Re: SPF adoptees

> If I define spam as commercial email then 90% of the spf pass are spam.
But what you're omitting or missing is that even if it is 90%, to at 
least a large extent it is spam from spammers *on whom you can draw a 
bead*.  If they are passing, and let's assume some error there so that 
it's not 90% - even if it's 75% - that is a large number of spammers 
who are now sitting ducks.
The irony in all this is that spammers having adopted SPF means it is 
*working* on one level, not that it has failed!  The purpose of SPF is 
to be able to tie a domain to a responsible IP address, and to be able 
to with some certainty identify forged domains when they don't match 
with the responsible IP address.
It's like walking into an urban jungle and being able to identify and 
distinguish the shoplifters from the armed  felons.
We give points in IADB for senders who publish SPF records because they 
are generally senders who are _trying_ to do the right thing, who will 
remove your address from their list if you click on their unsub link, 
etc..      They stay in one place, you can find them, and they are 
willing to stand up and say "we send from these domains, and here are 
the IP addresses which support these domains."  Sure, maybe they opted 
you in without your permission, and that's wrong, but they are _not_ in 
the same league as the forging, spoofing, zombifying people who are 
hawking herbal and marital supplements.
The brighter that line can be drawn, and SPF _does_ help draw that 
line, the more we can concentrate on the really bad guys, and *that*, 
my friends, is what is going to stop spam.  Being able to direct 
resources to the real root of the problem.
Anne

Anne P. Mitchell, Esq.
President/CEO
Institute for Spam and Internet Public Policy
Professor of Law, Lincoln Law School of SJ
Committee Member, Asilomar Microcomputer Workshop