Re: General Status of SPF
2004-02-28 08:28:22
On Feb 27, 2004, at 04:29, David Woodhouse wrote:
On Thu, 2004-02-26 at 16:39 -0600, Andrew W.Donoho wrote:
In my very small community mail service, I cannot imagine that one of
my users would prefer that I protect the ability of an external to our
community user's ability to poorly use SPF and accept joe-jobbing as
the consequence.
The people out there forwarding their mail have been doing so for
years.
They are not 'poorly using SPF'. They are using SMTP, and may have been
doing so for 20 years or more. They may not even have heard of SPF,
until valid mail starts bouncing.
David,
We are in a world that is exploiting flaws in SMTP. If you want to fix
the flaws, something has to change. Just like in any town that grows
into a city, new laws are required. That is happening to the internet.
The town has become a global community in a flash. The service that
forwarders have been exploiting for 20 years is also the service that
SPAMmers exploit to dramatically reduce the value of an essential
service, email. Choosing between the societal value of forwarding
versus the harm of SPAM is not hard. As someone who advises law
enforcement on internet issues, I have been exposed to some of the
fraudulent scams that I, personally, have never received in email. (I'm
not talking about kiddie porn here but scams that drain people's bank
accounts and financially wreck lives. We are living in a big city
indeed!) Laws have been written but law enforcement does not have the
tools to enforce those laws. Putting in place protocols to enable
systems that choose to discriminate against servers that will not
legitimately advertise themselves is a foundation of a civil internet
society. SMTP is weak in this area. To preserve a civil internet, we
need some kind of tool to help sysadmins and users to discriminate
legitimate versus illegitimate uses of the internet. Identity of
services is a core need to perform that discrimination. SPF is a very
weak form of identity. My efforts at examining the results of trying
different anti-SPAM strategies on my small, free community email
service led me to believe that identity mechanisms like rDNS, envelope
checking and HELO/EHLO checking are uncommonly effective. Here is some
data from the week starting on February 16 for email blacklists on my
server (and no snickering about the small number of SMTP transactions
my small community of friends use):
                          Mail.DDG.com Average
relays.ordb.org                   11
hil.habeas.com                   241
sbl-xbl.spamhaus.org           3,298
bl.spamcop.net                 1,040
rDNS & Other Checks            6,528
Totals:                       11,117
This is displayed in the order that the DNSBLs are checked. I find it
instructive that the rDNS and other checks that occur after the other
DNSBL checks still reject more email than the others combined.
Therefore, this data leads me to believe that SPF and/or MS Caller-ID
have an excellent chance of limiting SPAMmers. My rDNS checks have
produced very few false positives. When they do produce an FP, a simple
email exchange through my postmaster account solves the problem. The
only people who have had problems fixing their rDNS (I only check for
existence not match) have been vanity domains. Frankly, because I am a
small server, I can whitelist these folks but I also have no qualms
about denying them mail. Running a vanity domain is not, in my opinion,
an excuse for poorly advertising a server. Either do it right or
contract with someone who can. Forward and reverse DNS are a foundation
of internet identity. If you cannot even do this, how likely are you
to be able to run the much more complex SMTP service effectively? How likely
are you to be able to close your open relay?
I guess we have to agree to disagree on the relative values of
forwarders versus the value of constraining channels being abused by
spammers. I agree with Bill Gates on this, SMTP will be changed in the
next few years. I think it is likely that a scheme put together by this
community and led by a mainstream forwarding vendor (Meng from
pobox.com) has the best chance of preserving needed forwarding
services. To that end, I have put in place an SPF record with a -all
trailer for DDG.com. I'll let this group know when I get the first SPF
related forwarding failure. (Since I am small, I doubt that I will ever
see one.)
Best Regards,
Andrew
____________________________________
Andrew W. Donoho
awd(_at_)DDG(_dot_)com, PGP Key ID: 0x81D0F250
+1 (512) 453-6652 (o), +1 (512) 750-7596 (m)
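The reverse-DNS check Andrew describes above ("existence, not match"), shown here as an added illustration that is not code from the post or from any product it mentions: the resolver is an injected function so the check runs offline against constructed zone data, and the stricter forward-confirmed variant is included for comparison.

```python
# Added example: reverse-DNS acceptance check in two strengths.
# The resolver is injected so this runs offline against the constructed
# records below; for real use, replace sample_resolver with a function
# that performs live PTR and A lookups (for example via dnspython).
import ipaddress

# Constructed sample zone data (not real hosts): PTR records are keyed by
# the in-addr.arpa name, A records by hostname.
SAMPLE_PTR = {
    "10.2.0.192.in-addr.arpa": "mail.example.net",    # PTR and A agree
    "20.2.0.192.in-addr.arpa": "vanity.example.org",  # PTR exists, A elsewhere
    # 192.0.2.30 deliberately has no PTR record at all
}
SAMPLE_A = {
    "mail.example.net": ["192.0.2.10"],
    "vanity.example.org": ["198.51.100.5"],
}

def sample_resolver(qname, qtype):
    """Offline stand-in for a DNS resolver; an empty list means NXDOMAIN."""
    if qtype == "PTR":
        return [SAMPLE_PTR[qname]] if qname in SAMPLE_PTR else []
    if qtype == "A":
        return SAMPLE_A.get(qname, [])
    raise ValueError("unsupported query type %s" % qtype)

def check_rdns(ip, resolver, require_match=False):
    """Return (verdict, reason) for a connecting IP.

    require_match=False: accept if any PTR record exists (the policy in
    the post, which is lenient toward vanity domains).
    require_match=True: also require that the PTR name's A records contain
    the connecting IP (forward-confirmed reverse DNS), which rejects a PTR
    that points at a name resolving elsewhere.
    """
    addr = ipaddress.ip_address(ip)
    names = resolver(addr.reverse_pointer, "PTR")
    if not names:
        return "reject", "no PTR record for %s" % ip
    if not require_match:
        return "accept", "PTR exists: %s" % names[0]
    for name in names:
        if str(addr) in resolver(name, "A"):
            return "accept", "forward-confirmed: %s" % name
    return "reject", "PTR %s does not resolve back to %s" % (names[0], ip)
```

With the constructed data, 192.0.2.20 passes the existence-only check but fails the forward-confirmed one, which is exactly the vanity-domain case the post chooses to tolerate.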