On Fri, 10 Sep 2004, Sauer, Damon wrote:
<snip>
Dean,
You are missing where this is a GOOD thing. We WANT
spammers to use
SPF. This will allow us to identify, publish, process,
shred, pillage,
burn, destroy the IP addresses that this stuff is coming
from. Nobody
is doing less stringent processing of the email that passes an SPF
check. It just makes it easier to block when identified.
SPF doesn't make it easier to identify spammers.
<snip>
I didn't say it did. How I identify the IP as a spammer is up to my
other processes. What it DOES do is allow me to make a informed decision
on whether or not to block that IP. (I am not sure how many different
ways I can try to explain this fact but here is another one)
But SPF doesn't allow you to make any 'informed decision'. Your 'other
processes' do that. SPF doesn't enter into it at all.
Only people that don't understand what SPF actually does say that SPF
blocks spam.
I agree. SPF fails to block spam.
Now I do know that pobox has said something to this effect,
but it is my belief that they were writing that statement with the
end-user in mind. Basically, never mind HOW it blocks spam, just that it
will. It is up to the system admins and programmers to determine the
HOW.
??? Just have blind faith that it works??? We did this back in 1997 and
many times since then. The blind faith didn't work then, nor did the
anti-spam schemes. Thats why schemes are being held to more exacting
standards of proof of effectiveness this time, and if the scheme isn't
proven effective, then we aren't interested in giving up those things
(such as unbundling email services) that are required for this scheme,
because it doesn't work, and we aren't interested in any more expensive
and large scale proofs of failure.
If someone of intellect higher than your average bumblebee can't see
where being able to prevent domain forgery is a good thing and being
able to put an IP address to a real domain is a great thing.... Then
bumblebees may eventually rule the world.
Preventing domain forgery will have no effect on anything, and having no
effect, it can't be good or bad. Well, it can be bad if it has some other
detrimental effect, such as interfering with unbundled services, which is
the case here.
Secondly, and more to the point, I think, is that SPF doesn't prevent
email address forgery, which is its //specific goal//.
We can already associate an IP address with a domain via MX and A records.
However, these checks aren't valid except to show that domain //can//
receive email. We already know through experience that many more servers
might validly send email from that domain.
--Dean