spf-discuss

SPF authenticates, it does not identify spam

2004-10-21 13:20:57
Hello,

In your interesting comments to the FTC Email Authentication Summit
(http://www.ftc.gov/os/comments/emailauthentication/512447-0043.pdf),
you say:

There is no reason spammers can't authenticate their servers. In
fact, they are already doing so, and this makes server
authentication useless as a means of identifying spam.

This is a complete misunderstanding about the purpose of SPF. SPF
*authenticates*. It just says "This email does come from eff.org". It
does not recognize or "identify" spam, like Bogofilter or SpamAssassin
do.

Think of an ID card. Criminals can get an ID card, too. Are ID cards
useless? No, but you have to know what to expect of them: they
authenticate, they do not vouch for your honesty.

SPF may limit the spam, but as a side effect: once every email is
authenticated, domain-based whitelists will work (I cannot whitelist
eff.org at the present time, because it can easily be forged) and
spammers will be more "in the open", so it will be easier to track
them (it is already possible, with the current email headers, but SPF
will make it easier).

You also say:

Researchers from email service company CipherTrust write that "a
spam message is three times more likely to pass an SPF check than it
is to fail it."

But you do not mention that your strange reference, CipherTrust, sells a
competing system and so is interested in bashing SPF. The complete
CipherTrust study is quite broken from the beginning and no one else
found the same figures.

Your other concerns about email authentication are too important to be
endangered by such a mistake about the way SPF works and by blindly
reusing such a dubious "study".
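
The distinction drawn in the message above, as an added example that is not part of the original post: SPF only answers whether the connecting server may use the domain name, and a separate per-domain list decides whether the mail is wanted. The records, the IP ranges, the blacklist, the domains other than eff.org and the function names are constructed assumptions, and only the `ip4`, `ip6` and `all` mechanisms are evaluated.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (documentation IP ranges).
SPF_RECORDS = {
    "eff.org": "v=spf1 ip4:192.0.2.0/24 -all",
    "bulk-mailer.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "newsender.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}
WHITELIST = {"eff.org"}              # domains this receiver trusts (assumption)
BLACKLIST = {"bulk-mailer.example"}  # domains this receiver has tracked as spam sources (assumption)

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, client_ip):
    """Evaluate only the ip4/ip6/all mechanisms of a constructed SPF record."""
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                       # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        name, _, value = term.partition(":")
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(value, strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"

def classify(domain, client_ip):
    """SPF decides whether the domain name is genuine; the lists decide about spam."""
    result = check_spf(domain, client_ip)
    if result == "fail":
        return "reject: forged sender domain"
    if result == "pass" and domain in WHITELIST:
        return "accept: authenticated and whitelisted"
    if result == "pass" and domain in BLACKLIST:
        return "reject: authenticated and blacklisted"
    # A pass from an unlisted domain, or no usable SPF result, classifies nothing.
    return "content filter: SPF %s says nothing about spam" % result
```

A pass from `newsender.example` still goes to the content filter, while a forged `eff.org` sender is rejected before the whitelist is ever consulted.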

