spf-discuss
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: RE: AOL to ESPs: Comply with SPF, Or Else

2004-06-12 15:48:30
from [James Couzens] [Permanent Link] 
On Sat, 2004-06-12 at 15:11, spf(_at_)kitterman(_dot_)com wrote:


I think that Jonathan Gardner's point above:

"I think when most spammers publish SPF records, we will have won" is a key
point.  I thought the ending domain forgery was the purpose of SPF.  I want
SPF to get to the point where I can safely publish a -all for my domain.  I
want mail receivers (at whatever level) to respect that -all and not blame
me for what I didn't do.  I want to see an end to spam with my name on it.


I think if more people would stay in-line with this thinking we would be
a lot better off.  Unfortunately we are being infected by feature-creep
and although there is clear remedy its not an easy thing to fight.

As I stated in the lightning-talk I gave at cansecwest/core04 shortly
after Bob Beck's lightning-talk on OpenBSD's anti-spam efforts, "SPF is
not about anti-spam, its about anti-forgery". 


An end to spam would be nice, but SPF isn't going to do it alone.  I don't
really need SPF to stop spam at the user level (for me, SpamAssassin catches
about 99.9% of it without false positives).  What I need SPF for is a
reliable way to define the permitted sources of e-mail for my domain.


This is very true.  I am in the same boat as you, and this is the very
reason for why I joined this project in the first place.  I don't worry
though, people are out there publishing SPF1 records, more and more
every day.  Given the inherently lazy nature of most people, the effort
exerted to publish the volume that already exists, it is unlikely that
people would turn around and:

A) remove them

or

B) patch their mta further with an XML library and a bloated and
diseased SPF2 implementation.



All the other stuff about reputation services and black listing is good, but
lets not get the cart before the horse.  Getting SPF (and SRS or
whitelisting or whatever) deployed has got to be the initial focus.  I would
suggest that anti-forgery needs to remain the focus or we will end up trying
to be all things to end spam and SPF will get to complicated to deploy.

Anti-forgery first, then anti-spam.


EXACTLY.

Cheers,

James

-- 
James Couzens,
Programmer
-----------------------------------------------------------------
XML is WRONG, and here it doesn't BELONG.
Neither in SPF, nor inside of DNS,
its fat and its bloated and so I express:
JSON - "The FAT FREE alternative to XML"
http://www.crockford.com/JSON/xml.html
-----------------------------------------------------------------
http://libspf.org -- ANSI C Sender Policy Framework library
http://libsrs.org -- ANSI C Sender Rewriting Scheme library
-----------------------------------------------------------------
PGP: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xBD3BF855

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Send us money!  http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your 
subscription, 
please go to 
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com

Attachment: signature.asc
Description: This is a digitally signed message part

[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: RE: AOL to ESPs: Comply with SPF, Or Else, spf
Next by Date:  Re: AOL to ESPs: Comply with SPF, Or Else, Lars B. Dybdahl
Previous by Thread:  RE: RE: AOL to ESPs: Comply with SPF, Or Else, spf
Next by Thread:  Re: AOL to ESPs: Comply with SPF, Or Else, Paul Iadonisi
Indexes:  [Date] [Thread] [Top] [All Lists]