spf-discuss

Re: AOL to ESPs: Comply with SPF, Or Else

2004-06-11 12:50:51
It would not be "silently dropping" if we have our mailservers reject
inbound emails before they even get sent. It won't take too many of
these:

2004-06-11 10:56:56 Reason: SPF: Please see
http://spf.pobox.com/why.html?sender=jegdmy%40email.ro&ip=69.136.160.146

until people light a fire under their service provider or IT department
to get it fixed immediately. The beauty of SPF is that you *can* get it
fixed in a matter of minutes. And if you can't figure it out, then you
really have no business sending me email.



On Fri, 2004-06-11 at 12:07, Paul Iadonisi wrote:
On Fri, 2004-06-11 at 12:59, Jonathan Gardner wrote:

[snip]

I am open to other suggestions. I would rather people had previous notice 
that their emails will be ignored rather than silently dropping millions of 
emails without giving due notice.

  "Silently dropping millions of emails without giving due notice" is
absolutely not what SPF is about.  This is about rejection before DATA
(at least, many of us hope it remains that way after the 'merger' dust
settles).  I consider, and I believe you will find many members of this
mailing list will agree, 'silently dropping' email a *really* bad
thing.  Rejecting or (if the PRA can be verified) bouncing are the only
alternatives that maintain any kind of confidence in email as a message
delivery system.  Filtering, or 'silently dropping' messages is
something that ONLY the end user should be doing.  We can tag and/or
deliver to specific user sub-mailboxes at the system level, but never
silently drop.  At least, IMNSHO.
  For email admins that are not paying attention to SPF and other sender
authentication schemes being discussed, frankly, they *should* be. 
Because messages won't (or shouldn't) be silently dropped, but bounced
or rejected, possibly with appropriate URLs in the DSN pointing them
to the SPF home page (or equivalent), that's all the information they
need to take action.
  I find the idea of blasting an email to postmaster@* quite distasteful
and believe it would be hypocritical of us to do so, considering the
focus of this effort.
  Spam (including RFC2821/RFC2822 forgeries) is most definitely on every
email admin's radar on the planet, given its sheer volume.  Sure there
will always be detractors, but I doubt we are going to find many people
competent in administering email systems that will be ignorant of
ongoing efforts to make spammers' lives harder.
  That said, I'm sure the articles in Linux Journal were a big help. 
More articles like that in other tech journals are a good thing to shoot
for.  There was also a significant boost in SPF publishing after the
Spam Conference at MIT in January.  More events like that where system
and email admins gather would be appropriate.  Those who have press
contacts should be keeping them up to date on flag days and such.  There
are a number of other avenues that can be taken, perhaps even including
a separate marketing fund that SPF could maybe take donations for?
--
-Paul Iadonisi
 Senior System Administrator
 Red Hat Certified Engineer / Local Linux Lobbyist
 Ever see a penguin fly?  --  Try Linux.
 GPL all the way: Sell services, don't lease secrets

--
Scott Taylor - <security(_at_)303underground(_dot_)com> 

Death wish, n.:
        The only wish that always comes true, whether or not one wishes it to.
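
The reject-before-DATA behaviour discussed in this thread, as an added example that is not part of the original messages or of any SPF implementation: a receiver evaluates the sender's policy at MAIL FROM and refuses a failing session with a reply pointing at the explanation page. The function names, the 550 reply code, the sample record and the addresses are assumptions constructed for illustration, and only `ip4:`, `ip6:` and `all` terms are evaluated.

```python
import ipaddress
from urllib.parse import urlencode

# Explanation page format taken from the log line quoted in the thread.
WHY_URL = "http://spf.pobox.com/why.html"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Constructed sample policy (documentation address range, not a real domain's record).
SAMPLE_RECORD = "v=spf1 ip4:198.51.100.0/24 -all"


def spf_result(record, client_ip):
    """Evaluate the ip4:/ip6:/all terms of an SPF record against the client IP."""
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if not term.startswith(("ip4:", "ip6:")):
            # a, mx, include, ... need DNS lookups; refuse rather than guess.
            raise ValueError(f"mechanism not handled in this example: {term}")
        if ip in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"


def mail_from_reply(sender, client_ip, record):
    """Decide the reply to MAIL FROM, i.e. before DATA is ever sent.

    Returns (smtp_code, text, spf_result). A "fail" is refused in-session so the
    sending server learns about it; every other result is accepted and the
    result is handed back for tagging, never used to drop mail silently.
    """
    result = spf_result(record, client_ip)
    if result == "fail":
        query = urlencode({"sender": sender, "ip": client_ip})
        return 550, f"SPF: Please see {WHY_URL}?{query}", result
    return 250, "OK", result


if __name__ == "__main__":
    print(mail_from_reply("user@example.com", "192.0.2.10", SAMPLE_RECORD))
    print(mail_from_reply("user@example.com", "198.51.100.7", SAMPLE_RECORD))
```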