-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of Greg Connor
Sent: December 17, 2003 1:25 AM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: RE: [spf-discuss] Maybe simple question
I do think it will take a *long* time to get full adoption. I will not put
large amounts of money on this but if I were to guess, I would say it's
probably 5 years before anyone can seriously start blocking non-spf
domains. In the meantime, SPF might provide a boost to get mail a higher
score on SpamAssassin and the like, and non-spf might downgrade folks a
bit. But I don't think the effect will be at all noticeable in a year,
possibly more. Which is why I am a passionate advocate of "This will take
a *hell* of a long time, so we should get started *now*."
That kind of time frame may disturb others on this list, though... It's
certainly a bit less ambitious than the original plans, but a lot more
reasonable, IMHO.
So, the cynical side of me thinks "IT will screw you over with whatever is
at hand, whether it be SPF, MS Exchange, firewalls, staplers, dry-erase
markers, cracked CD's from old NT service packs, whatever." :)
Sounds like my experience with most IT departments, too. :)
Free _tools_, yes... But what about the hardware it runs on? The
bandwidth it uses? The staff members' time to set it up? If you're a
cash-starved .edu, those are important things.
I don't have a lot of data on this, granted. But here is one data point...
I run my home network on a shoestring budget, which is why I use Linux.
So, this weekend I sought to add SMTP AUTH to my own server. Turns out the
software I needed was already installed (sendmail) and I just had to alter
a config file or two to get SASL working.
You're a single person. In an IT department, you'd probably need to talk to
your manager, who'd need to ask their supervisor, etc. By the time all the
bureaucracy is done...
Yes I have actually worked with this ISP. (Ow my ass!)
But, they do offer new features from time to time, and they will
(eventually) move with the times, especially if their competitors start
moving as well.
Yes, but these ISPs' procedures for determining new features are highly
questionable. They'll introduce what appeals to the AOL-type audience they
want, not things for their technologically-knowledgeable customers.
This is another thing that changes shape when you think of "quickly means
3-6 months" vs. "quickly means 3-6 years"...
Agreed...
Also, what kind of SMTP servers do you use? MOST servers out there, at
least the ones that I'm aware of, along with their admins follow the
"send through the local SMTP server" part of the
"relay-for-your-local-IPs-only, accept-for-your-local-recipients-only"
model.
I agree with you on this too... I think you described in an earlier post
(or someone did) the process of locking down relays as being something
like...
1. All relays were originally open.
2. "Oh my god why are we being blocked?"
3. Limit relays to only known-local IPs.
smtp auth has been around for a while but it is not the normal thing. I
think as more and more users ask for it, more and more ISPs will configure
appropriately.
SMTP AUTH had the problem of requiring new mail clients... The "allow all
relaying from local IPs" model just required changing your SMTP server name
if you were using a different IP block. The spam threat was just too big to
wait for SMTP AUTH to be widely deployable, hence they went with the
simplest model...
It's all about what you want to do with mail from non-SPF places: I
got the impression from Meng's posts at the beginning that, in the
long run, mail from non-SPF-publishing domains should be bounced.
THAT's what I have a problem with.
A lot of people would see that as the "ultimate dream" but I think it's
more realistic to assume that SPF will grow and probably change a couple
times before it gets to even 50% of internet servers, and I think that will
be years. At first I see it as being a small hit to the filter score,
which along with several other factors might help detect spam. Eventually
some sites will start to block on it (like universities and small
companies) but they will probably be seen as the fringe or at least the
bleeding edge.
So, if isp.net publishes SPF records, and you get an email tomorrow from a
source other than the ones listed in the SPF record with a from @isp.net,
you wouldn't bounce it, just lower its spamassassin score?
[snip the legal vs technical debate, because as you said, it's getting
rather offtopic]
Vivien
-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt
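The choice raised in the closing question above, bounce on an SPF failure or only adjust the filter score, sketched as an added example that is not part of the original message or of the SPF project's code. It evaluates only the ip4, ip6 and all mechanisms with the qualifiers of the published SPF specification (RFC 7208); the record for isp.net, the addresses and the score values are constructed assumptions.

```python
import ipaddress

# Constructed sample record: isp.net is the domain named in the message,
# the addresses are documentation ranges (RFC 5737), not real data.
RECORDS = {"isp.net": "v=spf1 ip4:192.0.2.0/24 -all"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Hypothetical adjustments for a SpamAssassin-style filter (higher = spammier).
SCORE_DELTA = {"pass": -1.0, "none": 0.5, "neutral": 0.0,
               "softfail": 1.5, "fail": 3.0}


def spf_result(domain, client_ip, records=RECORDS):
    """Evaluate ip4/ip6/all mechanisms only; DNS-based ones are out of scope."""
    terms = records.get(domain, "").split()
    if not terms or terms[0] != "v=spf1":
        return "none"                      # domain publishes no SPF record
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                    # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
            continue
        raise ValueError(f"mechanism {name!r} needs DNS; not handled here")
    return "neutral"                       # no mechanism matched


def disposition(domain, client_ip, policy):
    """policy 'score' only adjusts the filter score; 'reject' bounces on fail."""
    result = spf_result(domain, client_ip)
    if policy == "reject" and result == "fail":
        return ("reject", result, None)
    return ("accept", result, SCORE_DELTA[result])


if __name__ == "__main__":
    for policy in ("score", "reject"):
        for ip in ("192.0.2.25", "203.0.113.9"):
            print(policy, ip, disposition("isp.net", ip, policy))
    print("reject", disposition("example.org", "203.0.113.9", "reject"))
```

Under the reject policy a domain with no record is still accepted, which is the distinction the thread draws between failing a published record and not publishing one at all.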