spf-discuss

Re: Attacking the throwaway-domain problem

2003-10-15 05:33:12

Yes, though many of the same problems still apply.  It's not always
clear who is to blame for spam in an SPF world:

* Spammer misuses his ISP's SPF-protected SMTP server:
  Is the ISP at fault?  Can spamtraps put the ISP on automated
  block lists?

This is simple.  Just report the abuse to the SPF-protected ISP's admin and 
let them shut down the client if they are abusing it, or notify them 
to properly set up an RFC 2369 mailing list with email unsubscribing, which 
would therefore be considered legitimate spam.  The reason why it would be 
legitimate is that the ISP is giving the receivers a true unsubscribe feature 
that will ensure that the receivers will be able to unsubscribe.  However, with 
SPF-protected sites, there is absolutely no need to password protect a mailing 
list as the sender is 99% the true sender.

* Mailing list includes spam:
  Did the mailing list do the SPF checks wrong, or use the wrong
  block lists (or white lists)?  Or is the spammer using a new
  domain that looked legit?

Depends on how the mailing list is used.  If the list is for members to talk 
and spam is sent to it, the moderator would ban that user from the list.  If 
the list was designed to allow end users to automatically remove themselves 
from these mailing lists should they reply back to the message with the word 
"remove" in it, then it would be considered legitimate use, as the mailing list 
processor would have to comply immediately without any reservation.

* Forwarding service sends out spam:
  Again, who is to blame?

Again, report the issue and let them know that their forwarding service is 
prone to being banned.

How about a spammer misuses his ISP to send mail to a forwarder
who forwards it to a mailing list?  Blacklist all of them?

Nope, just look in the body of the message and see what domain he is trying to 
refer back to.  Then ban that domain altogether.  This will be the Mailing 
list's admin's responsibility to ensure that they are not allowed to send spam 
through this list.


This kind of reputation publication can
*AND SHOULD* be done in many different ways.  There can be RHSBLs,
RHSWLs, things similar to Habeas, things like bondedsender, etc.

Having registrars do detailed checking of who registers a domain is
certainly an option, but I suspect it will be either far too costly,
or far too easy to fudge.

If you have a reputation-based system then you need to decide what
to attach the reputation to.  If you attach reputations to things
that can be created out of thin air as the need arises then you haven't
won much.  Domains can be created out of thin air for pocket change,
esp. if you allow 3rd level domains to publish their own SPF data.

That's why you need to tie the reputation to a person.  If the
registrars won't do that then someone else must.

A reputation system will not work well as it is too high maintenance.  The 
individual admins need to set up sieve filters on their mail servers and see 
what can be done to remove as much junk mail as possible within the SPF environment.
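The "look in the body of the message and see what domain he is trying to refer back to, then ban that domain" check suggested above, written out as an added example (not code from the original post, from SPF, or from any list manager): it pulls the hostnames referenced by URLs in a message's text parts and matches them against a ban list kept by the list admin, treating subdomains of a banned domain as banned too. The ban list and the sample message are constructed for the example.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed ban list: domains the list admin has decided to block outright.
BANNED_DOMAINS = {"spam-shop.example", "pills.example"}

# Hostname part of any http(s) URL; the path is cut off at the first "/".
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

# Constructed sample: a multipart message as a forwarder might hand it to the list.
SAMPLE_MESSAGE = """\
From: someone@forwarder.example
To: list@example.org
Subject: great offer
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Visit http://WWW.spam-shop.example/buy now, or see http://news.example/ for info.

--b1
Content-Type: text/html; charset="us-ascii"

<p>Visit <a href="https://promo.pills.example/x">here</a></p>

--b1--
"""

def referenced_domains(raw_message):
    """Hostnames referenced by http(s) URLs in the text/plain and text/html parts."""
    msg = message_from_string(raw_message, policy=default)
    hosts = set()
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            for host in URL_RE.findall(part.get_content()):
                hosts.add(host.lower().rstrip("."))
    return hosts

def matches_banned(host, banned=BANNED_DOMAINS):
    """True if host is a banned domain or lies under one (promo.pills.example)."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in banned for i in range(len(labels)))

def banned_domains_in(raw_message, banned=BANNED_DOMAINS):
    """The referenced hosts that hit the ban list; non-empty means hold or reject."""
    return {h for h in referenced_domains(raw_message) if matches_banned(h, banned)}
```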

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/