I'd like to request that if people continue the thread about whether SPF has any
future (the technology itself), they do it with a new subject.

Please keep the answers to the "SPF Organization - Questions to ALL" post
http://archives.listbox.com/spf-discuss(_at_)v2(_dot_)listbox(_dot_)com/200410/0860.html
only to the questions provided and preferably with one of the provided answers
so it can easily be summarized.

And please do keep answering it; so far we have got only a dozen people who
answered and there are reportedly several hundred people on this list,
so I'm hoping more of you can find time to answer at least the main
question (although I understand quite a large number of people here are
reporters and others who are just watching us and do not consider
themselves participants - but you can still answer this questionnaire
if you care what is to become of SPF).
On Sun, 24 Oct 2004, Richard Bang wrote:
Hi All,
SPF is pointless because everyone wants to stop spammers, a few people
want to stop phishing, and still fewer would like to end forgery.
However you organize in the future is a waste of time - SPF does
nothing to block spammers nor phishing ("From:" header forgery), so
other technologies that do block 'em will eradicate SPF in the near
term.
Effort is best spent leaving SPF and going someplace that solves the
problems everyone is looking to solve.
Kind Regards,
Chris Drake
I always love it when someone says "You can't do it, it will be obsolete so
don't try"

If everyone waited for a better solution to come along in the future,
nothing would ever get created because we would all be waiting for someone
else to invent it.

SPF does work at what it's supposed to do. It allows a server to validate
that the sending server is authorised to send mail for a given domain. It
does not attempt to say that the message is valid and from who it appears
to be from, any more than it says that the message is virus free.

How does this fight spam? Well, if all spammers have to use domains that
they have to buy, it puts their costs up and it allows us to blacklist them
and their servers using RBLs. It prevents viruses sending out infected
messages that appear to be from a different domain.

Authenticating a sender is a different matter entirely. I don't think it's
appropriate for an MTA to be used to authenticate senders (beyond SMTP
AUTH). It means that once the authentication mechanism is adopted it will
become THE most attacked authentication system in the history of man because
if you find a way to break it you can make a HUGE sum of money. If I want
to authenticate using PGP why should I be forced to buy a VeriSign
certificate so that some ISP relay somewhere won't reject my messages?

Banks should approach phishing with email the same way they do phishing by
phone (which still goes on), educate people that the bank will NEVER EVER
send an email asking you to log in and supplying a link to their site.
Technology can never be a crutch for stupidity.

Regards, Richard.