1) SPF checking should NOT be done at SMTP time. It is less intrusive to
the entire installed base of email infrastructure to process an email
AFTER
it as been accepted. In this way, it can be processed along with other
spam-related checks. And,
2) The major argument for processing SPF at SMTP time has been bandwith
and
processing savings, which I believe are MINIMAL for non-ISP's.
Quite the opposite, I think it is irresponsible to accept mail for
delivery
and then quietly delete it instead. I want reliability of delivery to
become
a design goal once again, othewise email is doomed as a medium.
So I _always_ either (a) reject at SMTP time, or (b) send a bounce. I
would
rather not do a bounce unless SFP has 'passed', to avoid annoying innocent
victims of joe-jobs. Hence I perform all spam checks prior to acceptance.
This often means rejecting after the DATA has been transmitted, and since
some
sending MTA's do not deal with this correctly I employ temporary
blacklisting
in order to block their repeated re-delivery attempts. (reject afer MAIL
FROM
during the blacklist period, with a "sending host blacklisted, see <url>
to
unblock" error text).
Looking through my logs, I have noticed one unexpected consequence of this
-
spammers who receive rejections at SMTP time seem to be removing me from
their lists. I imagine this is because so many people fake or munge email
addresses that they need to cleanup their lists somehow.
Which leads me to the shocking conclusion that the spam problem may in
part be
exacerbated by MTA's which misleadingly _appear_ to accept mail. These
MTA's
are basically giving the false impression that the mail will be delivered,
hence encouraging spammers to continue sending more.
Wow. Sounds like you have a pretty good setup. It also sounds like you are
extremely competent and can take care of most of this yourself. I wish that
I could do the same! I kind of agree in that for any message deleted
automatically, the sender should be notified. I am looking for something
that will get SPF into my organization with the least amount of delay and
impact, though. If I could find a spam product that checked SPF on
delivered messages, I would be quite happy. I would ideally like to have a
setup like yours someday.
Have you given any thought to selling your service or operating it for
others?
Marc
-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to
http://v2.listbox.com/member/?listname(_at_)©#�«Mo\¯HÝÜîU;±¤Ö¤Íµø�?¡