spf-discuss

Re: Lawsuits, angry business users, and SPF stupidity.

2004-01-13 08:03:54
Chris Drake wrote:

> Take a look at mailblocks then - IMHO it's the best implementation
> available for anti-spam.  SPF isn't designed for spam blocking, so if
> you're looking for an anti-spam SPF is not going to solve much.

First of all, let me say that I agree with you about the fact that SPF is not a spam blocker. It is mostly an anti-email-forgery tool, which is very useful, and is valuable in that it helps prove to you that the person who sent the email to you (and wants your business) is using a valid return address so you can contact them and conduct this business.

I just took a look at "Mailblocks", which appears to be a Challenge/Response solution, just like the one I use for myself, which is called TMDA (http://www.tmda.net).

However, there is an inherent problem with Mailblocks and all C/R systems:

Consider the scenario where a spammer pretends to be me, and sends out a few thousand emails with me as the supposed sender. He happens to send one to you, using Mailblocks. Mailblocks replies to the spam, asking it to validate itself, so I get the challenge. I didn't request this challenge from you - this is spam because of your mail filter. This is commonly referred to as "Joe-jobbing". Some people get so angry when this happens to them that they will blacklist you or your entire domain and never send/receive emails/business from you ever again. I personally think that's an unreasonable response to this harmless situation, but SPF will have prevented this if I publish SPF domains and you respect them, since that spam would have been dropped and not challenged, since according to SPF it was definitely not a legitimate email.

The other main problem with C/R responses is that some people on the internet consider it rude to challenge every incoming email. I'm not going to start a debate about whether their indignation is justified, because to them it is. If one of these people sends you an email, and Mailblocks challenges it, they will not reply to a challenge, and you will never get their email. Again, some people here get so angry they blacklist your entire domain and never do any business with anyone there ever.

I personally use SPF to mitigate this somewhat - if a sender is guaranteed to be a legitimate sender (SPF passes them), I let them through without challenge and let other anti-spam solutions pick up the tab. If SPF proves that the address is forged, of course I do not challenge the message, because I know the alleged sender will not be expecting the challenge anyway. This reduces problem 1 above for people whose domains have implemented SPF. If SPF doesn't know anything about the email, I then challenge it - since I have no other way to know who sent it and I want to ensure that it was a real person, and not spam software.

> Unfortunately, for technical reasons, I can't myself use mailblocks,
> but everyone I know who uses it swears by it.

I really like TMDA too, but it's just one layer in my anti-spam solution, and not the be-all / end-all. In fact, anyone who says "X is the only thing you need to block spam" is wrong. I know that SPF isn't the "grand unified spam solution", nor is SpamAssassin, or Blacklisting, or Challenge/Response, or anything else. I use many of these tools all together to block unwanted email and preserve "good" email. I consider SPF to be a valuable part of this, and it will soon be much more effective as more people adopt it.

> There's a few other things that are similar too - I forget the names
> of them, though I've been asked to authenticate by them a few times.

TMDA is one. There are many others, some open source, some pay-ware. I heard a rumour that even Hotmail can do something like this now.

> And of course - since it's user-to-user, nobody who isn't looking for
> spam blocking gets affected (like all the users of an ISP for
> example).

It's true that it is not usually implemented ISP-wide, but that is up to the policy of the ISP. If they want to "help you" eliminate spam by automatically challenging every incoming email, that is up to them. If they want to block all spam with the word "mother-in-law" in the subject, that is also up to them. It is up to you as a consumer to find a better ISP if you don't like their policy on spam / email / bandwidth usage / etc.

--
Jim Ramsay
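As an added illustration of the SPF-gated challenge policy described above (example code written for this archive page, not from TMDA, Mailblocks, or the SPF project): a toy SPF evaluator that understands only ip4 mechanisms and the "all" qualifiers, fed from a constructed record table instead of DNS, plus the deliver / drop / challenge decision built on its result. The domains, addresses and the choice to challenge on softfail are all assumptions.

```python
import ipaddress

# Constructed sample SPF records standing in for DNS TXT lookups (not real data).
DNS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",      # strict: forgeries fail
    "softfail.example": "v=spf1 ip4:198.51.100.10 ~all",  # lenient: softfail
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip):
    """Minimal SPF evaluation: ip4 mechanisms and 'all' only.

    Returns 'pass', 'fail', 'softfail', 'neutral', or 'none' (no record)."""
    record = DNS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"                          # unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qual]         # 'all' always matches
        if term.startswith("ip4:"):
            net = ipaddress.ip_network(term[4:], strict=False)
            if ip in net:                   # mismatched IP versions never match
                return QUALIFIERS[qual]
    return "neutral"                        # record exhausted without 'all'


def cr_policy(sender_domain, client_ip, whitelisted=False):
    """Decide what a challenge/response filter should do with a message."""
    if whitelisted:
        return "deliver"
    result = spf_check(sender_domain, client_ip)
    if result == "pass":
        return "deliver"    # sender is genuine; leave it to other spam filters
    if result == "fail":
        return "drop"       # forged sender: a challenge would only joe-job the victim
    # none/neutral/softfail: nothing proves who sent it, so ask the sender
    # to confirm (treating softfail this way is a local policy choice).
    return "challenge"
```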

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to http://v2.listbox.com/member/?listname(_at_)

