spf-discuss
Re: The New SPF: introducing RFROM

2004-05-21 13:30:24

On Thursday 20 May 2004 19:27, Meng Weng Wong wrote:
> However, The New SPF points out that the joe-job protection promised
> by The Old SPF was largely illusory: to really get that protection,
> the whole world had to become SPF compliant.  Seth Goodman has been
> saying this for a long time, and The New SPF agrees with him that if
> you really want joe-job protection you need to get off your ass and do
> SES.  With SES, you don't care whether the rest of the world
> cooperates or not.

Erm, but I'm really struggling to see exactly how SES protects me from 
joe-jobbing without SPF.

If I get a fake bounce I can classify/bin it, fine, but it hasn't done 
anything about the original libel of someone sending mail claiming it's from 
me, and it hasn't helped the receivers (who receive the joe-jobbed spam) 
determine that it wasn't really from me (cf. someone telling the world I'm a 
sheep scarer, but when the vigilantes come to visit I can pretend they're not 
really kicking my teeth in).

With SPF, when I get bad bounces or abuse complaints or angry phone calls I 
can tell the bouncer that they should be checking SPF records and then they 
would know this mail is a forgery, but with SES I can't actually do anything 
except bin the bounce (which I can easily do at the moment anyway).

I don't need to wait for the whole world to check SPF records, I just need to 
wait for enough people to check SPF that the spammer decides to stop quoting 
my domain name, and moves on to someone else who, in turn, will presumably 
publish an SPF record themselves.

I can see how SES might help big ISPs who just want to manage mail for other 
people, but for genuine domain owners SES doesn't seem to offer that much.

Unless I'm really missing some important details of SES, please don't think 
that the SPF approach is less useful for all owners.

--
Tim