spf-discuss

Re: General Status of SPF

2004-02-28 08:28:22

On Feb 27, 2004, at 04:29, David Woodhouse wrote:
On Thu, 2004-02-26 at 16:39 -0600, Andrew W.Donoho wrote:
In my very small community mail service, I cannot imagine that one of
my users would prefer that I protect the ability of an external to our
community user's ability to poorly use SPF and accept joe-jobbing as
the consequence.

The people out there forwarding their mail have been doing so for years.
They are not 'poorly using SPF'. They are using SMTP, and may have been
doing so for 20 years or more. They may not even have heard of SPF,
until valid mail starts bouncing.


David,


We are in a world that is exploiting flaws in SMTP. If you want to fix the flaws, something has to change. Just like in any town that grows into a city, new laws are required. That is happening to the internet. The town has become a global community in a flash. The service that forwarders have been exploiting for 20 years is also the service that SPAMmers exploit to dramatically reduce the value of an essential service, email. Choosing between the societal value of forwarding versus the harm of SPAM is not hard. As someone who advises law enforcement on internet issues, I have been exposed to some of the fraudulent scams that I, personally, have never received in email. (I'm not talking about kiddie porn here but scams that drain people's bank accounts and financially wreck lives. We are living in a big city indeed!) Laws have been written but law enforcement does not have the tools to enforce those laws. Putting in place protocols to enable systems that choose to discriminate against servers that will not legitimately advertise themselves is a foundation of a civil internet society. SMTP is weak in this area. To preserve a civil internet, we need some kind of tool to help sysadmins and users to discriminate legitimate versus illegitimate uses of the internet. Identity of services is a core need to perform that discrimination. SPF is a very weak form of identity. My efforts at examining the results of trying different anti-SPAM strategies on my small, free community email service led me to believe that identity mechanisms like rDNS, envelope checking and HELO/EHLO checking are uncommonly effective. Here is some data from the week starting on February 16 for email blacklists on my server (and no snickering about the small number of SMTP transactions my small community of friends use):

Mail.DDG.com               Average
relays.ordb.org                 11
hil.habeas.com                 241
sbl-xbl.spamhaus.org         3,298
bl.spamcop.net               1,040
rDNS & Other Checks          6,528
Totals:                     11,117

This is displayed in the order that the DNSBLs are checked. I find it instructive that the rDNS and other checks that occur after the other DNSBL checks still reject more email than the others combined. Therefore, this data leads me to believe that SPF and/or MS Caller-ID have an excellent chance of limiting SPAMmers. My rDNS checks have produced very few false positives. When they do produce an FP, a simple email exchange through my postmaster account solves the problem. The only people who have had problems fixing their rDNS (I only check for existence not match) have been vanity domains. Frankly, because I am a small server, I can whitelist these folks but I also have no qualms about denying them mail. Running a vanity domain is not, in my opinion, an excuse for poorly advertising a server. Either do it right or contract with someone who can. Forward and reverse DNS are a foundation of internet identity. If you cannot even do this, how likely are you able to run effectively the much more complex SMTP service? How likely are you to be able to close your open relay?

I guess we have to agree to disagree on the relative values of forwarders versus the value of constraining channels being abused by spammers. I agree with Bill Gates on this, SMTP will be changed in the next few years. I think it is likely that a scheme put together by this community and led by a mainstream forwarding vendor (Meng from pobox.com) has the best chance of preserving needed forwarding services. To that end, I have put in place an SPF record with a -all trailer for DDG.com. I'll let this group know when I get the first SPF related forwarding failure. (Since I am small, I doubt that I will ever see one.)

Best Regards,
Andrew

____________________________________
Andrew W. Donoho
awd(_at_)DDG(_dot_)com, PGP Key ID: 0x81D0F250
+1 (512) 453-6652 (o), +1 (512) 750-7596 (m)
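The two checks discussed in this message, an rDNS existence check on the connecting IP and an SPF record ending in "-all", can be demonstrated with a small evaluator. The following is an added example, not code from the post or from any SPF implementation; the DNS table, the domain names and the IP addresses are constructed placeholders, and only the ip4 and all mechanisms are modelled (a, mx, include and redirect are skipped). It shows why a forwarder's IP fails a "-all" record for the original sender's domain, which is the forwarding breakage the thread is about.

```python
"""Minimal SPF (v=spf1) evaluator plus rDNS existence check over a constructed DNS table."""
import ipaddress

# Constructed, in-memory stand-in for DNS (placeholder names and RFC 5737 test addresses).
DNS = {
    "TXT": {
        "sender.example": ["v=spf1 ip4:192.0.2.10 ip4:192.0.2.32/28 -all"],   # hard fail
        "softfail.example": ["v=spf1 ip4:203.0.113.7 ~all"],                 # soft fail
        "nospf.example": ["some unrelated txt record"],                       # no SPF record
    },
    "PTR": {
        "192.0.2.10": "mail.sender.example",
        "198.51.100.5": "fwd.forwarder.example",   # a third-party forwarder's MTA
    },
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def get_spf_record(domain):
    """Return the v=spf1 TXT record for a domain, or None if it has none."""
    for txt in DNS["TXT"].get(domain, []):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def check_spf(client_ip, mail_from_domain):
    """Evaluate ip4 and all mechanisms left to right; first match decides."""
    record = get_spf_record(mail_from_domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        result = QUALIFIER_RESULT[qualifier]
        if term == "all":
            return result
        if term.startswith("ip4:"):
            # strict=False lets a bare host address be parsed as a /32
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return result
        # other mechanisms are not modelled here and are skipped
    return "neutral"   # no mechanism matched and no "all" term


def has_rdns(client_ip):
    """Existence-only reverse DNS check, as the post describes (no forward match)."""
    return client_ip in DNS["PTR"]


def smtp_policy(client_ip, mail_from_domain):
    """Combine the checks into an accept/reject decision with a reason."""
    if not has_rdns(client_ip):
        return ("reject", "no rDNS for " + client_ip)
    spf = check_spf(client_ip, mail_from_domain)
    if spf == "fail":
        return ("reject", "SPF fail for " + mail_from_domain)
    return ("accept", "SPF " + spf)


if __name__ == "__main__":
    # Direct delivery from the sender's own MTA passes.
    print(smtp_policy("192.0.2.10", "sender.example"))
    # The same envelope sender relayed by a forwarder hits "-all" and is rejected.
    print(smtp_policy("198.51.100.5", "sender.example"))
    # A host with no PTR record is refused before SPF is consulted.
    print(smtp_policy("203.0.113.9", "sender.example"))
```

The forwarder case is the one the message calls an "SPF related forwarding failure": the envelope sender is unchanged, the connecting IP is not in the sender domain's record, and the trailing "-all" turns that into a hard fail.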


