, publish, process, shred, pillage, burn,
destroy the IP addresses that this stuff is coming from. Nobody is doing
less stringent processing of the email that passes an SPF check. It just
makes it easier to block when identified.
How do you know the spammer has not bothered to include addresses of
legitimate MTAs? The obvious adaptive strategy would be to disrupt this
presumptive use of spammer's information as-if it were trustworthy.
Yep. Suppose you have a piece of spam. You look at the from address. Can
you check the SPF record for that domain? No. It's probably changed between
the time the message was sent and the time you looked at it. You can check
the original IP address that your MTA logged in the received header. But
YOU COULD DO THAT BEFORE. I don't think I'm the only one thinking "duh!"
just about now.
You might as well go back to domain name blocking. But YOU COULD DO THAT
BEFORE, too. (Another big "duh!") We don't do that because spammers send
from big ISPs that we can't block, or use viruses to steal resources from
innocent domains. Or use disposable accounts.
--Dean
The value of SPF is clear when white-listing as a means for reducing
false negative assessments.
There is already a two line rule for sendmail and other MTAs to do IP
based whitelisting, and great software, called rbldns. I don't see a
benefit in replacing something that works with something that offers
benefits to spammers and abusers.
SPF will never serve as a tool for blacklisting for what should be
obvious reasons. There is a risk presuming the domain identified using
SPF has not been spoofed somewhere in the mail channel. SPF does not
allow the IP address to be trusted to allow address blacklisting beyond
the current connection, nor does SPF really allow the MAIL FROM mailbox
domain to be trusted to a degree that would allow name blacklisting, as it
fails to accurately identify the entity introducing the message. The
mail channel is often shared and there is no means to verify the channel
is being checked at either end of the administrative realms.
What he said.
-Doug
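An added illustration of the two points argued above (not part of the thread and not any participant's code): an SPF "pass" is only evidence about the connection being evaluated right now, and a record published by a sender cannot be mined afterwards for addresses to block, both because the record may have changed since the message was sent and because the publisher can list anyone's addresses in it. The evaluator below handles only the ip4/ip6/all mechanisms (no DNS, no include/a/mx), the domain names are reserved example names, the addresses come from documentation ranges, and both record snapshots are constructed for the example.

```python
import ipaddress
import re

# Constructed SPF records as they might have been published at two moments.
# No DNS is consulted; these are sample data, not any real domain's records.
RECORDS_AT_RECEIPT = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 -all",
    # The sender also lists an address inside example.org's legitimate range.
    "sender.example": "v=spf1 ip4:198.51.100.7 ip4:192.0.2.10 +all",
}
RECORDS_NOW = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 -all",
    "sender.example": "v=spf1 -all",   # record already changed after the run
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Minimal check_host(): ip4/ip6/all only; other mechanisms never match."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6") and arg:
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"   # nothing matched and no 'all' term


RECEIVED_IP_RE = re.compile(r"\[(?P<ip>[0-9a-fA-F:.]+)\]")


def connecting_ip(received_header):
    """The peer address your own MTA logged; available with or without SPF."""
    m = RECEIVED_IP_RE.search(received_header)
    return m.group("ip") if m else None


def connection_decision(mail_from_domain, client_ip, records):
    """Policy applied at SMTP time to this connection only.

    A pass earns a whitelist benefit (e.g. skipping greylisting); a fail
    rejects; anything else gets ordinary filtering. Nothing here is stored
    for blocking other connections later.
    """
    result = evaluate_spf(records.get(mail_from_domain, ""), client_ip)
    if result == "pass":
        return "accept-skip-greylist"
    if result == "fail":
        return "reject"
    return "accept-normal"


def networks_claimed(record):
    """Address ranges a record vouches for (ip4/ip6 terms only)."""
    nets = []
    for term in record.split()[1:]:
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name.lower() in ("ip4", "ip6") and arg:
            nets.append(ipaddress.ip_network(arg, strict=False))
    return nets


def record_overlaps_trusted(record, trusted_net):
    """True if blocking everything the record lists would hit trusted_net."""
    trusted = ipaddress.ip_network(trusted_net, strict=False)
    return any(trusted.overlaps(net) for net in networks_claimed(record))


if __name__ == "__main__":
    hdr = "from mx.example.org (mx.example.org [192.0.2.5]) by mail.local"
    ip = connecting_ip(hdr)
    print(ip, connection_decision("example.org", ip, RECORDS_AT_RECEIPT))
    # Post-hoc lookup: the record has changed, so the result no longer
    # describes the message you are holding.
    print(evaluate_spf(RECORDS_AT_RECEIPT["sender.example"], "198.51.100.7"),
          evaluate_spf(RECORDS_NOW["sender.example"], "198.51.100.7"))
    # Mining the published record for a blacklist would block a legitimate MTA.
    print(record_overlaps_trusted(RECORDS_AT_RECEIPT["sender.example"],
                                  "192.0.2.0/24"))
```

The only durable fact the receiving MTA has is the connecting address it logged itself, which is what `connecting_ip` extracts and what could be fed to an IP-based list regardless of SPF; the sender's record is consulted for the live connection and then discarded.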