The results I've obtained with aggressively modified SPF have
been nothing short of amazing. Really unbelievable. Jaw
dropping. It's been at a perfect 100% (no joke, 100% without
any outside help) since my last significant tweak about three
days ago. Only about three or four messages out of the 477
blocked so far ever got through--and those would have been
stopped by the adjustments they subsequently inspired.

I've been baffled by the degree of success, but now I think I
figured out what's going on.

CAN-SPAM

This much derided law does actually make most spammer practices
illegal. You can get hit with serious fines and even tossed in
jail.

Spammers are many things, but stupid doesn't seem to be on that
list. They don't want to risk their necks (or more
realistically, the cost of paying a defense lawyer) if they can
avoid it. They could comply with the law, but that would
probably decimate their businesses. Since it's trivial to
obscure the origin of spam messages, it's only prudent that all
of them do it religiously. Thus MTA access control works
perfectly in the present, mostly non-SPF world.

Of course one can steal credit cards and buy throwaway domains
with them. However, that's yet another crime--worse actually
than spamming. A quick glance at the law reveals that violating
CAN-SPAM in combination with any other offense is the thing that
triggers jail time. Up to five years.

This whole line of thinking has brought me a great sense of relief!

Spammers will eventually start going to throwaway domains using
stolen credit cards or cash transactions (thus putting the
complicit registrars at accreditation risk), but they won't do
it until they are truly desperate. It may be closer to a year
than to six months before this happens. Adoption of nominal SPF
will likely take till then to reach a point where spammers are
truly squeezed.