ietf-mxcomp

Re: SPF abused by spammers

2004-09-13 08:45:06

On Mon, 13 Sep 2004, Peter Bowyer wrote:


Dean Anderson <dean(_at_)av8(_dot_)com> wrote:
On Sun, 12 Sep 2004, Peter Bowyer wrote:


But AOL won't have spammers on their whitelist. The only domains for
which an SPF Pass means less filtering are those which are
pre-whitelisted. And SPF will ensure that mail which appears to be
from those domains isn't forged.

This is a false assumption.  Any domain that is whitelisted will
attract spammers to that domain.  There is no domain or ISP that can
claim not to have spammers ever.

They don't whitelist ISP domains - only responsible bulk email senders.
People whose mail you want your users to receive.

Yes, such as MSN.

Whether you use SPF as the reduced testing mechanism or some other
mechanism is irrelevant. The 'bad thing' is to ever subject some mail
to less filtering.

Wrong. You submit mail which you've already determined as 'trusted' by your
own reputation mechanism.

This "trust" is a false assumption.  MSN doesn't know whether a particular
message is spam, until it gets a complaint.  It doesn't know whether a
computer is virus infected until it gets a complaint.  It can't certify
that it doesn't have spammers or virus infections or worms or etc.  No one
can. If MSN and AOL make that assertion, and that assertion is accepted by
others, this fact alone will make MSN a target for spammers, viruses,
worms, etc.  This is why reduced filtering promotes more spam.

What's your problem with this? It's using SPF for exactly what it was
intended, and the fact that spammers publish SPF will have no effect
on it at all.

SPF has no effect on anything except to interfere with legitimate
email unbundling.  SPF allows MSN and AOL to conspire to prevent email
outsourcing, or to charge the outsourcers for the "privilege" of
having an SPF record, or to interfere with such outsourced email by
having unreliable nameservice for the outsourced SPF records.  In
exchange, SPF has no impact on spam, whatsoever.  That's my problem
with SPF.

Well, you're entitled to your view, but your appreciation of the facts in
the case of AOL is clearly inaccurate. And please remember that SPF is an
authentication framework, not an anti-spam tool.

Likewise, you're entitled to your view, and we may have to agree to
disagree.  But besides your false assumptions of trust, you don't seem to
appreciate the fact that DNS cannot be used for an authentication
framework because it is so trivially and easily spoofed.  We learned the
vulnerability way, way back with the Morris worm and the BSD R-command
exploits.

                --Dean

