spf-discuss

Re: Is SPF all that useful?

2004-07-23 17:02:44
On Fri, Jul 23, 2004 at 04:44:05PM -0700, Gilbert, Joseph wrote:
> So, I have been dealing with spam filtering for some time now for my
> organization.  I became aware of SPF today and after looking it over a bit,
> I have some concerns that, in practice, it will do little to deliver on what
> it promises, make it easier to detect spam.

For me spf is not about spam. It is about stopping anyone from
pretending to be sending mail @mydomain.nl.

> Until issues A and B are fully handled, SPF can not effectively work for any
> site that has secondary, tertiary, etc mail servers set up for the domain.
> Nothing prevents the spammers from writing an MTA that avoids sending spam
> to the primary mail server for a domain.  As stated above, spammers must be
> assumed to be smart and able to find these holes.

I run spf with a secondary mx and have no problem with it. How? The
secondary does spf checks as well as all other checks my primary does, and
the primary trusts everything it receives from the secondary. Now the
only problem I see with this is that someone could be able to spoof the
ip of my secondary, but that's a risk I'm willing to take.

> At this point, it seems to me that SPF, in its current incarnation, does not
> have much hope of being effective in detecting spam.  However, on the
> surface, it looks enticing.  Thus, you can imagine why Microsoft has
> announced they will start checking SPF records on Oct 1.  Unfortunately,
> what that means to me and other domain admins who are paying attention is
> that we will have to publish SPF records or risk having less of our users'
> valid email making it through to recipients.  So far, it seems that SPF has
> delivered a higher cost to administering mail services with little benefit
> being delivered.

If you don't publish SPF, your mail will simply be delivered as always.
Nowhere have I read anything that mail from domains that don't publish
spf will be rejected automatically. And even if a message has an spf
PASS result, it can still be spam. But if a message from
someone(_at_)metro(_dot_)cx has an SPF pass result, it certainly is from my
outgoing smtp server and therefore can only be spam if my outgoing smtp
server is compromised. Of course, I take precautions to minimize the
risk of my mta being compromised.

Btw, it has been said many times by several people on this list that 'spf
is not an anti-spam tool', but I agree that the PR seems to contradict
this. Forget the PR, PR is useless. Look at spf itself, I think it gives
a better picture of what it is and isn't.

Koen

-- 
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/
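
The secondary-MX arrangement described in the message above, sketched as an added example (not code from the post or from any SPF implementation): the primary skips SPF for its trusted secondary and checks every other client. The domain, addresses, function names and the reject-on-fail policy are assumptions, and the evaluator handles only the `ip4`, `ip6` and `all` mechanisms.

```python
import ipaddress

# Constructed sample data (documentation address ranges), not taken from the post.
TRUSTED_RELAYS = [ipaddress.ip_network("192.0.2.25/32")]         # the secondary MX
SPF_RECORDS = {"example.nl": "v=spf1 ip4:198.51.100.0/24 -all"}  # stands in for a DNS TXT lookup
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Evaluate the ip4, ip6 and all mechanisms of one SPF record, left to right."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
            continue
        # a, mx, include, redirect etc. need DNS and are outside this sketch
        raise ValueError(f"mechanism not handled here: {name}")
    return "neutral"                         # no mechanism matched


def primary_mx_decision(client_ip, mail_from):
    """Return (action, reason) for a connection arriving at the primary MX."""
    ip = ipaddress.ip_address(client_ip)
    # The secondary already ran SPF against the original client, so the primary
    # must not re-check: it would test the secondary's own address and fail.
    if any(ip in net for net in TRUSTED_RELAYS):
        return ("accept", "trusted-relay")
    record = SPF_RECORDS.get(mail_from.rpartition("@")[2].lower())
    if record is None:
        return ("accept", "none")            # domain publishes no SPF: deliver as always
    result = evaluate_spf(record, client_ip)
    return ("reject" if result == "fail" else "accept", result)
```

Because the exemption is keyed on the connecting address alone, it is only as strong as the network path between the two servers, which is the spoofing risk the message mentions.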
