The last time I read the specs, SPF recommends you accept email from someone
without an SPF record. Spammers don't need domains. They can find domains
without SPF records all day long. Examples:
archives.listbox.com.
www.inboxevent.com.
Took me about 2 minutes to find these!
The default behavior of SPF should be to assume -all for a domain without an
SPF record. Sure it will break things. Give 1 year before it takes effect.
Maybe auto-reply with a warning email that says "you don't have an SPF
record see pobox.org, you have until ??? to comply".
Guy
-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of David
Woodhouse
Sent: Wednesday, September 15, 2004 5:57 PM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] SPF-compliant phishing?
On Wed, 2004-09-15 at 13:42 -0700, Jonathan Gardner wrote:
The benefit comes because of the MO of the spammers of today.
Because the spammer modus operandi never changes?
We already know how to find spammers who use their machines to send spam.
We
need to have a way to find spammers who abuse other's machines to send
spam. SPF provides a way to get directly to the party responsible.
You're clutching at straws. You can register domains without proof of
identity, and that's even assuming the spammers use a domain which they
registered for themselves, rather than some other domain which happens
to permit the machine which has been compromised.
--
dwmw2
-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
http://www.InboxEvent.com/?s=d --- Inbox Event Nov 17-19 in Atlanta features
SPF and Sender ID.
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com