spf-discuss

RE: Why not just use S/MIME or GPG signatures?

2003-10-23 14:53:07
Phil Karn wrote:
And it's not too easy for a spammer to create or acquire valid domain
names, publish the appropriate SPF records in the DNS, and start
spamming? He could register and rotate among dozens or hundreds or
thousands of domain names from which to spam, periodically updating
his SPF records in the DNS as he changes IP addresses. Note these
wouldn't all have to be different second-level domains; he could stick
his own third-level names on his collection and publish distinct SPF
records for each one.

That sounds to me like it's the spammer's prerogative.  Remember, SPF
does not claim to stop spam, it simply claims to help prevent email
forgery, which many spammers use to hide their identities.  I would much
prefer the spammer who operates like you describe above than a spammer
who forges all of his email, because then I can track him down through
his registrar.  Managing large amounts of throw-away domains also
increases his costs a bit and hopefully will help discourage small-time
spammers who don't have the capital to operate this way.

---
Dustin D. Trammell
Vulnerability Remediation Alchemist
Citadel Security Software, Inc.

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.txt
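
The distinction drawn in this thread, as an added example that is not part of either message: a minimal evaluator for the `ip4` and `all` mechanisms, using the `v=spf1` record syntax later standardized in RFC 7208, run over constructed records. It shows a forged sender failing while a throw-away domain passes, so a pass is an accountable identity on which per-domain reputation can be keyed; all domain names, addresses and the `disposition` policy are assumptions.

```python
import ipaddress

# Constructed zone data: TXT records keyed by domain. Only reserved
# example names and documentation IP ranges are used.
SPF_RECORDS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "a1.bulk-sender.example": "v=spf1 ip4:203.0.113.7 -all",  # throw-away third-level name
    "a2.bulk-sender.example": "v=spf1 ip4:203.0.113.8 -all",  # same owner, distinct record
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, records=SPF_RECORDS):
    """Evaluate the ip4/all subset of SPF for a connecting IP and envelope domain."""
    terms = records.get(domain, "").lower().split()
    if terms[:1] != ["v=spf1"]:
        return "none"  # domain publishes no SPF policy
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term[1:] if term[0] in QUALIFIERS else term
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech.startswith("ip4:") and addr in ipaddress.ip_network(mech[4:], strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched

def registered_domain(domain):
    # Simplification (assumption): last two labels; real code would use the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def disposition(ip, mail_from, blocked=frozenset()):
    """Combine the SPF result with reputation keyed on the registered domain."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    result = check_host(ip, domain)
    if result == "fail":
        return result, "reject: sender not authorized by domain"
    if result == "pass" and registered_domain(domain) in blocked:
        return result, "reject: authenticated domain has bad reputation"
    return result, "accept"

if __name__ == "__main__":
    bad = {"bulk-sender.example"}  # constructed reputation list
    print(disposition("203.0.113.7", "offers@bank.example"))           # forged sender
    print(disposition("203.0.113.7", "x@a1.bulk-sender.example"))      # SPF alone
    print(disposition("203.0.113.8", "y@a2.bulk-sender.example", bad)) # SPF + reputation
```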