spf-discuss

RE: SPF Organization - Questions to ALL participants on the list on future of SPF Community

2004-10-24 02:10:09

Hi All,

SPF is pointless because everyone wants to stop spammers, a few people
want to stop phishing, and still fewer would like to end forgery.

However you organize in the future is a waste of time - SPF does
nothing to block spammers nor phishing ("From:" header forgery), so
other technologies that do block 'em will eradicate SPF in the near
term. 

Effort is best spent leaving SPF and going someplace that solves the
problems everyone is looking to solve.

Kind Regards,
Chris Drake

I always love it when someone says "You can't do it, it will be obsolete so
don't try"

If everyone waited for a better solution to come along in the future,
nothing would ever get created because we would all be waiting for someone
else to invent it.

SPF does work at what it's supposed to do. It allows a server to validate
that the sending server is authorised to send mail for a given domain. It
does not attempt to say that the message is valid and from who it appears
to be from, any more than it says that the message is virus free.

How does this fight spam? Well, if all spammers have to use domains that
they have to buy, it puts their costs up and it allows us to blacklist them
and their servers using RBLs. It prevents viruses sending out infected
messages that appear to be from a different domain.

Authenticating a sender is a different matter entirely. I don't think it's
appropriate for an MTA to be used to authenticate senders (beyond SMTP
AUTH). It means that once the authentication mechanism is adopted it will
become THE most attacked authentication system in the history of man because
if you find a way to break it you can make a HUGE sum of money. If I want
to authenticate using PGP why should I be forced to buy a VeriSign
certificate so that some ISP relay somewhere won't reject my messages?

Banks should approach phishing with email the same way they do phishing by
phone (which still goes on), educate people that the bank will NEVER EVER
send an email asking you to log in and supplying a link to their site.

Technology can never be a crutch for stupidity.

Regards, Richard.
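
Added example, not part of either message: a reduced SPF check in Python illustrating the point made in the reply that SPF authorises the sending server for the envelope domain and makes no statement about the "From:" header. The records, addresses and function names are constructed for illustration, and only the ip4, ip6 and all mechanisms are evaluated.

```python
import ipaddress

# Constructed sample data: the TXT records a receiving MTA would fetch from DNS,
# embedded here so the example runs offline.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all",
    "example.net": "v=spf1 ip4:203.0.113.0/28 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, mail_from):
    """Evaluate a published policy for the connecting IP and envelope sender.

    Hypothetical helper: handles ip4, ip6 and all only; include, a, mx and
    redirect would need DNS lookups and are reported as "unsupported".
    """
    domain = mail_from.rpartition("@")[2].lower()
    terms = SPF_RECORDS.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # the domain publishes no SPF policy
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            return "unsupported"
    return "neutral"  # no mechanism matched and the record has no "all"


def receive(client_ip, envelope_from, header_from):
    """Receiver-side decision: header_from is deliberately never consulted."""
    return check_spf(client_ip, envelope_from)


if __name__ == "__main__":
    print(receive("192.0.2.10", "bounce@example.com", "security@bank.example"))
    print(receive("203.0.113.77", "alice@example.com", "alice@example.com"))
```

The first call passes even though the header names an unrelated domain, which is why header-level forgery needs a separate control; the second fails because the connecting address is outside the published ranges.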


