[snip]
Going back to my spam examination where you are examining a
spam message: Suppose the IP address in the received from
header no longer matches the SPF records: In this case you
don't know if your SPF check passed because DNS records were
spoofed, or if the real DNS records were changed. All
you know is that you got a spam from a certain IP address.
You don't know whether it was forged or not.
This is why the delay time is there. (28 days?) If it is no longer
there, then it *MUST* fail.
Delay time?
*MUST* fail???
What are you talking about?
I apologize. I was actually thinking about something else when I wrote
that. Don't know how I missed it in my re-read.
So here is the answer I meant to give.
So the IP address changes- So does the SPF record. The two should not be
out of sync. This is an administrative issue.
Suppose the IP address in the received header does match the SPF
records. You don't know if the abuser signed up for an account with
that domain, or if they got an infected machine under that domain.
You don't know whether the nameserver was cracked, and incorrect
records added. Most people can't tell the difference between a
poisoned DNS cache and whether the records really come from an
authoritative nameserver or even figure out where they got the DNS
record from. So, similarly, all you really know is that you got a
spam from a certain IP address.
Again, in this case it *MUST* fail
Why would it fail if the SPF "check" succeeds?
Or is this just another case of blind faith? Yes, it *must*
fail if SPF is to work. Except that it doesn't fail, and as a
result SPF doesn't work.
That is not at ALL what it means. What it means is: It failed.
It must and will fail.
Just because the SPF record belongs to a spammer and the SPF check
doesn't fail DOES NOT mean that SPF failed. It means it SUCCEEDED.
[snip]
They already do this. Every day. You seem to be saying that
AOL sends no spam, and has no spammers, no viruses, no stolen
accounts???
This is a very low percentage of spam and killable using other methods.
I note that you wrote this notion as an admin for Bell South.
Has Bell South been able to clean spammers out of Bell
South? Or clean virus infections out of Bell South? Or make
it impossible for Bell South users to get viruses, worms,
etc? Or do they just whack them as they find them?
Or is this just another "blind faith" that you //think// will happen?
If you've found some special immunity from spammers/viruses/worms,
then I think you should share that. //That// would be far more
valuable than SPF.
If we could prevent spammers/viruses/worms then we wouldn't
need anti-spam tools at all.
My opinions in this discussion group have always been, and always will
be, my own.
I delete my 'official' signature before I send any email to this group.
If I wished to make an 'official' comment, it would be marked as such.
Most people here know who I am and what I do. This lends itself to my
credibility in a technical discussion, as I have direct, volumetric, and
personal experience in direct relation to the issues.
I hope you will understand why I believe the above is completely
inappropriate and request that my employer not be brought into the
discussion.
Regards,
Damon Sauer