spf-discuss

Re: SPF and Responsibility

2004-07-20 02:45:23
Jonathan Gardner wrote:
I'd like to summarize the arguments about SPF and responsibility.

My core argument is that by publishing SPF records, you assume responsibility for email sent with an SPF PASS result for your domain.

Others argue that the internet isn't securable, that people are stupid, and so they can't be held responsible. I say these are irrelevant.

I have a few questions for them. This should expose exactly where they believe responsibility starts and stops.

Hypothetical question: There are two companies, let's say neverspams.com and sometimesspams.com. Both companies send a large amount of email. Both publish SPF records.

In ten years of operation, NeverSpams never ever sends a single spam or virus with email that has SPF PASS. That's literally billions of emails with SPF PASS, and exactly 0 spam or viruses. All are legitimate, solicited email.

In ten years of operation, SometimesSpams occasionally sends spam or viruses with email that has SPF PASS. The total number of spam or viruses sent with SPF PASS among the total amount of email sent with SPF PASS is less than 1%, but still some. That's literally billions of pieces of mail sent with SPF PASS, with only tens of millions of spams sent with SPF PASS.

Would you accept NeverSpams email with SPF PASS without further checks?

Would you accept SometimesSpams email with SPF PASS without further checks?

Would your opinion of SometimesSpams change if SometimesSpams blamed its problems on incompetent staff, lack of funding, geographical location, or bad ISP? What if SometimesSpams is constantly being attacked and compromised?

Would your opinion change if SometimesSpams was ignorant and unresponsive? I.e., they get attacked, but they don't recognize it, or they won't do anything about it for weeks, or they ignore complaints about their compromised servers.

Would your opinion change if SometimesSpams sent 10% spam? 50%? 99%? 100%?

Final Question:

Who is ultimately responsible for NeverSpams' and SometimesSpams's email reputation (with email that has SPF PASS)?

My answers to your questions would be exactly the same if you completely removed all mentions of SPF. Mail from SometimesSpams would not be welcome at my server.

Now the SPF pass results would be strong evidence that I would use to convince myself that SometimesSpams were in fact responsible for the spam sent in their name, just like links back to/embedded images from their website in the spam emails would be strong evidence.

The point you originally made that I (still) take issue with is:

  "When an email is sent using the domain name of an SPF publisher, you
   can compare the server sending the mail and the published sending policy
   of the sender. If it doesn't match, then the message is obviously forged
   and can be discarded. If it does match, then the owner of the domain has
   said that email coming from that server is email coming from him. He has
   claimed responsibility."

Publishing an SPF record from a domain indicates where mail from that domain may legitimately originate. That is the purpose of SPF. That is *not* the same as saying that *any* mail from that source using that domain is legitimate and that the sending domain is claiming responsibility for it. SPF is not equivalent to a DNA test for spammers. It is more akin to a witness line-up. It is evidence, but not strong enough to merit a conviction unless corroborated.

Remember that the original thread was entitled "SPF is not usable as legal measure against spammers." The standard of proof required in a legal case is considerably higher than one would apply to one's mail server filters I'd expect.

Paul.
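To make the distinction Paul draws concrete, here is an added example (not from the thread and not any real SPF implementation): a minimal SPF evaluator that handles only ip4 and all mechanisms, paired with a constructed per-domain history. A PASS only attributes the message to the domain; whether it is then accepted depends on that domain's own record, while a FAIL is rejected as forged. The domain names are the thread's hypotheticals; the records, IP ranges and counts are constructed for illustration.

```python
import ipaddress

# Constructed SPF records for the thread's two hypothetical domains (not real DNS).
SPF_RECORDS = {
    "neverspams.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "sometimesspams.com": "v=spf1 ip4:198.51.100.10 ip4:198.51.100.11 ~all",
}

# Constructed history per domain: (mail received with PASS, spam among it).
REPUTATION = {
    "neverspams.com": (2_000_000_000, 0),
    "sometimesspams.com": (2_000_000_000, 15_000_000),
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, sender_ip):
    """Minimal SPF evaluation: ip4 mechanisms and the 'all' default only.
    Real SPF also has a/mx/include/redirect and DNS lookups; omitted here."""
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:"):
            # strict=False accepts a bare host address as a /32 network.
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"  # record ended without a matching term or an 'all'


def policy(domain, sender_ip, max_spam_rate=1e-4):
    """FAIL: the domain disclaims this source, so the message is forged.
    PASS: the message is attributed to the domain; the domain's own track
    record, not the PASS itself, decides whether it is accepted outright."""
    result = spf_check(domain, sender_ip)
    if result == "fail":
        return result, "reject"
    if result != "pass":
        return result, "content-filter"  # no attribution, weigh other evidence
    total, spam = REPUTATION.get(domain, (0, 0))
    if total == 0 or spam / total > max_spam_rate:
        return result, "content-filter"  # attributed, but history earns no trust
    return result, "accept"
```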
