spf-discuss

Re: vernon schryver

2003-12-18 20:41:05
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Greg Connor wrote:
| In reading Vernon's stuff, my thought is that *he thinks* SPF is selling
| itself as the ultimate solution to spam.  It's not.
|
| However, someone made the point earlier that the site and the draft for
| SPF seem to imply the message that "This will help reduce spam".
| Perhaps that can be made clearer, like "This will help reduce spam in
| the long run, along with many other efforts."
|
| I think of SPF as being "necessary but not sufficient" to stopping spam.
| Before spam really reduces, it will probably have to be shifted around a
| lot.  If SPF reduces costs for admins and shifts the costs of spam to
| others not yet using it, that provides incentive for those to use it too.
|
| Most people in the industry believe that several solutions will be
| needed to solve spam, not just one big solution.  Perhaps the spf site
| could make some reference to this.  Not a huge deal... I am just
| thinking aloud here about how to address those concerns that SPF is the
| FUSSP, the holy grail, when it clearly isn't, but is "worthy of
| pursuing" anyway, IMO.
|
| --
| Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
|

I read the discussion on /. as well and I agree with Greg.

SPF is merely "one small step forward" in making SMTP less prone to
abuse.  It's not even that painful of a step (mostly voluntary, only
pressure is going to be through community peer pressure, and the
end-point admins have full control). But I do think a few of the
reverse-MX proposals have gone a touch overboard (or the audience is
projecting their desires onto content) in saying that reverse-MX systems
will kill off spam.

Unfortunately, they won't, but they do address some of the problems with
the current SMTP system.  Problems that I, as a mail admin, am
interested in seeing solved.  SPF does a good job of fixing the domain
forging problem that exists today and that's a pretty important first
step.  It makes my job easier and keeps my company from being
tarred-n-feathered if we get joe-jobbed.  It also makes whitelists /
blacklists and even bayesian filtering more reliable as side-effects of
having more trust over the source of the e-mail.

It does move the attack points around.  Instead of being able to
domain-forge willy-nilly, an attacker has to either poison the DNS SPF
information or break-in and route their spam through one of the listed
IPs in order to pull off the joe-job.

The DNS attack is something I'm still green on, but it would give a bit
more push to proposals that attempt to add signatures to the DNS system.
(Signatures meaning that when machine X queries the DNS system, it can
be assured that the answer was not spoofed.)

The break-in and send e-mail through a proper SMTP server is handled the
same way as you would secure your server from being root-kit'd in the
first place.  Not trivial, but not impossible.  Plus, it leaves tracks
and traces, and the source of the break-in will probably be within the
local admin's area of responsibility (i.e. a machine that they can reach
out and touch physically).

Regular spammers will just set up their own domains (which raises costs
just one more inch) and place wide-open SPF (or no SPF) information in
the DNS.  However, now that it's difficult to forge domains, a spammer's
domain becomes useless faster because whitelists / blacklists are more
reliable.

It's a good step forward and much preferable to today's environment
where joe-jobs are the norm.

--
Thomas Harold
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQE/4nNRps5VuueP1QsRAk2vAKC1dsWorOC30lPSFoY4KO5puAuW2wCdEmUz
wqOZzWs0b+FpA1qSIhAY9wM=
=j9V5
-----END PGP SIGNATURE-----
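The points made above (a forged source IP failing a domain's policy, a spammer's "wide-open" SPF record passing for any IP, a domain with no record at all, and the receiver's blocklist becoming usable because a pass is attributable) can be reproduced with a small SPF evaluator. The following is an added example for this archive page, not code from the poster or from the SPF project; the zone data in FAKE_DNS is constructed, and the evaluator deliberately omits macros, redirect=/exp= modifiers, dual-CIDR suffixes and real DNS lookups.

```python
"""Minimal SPF (v=spf1) evaluator over a constructed, in-memory DNS table.

Supports the ip4, ip6, a, mx, include and all mechanisms with the
+ - ~ ? qualifiers.  Macros, redirect=/exp= modifiers, dual-CIDR suffixes
on a/mx and live DNS resolution are left out on purpose (simplification).
"""
import ipaddress

# Constructed zone data for this example; none of these records are real.
FAKE_DNS = {
    "example.com":      {"TXT": ["v=spf1 ip4:192.0.2.0/24 mx -all"],
                         "MX": ["mail.example.com"]},
    "mail.example.com": {"A": ["198.51.100.25"]},
    "partner.example":  {"TXT": ["v=spf1 include:example.com -all"]},
    "spammer.example":  {"TXT": ["v=spf1 +all"]},           # wide-open record
    "nospf.example":    {"TXT": ["some unrelated txt record"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DEPTH = 10  # recursion guard for include:


def lookup(name, rtype):
    """Return the records of type rtype for name from the fake zone."""
    return FAKE_DNS.get(name.lower(), {}).get(rtype, [])


def spf_record(domain):
    """Return the single v=spf1 TXT record for domain, or None."""
    found = [r for r in lookup(domain, "TXT")
             if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    return found[0] if len(found) == 1 else None


def is_wide_open(record):
    """True when the record authorises every sender (+all or bare all)."""
    return any(t in ("all", "+all") for t in record.split()[1:])


def _host_has_ip(host, addr):
    return any(ipaddress.ip_address(a) == addr for a in lookup(host, "A"))


def check_host(ip, domain, depth=0):
    """Evaluate domain's SPF policy for the connecting ip.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > MAX_DEPTH:
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"                        # no policy published at all
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if "=" in name:                      # modifier (redirect=, exp=): skipped here
            continue
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # a mismatched address family never matches
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = _host_has_ip(arg or domain, addr)
        elif name == "mx":
            matched = any(_host_has_ip(mx, addr)
                          for mx in lookup(arg or domain, "MX"))
        elif name == "include":
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"               # unknown mechanism
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                         # nothing matched, no explicit all


def receiver_policy(ip, mail_from_domain, blocklist=frozenset()):
    """Turn an SPF result into a receiver decision.

    A domain blocklist is consulted only on 'pass', i.e. when the domain
    itself vouched for the source IP, so the listing cannot be joe-jobbed.
    """
    result = check_host(ip, mail_from_domain)
    if result == "fail":
        return "reject"                      # domain says this IP is not theirs
    if result == "pass":
        return "reject" if mail_from_domain.lower() in blocklist else "accept"
    return "accept-and-filter"               # none / neutral / softfail / permerror


if __name__ == "__main__":
    for ip, dom in [("192.0.2.77", "example.com"), ("203.0.113.5", "example.com"),
                    ("203.0.113.5", "spammer.example"), ("203.0.113.5", "nospf.example")]:
        print(f"{ip:>14} {dom:<18} {check_host(ip, dom):<8} "
              f"{receiver_policy(ip, dom, {'spammer.example'})}")
```

Running the block prints one line per case: the forged source fails example.com's "-all" policy and is rejected; the same IP passes spammer.example's "+all" record, which is exactly why a pass can safely feed a domain blocklist; and a domain publishing no record yields "none", which a receiver can only filter rather than reject.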

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to http://v2.listbox.com/member/?listname

