Re: Lawsuits, angry business users, and SPF stupidity.
2004-01-13 08:03:54
Chris Drake wrote:
> Take a look at mailblocks then - IMHO it's the best implementation
> available for anti-spam. SPF isn't designed for spam blocking, so if
> you're looking for an anti-spam SPF is not going to solve much.
First of all, let me say that I agree with you about the fact that SPF
is not a spam blocker. It is mostly an anti-email-forgery tool, which
is very useful, and is valuable in that it helps prove to you that the
person who sent the email to you (and wants your business) is using a
valid return address so you can contact them and conduct this business.
I just took a look at "Mailblocks" which appears to be a
Challenge/Response solution, just like the one I use for myself which is
called TMDA (http://www.tmda.net)
However, there is an inherent problem with Mailblocks and all C/R systems:
Consider the scenario where a spammer pretends to be me, and sends out a
few thousand emails with me as the supposed sender. He happens to send
one to you, using Mailblocks. Mailblocks replies to the spam, asking it
to validate itself, so I get the challenge. I didn't request this
challenge from you - this is spam because of your mail filter. This is
commonly referred to as "Joe-jobbing". Some people get so angry when this
happens to them that they will blacklist you or your entire domain and
never send/receive emails/business from you ever again. I personally
think that's an unreasonable response to this harmless situation, but
SPF will have prevented this if I publish SPF domains and you respect
them, since that spam would have been dropped and not challenged, since
according to SPF it was definitely not a legitimate email.
The other main problem with C/R responses is that some people on the
internet consider it rude to challenge every incoming email. I'm not
going to start a debate about whether their indignation is justified,
because to them it is. If one of these people sends you an email, and
Mailblocks challenges it, they will not reply to a challenge, and you
will never get their email. Again, some people here get so angry they
blacklist your entire domain and never do any business with anyone there
ever.
I personally use SPF to mitigate this somewhat - if a sender is
guaranteed to be a legitimate sender (SPF passes them), I let them
through without challenge and let other anti-spam solutions pick up the
tab. If SPF proves that the address is forged, of course I do not
challenge the message, because I know the alleged sender will not be
expecting the challenge anyway. This reduces problem 1 above for people
whose domains have implemented SPF. If SPF doesn't know anything about
the email, I then challenge it - since I have no other way to know who
sent it and I want to ensure that it was a real person, and not spam
software.
> Unfortunately, for technical reasons, I can't myself use mailblocks,
> but everyone I know who uses it swears by it.
I really like TMDA too, but it's just one layer in my anti-spam
solution, and not the be-all / end-all. In fact, anyone who says "X is
the only thing you need to block spam" is wrong. I know that SPF isn't
the "grand unified spam solution", nor is SpamAssassin, or Blacklisting,
or Challenge/Response, or anything else. I use many of these tools
altogether to block unwanted email and preserve "good" email. I
consider SPF to be a valuable part of this, and it will soon be much
more effective as more people adopt it.
> There's a few other things that are similar too - I forget the names
> of them, though I've been asked to authenticate by them a few times.
TMDA is one. There are many others, some opensource, some pay-ware. I
heard a rumour that even Hotmail can do something like this now.
> And of course - since it's user-to-user, nobody who isn't looking for
> spam blocking gets affected (like all the users of an ISP for
> example).
It's true that it is not usually implemented ISP-wide, but that is up to
the policy of the ISP. If they want to "help you" eliminate spam by
automatically challenging every incoming email, that is up to them. If
they want to block all spam with the word "mother-in-law" in the
subject, that is also up to them. It is up to you as a consumer to find
a better ISP if you don't like their policy on spam / email / bandwidth
usage / etc.
--
Jim Ramsay
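
The SPF-gated challenge policy described in the message above, as an added example that is not part of the original post and is not code from TMDA or Mailblocks. It assumes the receiving MTA prepends a Received-SPF header; the function names, the constructed sample messages, and the choice to challenge on every result other than pass or fail are assumptions of the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# pass -> deliver unchallenged; fail -> drop, never challenge; anything else
# (none, neutral, softfail, errors) -> challenge. Lumping the "anything else"
# results together is an assumption of this example.
ACTIONS = {"pass": "deliver", "fail": "drop"}

def spf_result(raw):
    """SPF result from the topmost Received-SPF header, or 'none' if absent."""
    headers = message_from_string(raw).get_all("Received-SPF") or []
    # Trust only the first header: it is assumed to be the one the local MTA
    # prepended. Headers further down arrived with the message itself.
    m = re.match(r"\s*([a-z]+)", headers[0], re.I) if headers else None
    return m.group(1).lower() if m else "none"

def cr_action(raw):
    """Map the SPF result of one message to deliver / drop / challenge."""
    return ACTIONS.get(spf_result(raw), "challenge")

def challenge_recipients(batch):
    """Return-Path addresses that would be sent a challenge for this batch."""
    out = []
    for raw in batch:
        if cr_action(raw) == "challenge":
            msg = message_from_string(raw)
            out.append(parseaddr(msg.get("Return-Path", ""))[1])
    return out

def make(spf_headers, sender):
    """Build a constructed sample message (not taken from the thread)."""
    head = [f"Received-SPF: {h}" for h in spf_headers]
    head += [f"Return-Path: <{sender}>", f"From: {sender}", "Subject: hi"]
    return "\n".join(head) + "\n\nbody\n"

# Constructed samples using documentation-reserved domains and addresses.
PASS = make(["pass (192.0.2.10 is permitted for example.org)"], "alice@example.org")
FORGED = make(["fail (198.51.100.7 is not permitted for example.org)"], "jim@example.org")
NO_RECORD = make([], "bob@example.com")
STALE = make(["fail (local check)", "pass (carried in the message)"], "jim@example.org")

if __name__ == "__main__":
    batch = [("pass", PASS), ("forged", FORGED), ("no record", NO_RECORD), ("stale", STALE)]
    for name, raw in batch:
        print(f"{name:10} -> {cr_action(raw)}")
    print("challenges go to:", challenge_recipients([raw for _, raw in batch]))
```

Only the sender with no SPF information is challenged, so the forged jim@example.org messages produce no challenge mail to the real owner of that address.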
-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt