On Sat, 2004-08-28 at 07:48, AccuSpam wrote:
Playing devils advocate here so we can resolve in draft stage...
Please correct me if I am mistaken, but it appears that SPF supports the
ability to set different rules on different subdomains (sub.domain.tld).
Yes. I use this facility myself. In fact the majority of SPF-publishing
domains should be using it, to allow separate rules for the main domain
and the names of the hosts within that domain.
e.g. the SPF record for example.com will allow mail from all legitimate
servers for example.com, but the SPF record for mail-server1.example.com
would specify only that single host (for HELO checking).
Thus the apparent intent implied by the syntax is that SPF declaration can
support subdomain reputations. But then what stops a spammer from creating
infinite subdomains to bypass reputation anti-forgery, analgous to how (a few
astute) spammers create infinite new variations of words to bypass Bayesian
anti-spam?
SPF and reputation services are separate things. People wanting to use
SPF as part of an anti-spam solution will need reputation services, and
the problem is for the reputation services to handle, it's not an
inherent problem with SPF.
I feel that reputation services will need to use some function of the
"spamminess" of subdomains to create a "spamminess" figure for a domain
itself. This system can work all the way up to the root ... where it
could be bad news for owners of .biz domains IMHO.
Paul.
--
Paul Howarth <paul(_at_)city-fan(_dot_)org>