spf-discuss

RE: Electronic Frontier Foundation (EFF) Article On Anti-Spam Technologies Mentions SPF

2004-11-19 12:28:39
-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com [mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of Greg Connor
Sent: November 19, 2004 1:38 AM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: RE: [spf-discuss] Electronic Frontier Foundation (EFF) Article On Anti-Spam Technologies Mentions SPF

What we should NOT do is give up on SPF and tell everybody "It's Hopeless".
It sounds like that is what you are suggesting... or am I misunderstanding
you?

Do you have an alternative idea, other than "SPF is fundamentally flawed
and we should drop it"?  Something constructive perhaps?  If I read you
right, you are complaining that everyone supporting SPF has dismissed your
concern as unimportant.  Yet, ironically, you are doing exactly what you
don't want others to do -- you are dismissing SPF itself as fundamentally
flawed, and there's no help for it, and anyone supporting SPF is a
crackpot/extremist.  It's actually kind of funny when you think about it.

I'm not saying SPF is hopeless as such, just that deployment should not be
done hurriedly, and that in the hands of someone clueless/greedy with a
captive audience (somebody who can't switch providers for whatever reason),
SPF could hurt people. It may be that I overstated the risks of that
happening in my earlier posts, yes, particularly if end users are flexible
enough. (e.g. if you're forced to receive email to blah(_at_)someisp(_dot_)net and
reply to them using another ISP, and someisp.net is publishing -all and
being greedy about providing SMTP AUTH, you could just set your MUAs to send
your replies from a newer, SPF-valid email and still receive mail sent to
the old address.) I will admit too that perhaps I overestimated IT department
cluelessness, as I discovered in between my previous posts that apparently
one of several specific organizations I had in mind does provide a VPN
service now (though not the more elegant SMTP AUTH) for off-campus users.
And they aren't even publishing SPF... yet? 

Constructive solution? Well... I'm not sure. If I overestimated the boundary
conditions where SPF is a disaster, then maybe you people are right and SPF
will work nicely enough. Personally, what I'd like to see is some form of
technology that can match emails to specific three-dimensional people (some
extension of S/MIME or PGP signing, basically), but without massive
government bureaucracy, regulations, and so on, I'm not sure how workable
that is on a large scale (on a small scale, you can do it already,
obviously). Then everything that isn't matched is a forgery, no matter where
it was sent from. I must admit I know far too little about DomainKeys, but
it might be a step in that direction, except that it works based on domains
rather than end-users... 

Vivien

