RE: Maybe simple question
2003-12-16 23:25:17
--"Vivien M." <vivienm(_at_)dyndns(_dot_)org>:
The question, I think, is whether universality is the goal or not. That's
my real concern. If organizations aren't pressured to hastily publish
SPF, then I don't see a problem... not one that the spec can fix,
anyways. My concerns with SPF have to do with the HUMANS setting it up in
a particular organization (humans whom I obviously view in a more
negative light than many others on this list), not with the technology
itself - in capable, honest, well-thinking hands, SPF as it stands is a
perfectly good piece of technology (though I would have preferred it not
use TXT records, but I won't start THAT fight all over again). But then
again, a knife in the hands of a cook is a perfectly harmless and
beneficial thing, but the same knife in the hands of a serial killer is
not... and that, I think, is a good analogy to describe my position.

Thank you for the reply, that clarifies much, in terms of your original
point and your motivation for writing. Actually, I think we agree much
more than we disagree. I certainly think that anyone who changes stuff
"hastily" and rides rough-shod over users they are supposed to be
supporting, is not really operating in the true spirit of SPF.

I do think it will take a *long* time to get full adoption. I will not put
large amounts of money on this but if I were to guess, I would say it's
probably 5 years before anyone can seriously start blocking non-spf
domains. In the meantime, SPF might provide a boost to get mail a higher
score on SpamAssassin and the like, and non-spf might downgrade folks a
bit. But I don't think the effect will be at all noticeable in a year,
possibly more. Which is why I am a passionate advocate of "This will take
a *hell* of a long time, so we should get started *now*."

Let me go back to a couple other things you said, though these will be
minor points...

Yes, I do... And I have a problem with an antispam method turning into a
way to make such an IT department able to screw over people more.

I'm not a big fan of IT... I prefer working in a production operation and
not having to deal with users, but I have been in helpdesk-type roles
before.

So, the cynical side of me thinks "IT will screw you over with whatever is
at hand, whether it be SPF, MS Exchange, firewalls, staplers, dry-erase
markers, cracked CD's from old NT service packs, whatever." :)

Free _tools_, yes... But what about the hardware it runs on? The bandwidth
it uses? The staff members' time to set it up? If you're a cash-starved
.edu, those are important things.

I don't have a lot of data on this, granted. But here is one data point...
I run my home network on a shoestring budget, which is why I use Linux.
So, this weekend I sought to add SMTP AUTH to my own server. Turns out the
software I needed was already installed (sendmail) and I just had to alter
a config file or two to get SASL working.

SPF is for those domains that *choose* to limit their senders; not
publishing is still a viable option.

Okay, so you're claiming that SPF should not be universal? If you are,
then that's fine - the impression I got was that this was an effort to
WIDELY deploy this technology as quickly as possible.

Right, the question of time is anybody's guess here. I advocate doing it
"soon" but not at the expense of other factors. Realistically I recognize
that there are millions of domain owners that will not even become aware of
this, let alone implement it, for probably years.

In that time I'm expecting most SMTP vendors will include smtp auth in
their upgrades - sendmail and Exchange already have it. ISPs and EDUs will
learn about it from their peers and hear both horror stories and success
stories, hopefully more success stories as time goes on.

You and I have different experiences with large residential broadband-type
ISPs, it seems :)

In my geographic area, at least, those ISPs care about their customers as
much as a sweat shop owner cares about his illegal immigrant employees.
Good luck getting any type of personalized service - all you get is the
friendly outsourced call center when you have a problem, and an address
to send your bill payment (actually, that's a figure of speech - they'll
just debit your credit card). And if you want to walk, well, let's just
say this describes the two big players that most people are aware of.

Yes I have actually worked with this ISP. (Ow my ass!)
But, they do offer new features from time to time, and they will
(eventually) move with the times, especially if their competitors start
moving as well.

This is another thing that changes shape when you think of "quickly means
3-6 months" vs. "quickly means 3-6 years"...

Also, what kind of SMTP servers do you use? MOST servers out there, at
least the ones that I'm aware of, along with their admins follow the
"send through the local SMTP server" part of the
"relay-for-your-local-IPs-only, accept-for-your-local-recipients-only"
model.

I agree with you on this too... I think you described in an earlier post
(or someone did) the process of locking down relays as being something
like...
1. All relays were originally open.
2. "Oh my god why are we being blocked?"
3. Limit relays to only known-local IPs.

smtp auth has been around for a while but it is not the normal thing. I
think as more and more users ask for it, more and more ISPs will configure
appropriately.

It's all about what you want to do with mail from non-SPF places: I got
the impression from Meng's posts at the beginning that, in the long run,
mail from non-SPF-publishing domains should be bounced. THAT's what I
have a problem with.

A lot of people would see that as the "ultimate dream" but I think it's
more realistic to assume that SPF will grow and probably change a couple
times before it gets to even 50% of internet servers, and I think that will
be years. At first I see it as being a small hit to the filter score,
which along with several other factors might help detect spam. Eventually
some sites will start to block on it (like universities and small
companies) but they will probably be seen as the fringe or at least the
bleeding edge.

I have long said (in other forums where I occasionally speak up, and to my
friends) that I don't believe spam is a problem that can be solved through
technology. My fear is that, in the process of fighting spammers,
virus/worm authors, and other issues, computing and the Internet will
turn into a glorified TV set top box.

[...]

I happen to think that putting murderers in jail for a
very long time is a much better way to decrease homicide rates than to
make knives that can't stab people, and I think that an all-expenses-paid
vacation to Club Fed for 10 years for some key high-output spammers would
probably lead to a more drastic reduction in spam level than partial SPF
implementation.

That's getting into a philosophical side that is probably very contentious,
and I'm not really ready to debate technical vs. legal solutions right now.
Let me just give a sort of "cop out" answer and say: I don't really think
the ultimate answer to the spam problem will be entirely technical, or
entirely legal/legislated. I think spam is such an enormously huge problem
that it will take dozens or even hundreds of solutions, some technical,
some legal, some neither. (I am a big fan of "economic" solutions myself
but that's pretty off-topic for this list :) There are a lot of really
great ideas, but no single idea is good enough to make all others
unnecessary. So, I think of SPF as being "necessary but not sufficient" to
solving the spam problem.
--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt