spf-discuss

RE: Maybe simple question

2003-12-16 23:25:17
--"Vivien M." <vivienm(_at_)dyndns(_dot_)org>:
The question, I think, is whether universality is the goal or not. That's
my real concern. If organizations aren't pressured to hastily publish
SPF, then I don't see a problem... not one that the spec can fix,
anyways. My concerns with SPF have to do with the HUMANS setting it up in
a particular organization (humans whom I obviously view in a more
negative light than many others on this list), not with the technology
itself - in capable, honest, well-thinking hands, SPF as it stands is a
perfectly good piece of technology (though I would have preferred it not
use TXT records, but I won't start THAT fight all over again). But then
again, a knife in the hands of a cook is a perfectly harmless and
beneficial thing, but the same knife in the hands of a serial killer is
not... and that, I think, is a good analogy to describe my position.


Thank you for the reply, that clarifies much, in terms of your original point and your motivation for writing. Actually, I think we agree much more than we disagree. I certainly think that anyone who changes stuff "hastily" and rides roughshod over users they are supposed to be supporting is not really operating in the true spirit of SPF.

I do think it will take a *long* time to get full adoption. I will not put large amounts of money on this but if I were to guess, I would say it's probably 5 years before anyone can seriously start blocking non-SPF domains. In the meantime, SPF might provide a boost to get mail a higher score on SpamAssassin and the like, and non-SPF might downgrade folks a bit. But I don't think the effect will be at all noticeable in a year, possibly more. Which is why I am a passionate advocate of "This will take a *hell* of a long time, so we should get started *now*."


Let me go back to a couple other things you said, though these will be minor points...

Yes, I do... And I have a problem with an antispam method turning into a
way to make such an IT department able to screw over people more.

I'm not a big fan of IT... I prefer working in a production operation and not having to deal with users, but I have been in helpdesk-type roles before.

So, the cynical side of me thinks "IT will screw you over with whatever is at hand, whether it be SPF, MS Exchange, firewalls, staplers, dry-erase markers, cracked CDs from old NT service packs, whatever." :)


Free _tools_, yes... But what about the hardware it runs on? The bandwidth
it uses? The staff members' time to set it up? If you're a cash-starved
.edu, those are important things.


I don't have a lot of data on this, granted. But here is one data point... I run my home network on a shoestring budget, which is why I use Linux. So, this weekend I sought to add SMTP AUTH to my own server. Turns out the software I needed was already installed (sendmail) and I just had to alter a config file or two to get SASL working.


SPF is for those domains that *choose* to limit their senders; not
publishing is still a viable option.

Okay, so you're claiming that SPF should not be universal? If you are,
then that's fine - the impression I got was that this was an effort to
WIDELY deploy this technology as quickly as possible.


Right, the question of time is anybody's guess here. I advocate doing it "soon" but not at the expense of other factors. Realistically I recognize that there are millions of domain owners that will not even become aware of this, let alone implement it, for probably years.

In that time I'm expecting most SMTP vendors will include SMTP AUTH in their upgrades - sendmail and Exchange already have it. ISPs and EDUs will learn about it from their peers and hear both horror stories and success stories, hopefully more success stories as time goes on.


You and I have different experiences with large residential broadband-type
ISPs, it seems :)

In my geographic area, at least, those ISPs care about their customers as
much as a sweat shop owner cares about his illegal immigrant employees.
Good luck getting any type of personalized service - all you get is the
friendly outsourced call center when you have a problem, and an address
to send your bill payment (actually, that's a figure of speech - they'll
just debit your credit card). And if you want to walk, well, let's just
say this describes the two big players that most people are aware of.


Yes I have actually worked with this ISP.  (Ow my ass!)

But, they do offer new features from time to time, and they will (eventually) move with the times, especially if their competitors start moving as well.

This is another thing that changes shape when you think of "quickly means 3-6 months" vs. "quickly means 3-6 years"...


Also, what kind of SMTP servers do you use? MOST servers out there, at
least the ones that I'm aware of, along with their admins follow the
"send through the local SMTP server" part of the
"relay-for-your-local-IPs-only, accept-for-your-local-recipients-only"
model.


I agree with you on this too... I think you described in an earlier post (or someone did) the process of locking down relays as being something like...

1. All relays were originally open.
2. "Oh my god why are we being blocked?"
3. Limit relays to only known-local IPs.

SMTP AUTH has been around for a while but it is not the normal thing. I think as more and more users ask for it, more and more ISPs will configure appropriately.


It's all about what you want to do with mail from non-SPF places: I got
the impression from Meng's posts at the beginning that, in the long run,
mail from non-SPF-publishing domains should be bounced. THAT's what I
have a problem with.


A lot of people would see that as the "ultimate dream" but I think it's more realistic to assume that SPF will grow and probably change a couple times before it gets to even 50% of internet servers, and I think that will be years. At first I see it as being a small hit to the filter score, which along with several other factors might help detect spam. Eventually some sites will start to block on it (like universities and small companies) but they will probably be seen as the fringe or at least the bleeding edge.


I have long said (in other forums where I occasionally speak up, and to my
friends) that I don't believe spam is a problem that can be solved through
technology. My fear is that, in the process of fighting spammers,
virus/worm authors, and other issues, computing and the Internet will
turn into a glorified TV set top box.
[...]
I happen to think that putting murderers in jail for a
very long time is a much better way to decrease homicide rates than to
make knives that can't stab people, and I think that an all-expenses-paid
vacation to Club Fed for 10 years for some key high-output spammers would
probably lead to a more drastic reduction in spam level than partial SPF
implementation.


That's getting into a philosophical side that is probably very contentious, and I'm not really ready to debate technical vs. legal solutions right now. Let me just give a sort of "cop out" answer and say: I don't really think the ultimate answer to the spam problem will be entirely technical, or entirely legal/legislated. I think spam is such an enormously huge problem that it will take dozens or even hundreds of solutions, some technical, some legal, some neither. (I am a big fan of "economic" solutions myself but that's pretty off-topic for this list :) There are a lot of really great ideas, but no single idea is good enough to make all others unnecessary. So, I think of SPF as being "necessary but not sufficient" to solving the spam problem.

--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt