spf-discuss

Re: Re: [SPF Classic] Policy best practices should be kept out

2004-10-07 06:46:16
Tony Finch wrote:

> On Thu, 7 Oct 2004, Frank Ellermann wrote:
> > what do you think SPF does without a -all?
>
> You can't use SPF to reject even with a -all, because it'll reject too
> much legitimate email.
>
> http://www.imc.org/ietf-mailsig/mail-archive/msg00286.html
>
> Tony.

That's like saying you can't reject if reverse DNS is not set up.

Now.... yes... at first you cannot reject. But, given 4 to 6 months, I bet the likes of AOL, Earthlink and so on 'will' begin to reject mail that does not pass SPF... therefore the first projected dates of October 1st to have records in place.. seems we all missed that one since we still don't know for sure what records to have in place.... and January 1st for a 'go live' date... and as time passes along with no standard, I guess we'll be missing that one. (Thanks again Micro$oft!).

So, yes, at first you shouldn't reject on this basis, but, as the big guys make it a must, the rest of us small guys can follow. Then those spammers who are using SPF will be more easily reported to blacklisting and it will be much easier to run a 'legitimate' blacklist.

The big providers have for the most part all agreed together to put into place Authentication, some sort of SPF and a monitoring system for their users. They are waiting on us for SPF!! I know Earthlink sent out a mail mailing informing all their clients that they would need to turn on smtp auth in their clients. And I bet (hope) the user monitoring systems are going into place to stop these compromised computers. So... where's the SPF already? If we keep screwing around with what it's going to be, that 'group' may fall apart as well and then the likelihood of any 'standard' emerging is less. Nobody would like this more than M$, as they will do all they can to strongarm their system onto everyone else. If AOL, Comcast, Earthlink and Charter (who I've not heard anything from) will agree to SPF, that pretty much decides it.

I believe a standard will emerge and will be used for blocking just as rev DNS is used. How many of you out there got caught by AOL's implementation of that system? I for one was thrilled when they did it because it caused 'almost' all of the mailservers out there to fix their DNS and I was then able to follow with the same system change and my logs suddenly showed 'lots' of bounced messages due to bad DNS. I'm of the opinion that if you don't run proper DNS, you don't belong on the net and SPF is just another step along the way where we all will need to make our entries and again run proper DNS.

So, am I missing something here? Why can't we reject based on no SPF record? Not at first, but once the bulk of the domains have SPF records.

And yes, I know it will not stop spam, but it will put an end to a lot of spamming methods. I bet 50% or more of the spam comes from compromised computers and the large providers seem to be taking a stance on that. And at least there will be a 'good' way to 'know' who sent the message in terms of a program looking at one string in a header, and allow for accurate blacklisting. Can someone please explain to me what I'm missing?

Meanwhile, as I typed this message, 347,866,539,101 spams were sent, wasting 48,314,797 man hours (5 seconds per spam) and untold processing power in dealing with this problem.