spf-discuss

RE: SPF-compliant phishing?

2004-09-16 15:22:13
If we don't have a "flag day", then the delivery of email will be
unpredictable!  This is not a good state to be in!  And since there will be
no requirement to assume -all, then some people will just be lazy and the
spam will never stop.

Sure, some people will just block SPF NEUTRAL email, but that's my point!
They may be blocking real email.  We need a predictable system!

Guy

-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of 
Jonathan Gardner
Sent: Thursday, September 16, 2004 3:46 PM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] SPF-compliant phishing?

On Wednesday 15 September 2004 03:12 pm, Guy wrote:
> The last time I read the specs, SPF recommends you accept email from
> someone without an SPF record.  Spammers don't need domains.  They can
> find domains without SPF records all day long.  Examples:
> archives.listbox.com.
> www.inboxevent.com.
> Took me about 2 minutes to find these!
>
> The default behavior of SPF should be to assume -all for a domain without
> an SPF record.  Sure it will break things.  Give 1 year before it takes
> effect. Maybe auto-reply with a warning email that says "you don't have
> an SPF record see pobox.org, you have until ??? to comply".


There's no need to have a flag day. People will do this naturally. Think of 
all the email you receive. Classify it based on the SPF result of the 
email. You basically will have three piles: SPF PASS, SPF 
NEUTRAL/UNKNOWN/etc, and SPF FAIL.

We already know to throw out the SPF FAIL pile. We take the SPF PASS and 
apply scrutiny to the name attached to it. What do we do with the SPF 
NEUTRAL pile? We do what we've always done with email - filter it, abuse 
it, etc...

Now, imagine all the "good" email from the SPF NEUTRAL pile that you get 
every day begins to disappear. As good senders get smarter, they will move 
their mail into your SPF PASS pile, because their good name will help that 
email get delivered faster and more accurately.

But compound that with the stupid spammers that are having their email come 
in your SPF PASS pile. You are going to be able to identify them, and you 
won't accept their email at all. (Oh, a message from AlwaysSpams.com? I 
could check their SPF record, but since I know it will be spam anyway, I'll 
refuse this message.) The only spammers that will survive are the spammers 
who put their mail in your SPF NEUTRAL pile.

One day, you will be able to say that every piece of mail you get in the SPF 
NEUTRAL pile is crap. Well, enough of it that you don't want to read it 
anymore, at least. So you can just start refusing to accept that kind of 
mail. It's your choice as a receiver whether or not to receive email.

There doesn't need to be a flag day. This day will come naturally. People 
will make the decision based on their own needs and frustration. Already, 
some individuals are refusing to accept SPF NEUTRAL mail.

-- 
Jonathan M. Gardner

