Douglas Otis wrote:
Contrary to the promotions, SPF will not stop spam.
This is typically one of the noob objections. I will show you why, in the
larger scheme of things, SPF most certainly helps the fight against spam.
... and a slew of modification made to every email client.
You got yourself confused with the thingy from Redmond, didn't ya? SPF is
inter-MTA based, and requires no changes to email clients
whatso-frickin-ever.
I can not accept the premise there are no serious concerns related to
publishing SPF records. No scheme without a reputation assessment will
prevent email abuse.
How poor, I must say, is your understanding of SPF. Especially so, since
SPF actually greatly helps the reputation assessment! SPF 'funnels', as it
were, the use of domain names through specified, authorized relays. Once
you have 'locked in' the authorized use of an SPF-protected domain name,
you can then confidently consult a reputation service for that domain. To
give an example, with SPF, I can now confidently query:
aol.com.rating.reputationservice.com
Abusers are among the first to adopt changes offering greater access.
Which example allows me to counter the ever recurring noob-objection: "But
spammers can publish SPF records too, and so 'bypass' security by getting
a PASS!" Counter, because, due to the 'funneling' effect I just spoke of,
spammers will gradually be forced to use only their own domain names. At
which point they can be block-listed by domain name even.
To give an example again, say, a spammer registered "spammer.com", and
published SPF records to produce a "pass". With SPF, I can now confidently
query:
spammer.com.rating.reputationservice.com
You see? Causing a "pass", the spammer has only achieved to hang the noose
around his own, identified neck! This 'bypass', as noobs call it, is an
intended, and desired, effect of SPF.
And thus, SPF helps to facilitate the return of domain name block lists
and/or domain name based reputation databases. And a domain name based
reputation database has great advantages. For one, because the maintainer
of said database no longer has to bother with ever-changing IP addresses.
That is the beauty of SPF: the domain owners themselves define the
authorized IP addresses; the reputation database just lists domain names;
and the one making the query does the SPF query for domain X against the
connecting IP address to see whether the relay is actually authorized to
use the identity.
To sum it up:
1): Spammers causing their registered domains to "pass", only identify and
set themselves up to be block-listed.
2): Email sent with reputable domains, used without authorization by
spammers, are protected -- hence exempt from erroneously being counted
towards spam and bad reputation!
- Mark
System Administrator Asarian-host.org
---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx