William,
I've never been one to try to reduce one's enthusiasm. I say "Go West!"
However, I see SPF's future very limited. We have SPF1 implemented for what
now? Over 1 year in our software, and since April/04 released in our
production line. I don't see SPF2 in the future, certainly not in current
incarnation.
But more importantly, I need to see a most greater usage. Currently, SPF1 is
just one part of a total suite of AVS stuff. It represents nearly a 0.0%
amount of reasons for rejects. On a related note, 12% is captured via HELO
local domain spoofing, which was moved outside of SPF1 checking due to the
lack of cohesiveness in the specs in this regard.
In addition, a few more items to point out:
1) I have trouble with new specifications that attempt to "fix" or solve one
problem, but then opens a few more problems at the same time.
2) This direction of getting into a "committee" which will be mostly made up
of "administrative level" people, well, it will all be deja-vu again, never
seeing anything get done right with conflictive philosophies betweens admins
and developers.
3) This direction of moving SPF into a "product line" itself, well, runs
risk against about the true nature of the specification. You are just
trying to do too much and its not going to work too well, I am afraid. If
you want to see someone pull a support at a snap of a finger, go ahead and
complicate the spec with nonsense.
So I think whatever you do in "getting your act straight," you need to get
some of the basic issues in SPF1 resolved, clean up the specs and at most,
provide a support area, if required.
I see the "charter and future" for SPF very limited. If you think PRA is
part its future, then see 1, 2 and 3 above.
Other than that, I say "Go West!"
--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
----- Original Message -----
From: "william(at)elan.net" <william(_at_)elan(_dot_)net>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Sunday, October 24, 2004 5:50 AM
Subject: RE: [spf-discuss] SPF Organization - Questions to ALL particpants
on the list on future of SPF Community
I'd like to request that if people continue thread about if SPF has any
future (the technology itself) they do it with new subject.
Please keep the the answers to "SPF Organization - Questions to ALL" post
http://archives.listbox.com/spf-discuss(_at_)v2(_dot_)listbox(_dot_)com/200410/0860.html
only to the questions provided and preferably with one of provided answers
so it could easily be summarized.
And please do keep answering it, so far we got only dozen people who
answered and there are reportedly several hundred people on this list,
so I'm hoping more of you can find time to answer at least the main
question (although I understand quite large number of people here
reporters and others who are just watching us out and not consider
themselves participants - but you can still answer this questinair
if you care what is to become of SPF).
On Sun, 24 Oct 2004, Richard Bang wrote:
Hi All,
SPF is pointless because everyone wants to stop spammers, a few people
want to stop phishing, and still fewer would like to end forgery.
However you organize in the future is a waste of time - SPF does
nothing to block spammers nor phishing ("From:" header forgery), so
other technologies that do block 'em will eradicate SPF in the near
term.
Effort is best spent leaving SPF and going someplace that solves the
problems everyone is looking to solve.
Kind Regards,
Chris Drake
I always love it when someone says "You cant do it, it will be obsolete
so
don't try"
If everyone waited for a better solution to come along in the future,
nothing would never get created because we would all be waiting for
someone
else to invent it.
SPF does work at what its supposed to do. It allows a server to validate
that the sending server is authorised to send mail for a given domain.
It
does not attempts to say that the message is valid and from who it
appears
to be from, any more that it says that the message is virus free.
How does this fight spam. Well, if all spammers have to use domains that
they have to buy, it puts their costs up and it allows us to blacklist
them
and their servers using RBL's. It prevent viruses sending out infected
messages that appear to be from a different domain.
Authenticating a sender is a different matter entirely. I don't think
its
appropriate for an MTA to be used to authenticate senders (beyond SMTP
AUTH). It means that once the authentication mechanism is adopted it
will
become THE most attacked authentication system in the history of man
because
if you find a way to break it you can make a HUGH some of money. If I
want
to authenticate using PGP why should I be forced to buy a verisign
certificate so that some ISP relay somewhere wont reject my messages.
Banks should approach phishing with email the same way they do phishing
by
phone (which still goes on), educate people that the bank will NEVER
EVER
send an email asking you to log in and supplying a link to their site.
Technology can never be a crutch for stupidity.
Regard Richard.
-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
http://www.InboxEvent.com/?s=d --- Inbox Event Nov 17-19 in Atlanta
features SPF and Sender ID.
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
http://www.InboxEvent.com/?s=d --- Inbox Event Nov 17-19 in Atlanta
features SPF and Sender ID.
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com