spf-discuss

Re: Security Paper on forgery bounce DDoS

2004-04-18 15:15:56
On Sunday 18 April 2004 23:33, Seth Goodman wrote:
mailer will likely be negligible for either SPF or SES.  Since you
don't mind splitting hairs, SPF requires SRS, which requires a hash
...

It seems that my reason to be here is a bit different than most other 
people here. I'm not here because I think that SPF will solve my spam 
problem right now, and I'm also not here because I want to help 
introduce a new technology which might become something later this 
year.

I'm here for one simple reason: I believe that SPF can do something 
for me, now. You like SES, because it does something for you now. 
Besides SES and SPF, I also use a Challenge-Response system named 
"Active Spam Killer" on some of my e-mail accounts, because it helps 
me fight spam now.

So what do those technologies do:
- Active Spam Killer: Removes most spam but annoys those sending 
something to me.
- SES: Removes spam hiding as bounces
- SPF: Increases the chance that my e-mails get through spam filters 
and reduces the ability of others to abuse my e-mail address for 
spam. Also, it enables my friends to whitelist my e-mail address, if 
they have an SPF based filter system.

Several times, I have experienced that people got spam, sent from an 
e-mail address that uses my domain name. With SPF, I can document 
that this e-mail was not from me - before SPF, I couldn't. The 
recipient obviously doesn't have an SPF filter (then they wouldn't 
contact me about spam), but being able to document that it wasn't me 
means something.

Also, all my business contacts can whitelist my e-mails, if they have 
SPF based filtering. This ensures a very high degree of trust in the 
sender address. They may not trust other e-mail addresses, but they 
know that they can trust mine.

Now, how do I make my business contacts and friends use SPF based 
filtering? Well, SpamAssassin has it built-in in the next version. 
This is extremely significant to me, because most people and 
companies that I e-mail very often use SpamAssassin for 
spam filtering.

What about SES? Frankly, I don't have a big problem with fake bounce 
messages - they typically get caught in my SpamAssassin filters. 
Also, SES is not a part of SpamAssassin, and will therefore not be as 
much deployed as SPF during 2004. One day the world might look 
different, but SES doesn't solve a problem in my world right now - 
SPF does.

I'm actually quite impressed by the work behind SPF. SPF is simple, 
easy to deploy (getting easier all the time), marketing has been 
excellent (SpamAssassin, AOL, Slashdot etc.) and the technology is 
robust. My guess is that SPF will be used to put trust in e-mails 
from certain domain names in 2004, and in 2005 we will probably see 
effective blacklist systems for SPF-enabled domain names, and then I 
believe that spam is a non-issue at places where the e-mail admin 
knows how to set up things right.

Lars.

-- 

Mobile: 20331241
Alt.: 70201241
Fax: 70201242