On Thursday 20 May 2004 19:27, Meng Weng Wong wrote:
> However, The New SPF points out that the joe-job protection promised
> by The Old SPF was largely illusory: to really get that protection,
> the whole world had to become SPF compliant. Seth Goodman has been
> saying this for a long time, and The New SPF agrees with him that if
> you really want joe-job protection you need to get off your ass and do
> SES. With SES, you don't care whether the rest of the world
> cooperates or not.

Erm, but I'm really struggling to see exactly how SES protects me from
joe-jobbing without SPF.

If I get a fake bounce I can classify/bin it, fine, but it hasn't done
anything about the original libel of someone sending mail claiming it's from
me, and it hasn't helped the receivers (who receive the joe-jobbed spam)
determine that it wasn't really from me (cf. someone telling the world I'm a
sheep scarer, but when the vigilantes come to visit I can pretend they're not
really kicking my teeth in).

With SPF, when I get bad bounces or abuse complaints or angry phone calls I
can tell the bouncer that they should be checking SPF records and then they
would know this mail is a forgery, but with SES I can't actually do anything
except bin the bounce (which I can easily do at the moment anyway).

I don't need to wait for the whole world to check SPF records, I just need to
wait for enough people to check SPF that the spammer decides to stop quoting
my domain name, and moves on to someone else who, in turn, will presumably
publish an SPF record themselves.

I can see how SES might help big ISPs who just want to manage mail for other
people, but for genuine domain owners SES doesn't seem to offer that much.

Unless I'm really missing some important details of SES, please don't think
that the SPF approach is less useful for all owners.
--
Tim