-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of
Rodolfo Sikora
Sent: Wednesday, August 18, 2004 9:43 PM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] Some thoughts about spam and SPF
Well, I'm managing about 1.5 million email boxes right now, and I can
say SMTP AUTH does the job. If someone starts to spam, u can lock it
out.
And I have been blocking the whole comcast, ameritech, verison dsl
networks. 80% of my incoming spam is comming through these providers.
I guess that serious people uses smtp auth.
One small point, Verizon DSL uses SMTP Auth. I believe SMTP Auth is
necessary, but not sufficient.
I'm going to use SPF not to block email, but to whitelist emails so my
anti spam solution won't touch these "ham" email.
If my system detect a spam from a domain using SPF, this domain will
be blocked automatcly.
Sounds good in general, but one question:
I use (among others) Verizon DSL as an SMTP service. Since they use SMTP
Auth, I can use them even when I'm not connected through their network.
Because of the way SMTP Auth is set up for Verizon DSL, and Verizon DSL
customer can claim to be sending from any domain. As a result, to protect
myself from cross-customer forgery (which might result in you blacklisting
me), I have ?include:verizon.net in my SPF record.
Is that enough to get me whitelisted and delivered to a gmail account? The
spec says with a NEUTRAL result you "MUST proceed as if a domain did not
publish SPF data". Your default would, I guess, be to reject my message
since it came off of the Verizon SMTP server. Is that right? Is that what
you would want?
Scott Kitterman