On Tue, 2004-12-07 at 12:00 -0500, Scott Kitterman wrote:
Except that CSV doesn't do anything for any mail identity that legitimately
uses my domain name. For ME, irrelevant. For MTA operators, I think it's a
good idea.
Your publication of an SPF record, in isolation, achieves nothing.
Without MTAs checking SPF, it's doesn't make any different. You're
making the information available but the only way it can be used in
practice is by an MTA (or with strong caveats in an MUA).
Consider it holistically and it doesn't really make any difference.
Also, since publishing my -all record, the number of bounces I receive due
to forged spam has dropped about 95%. I consider that a side benifit
(spamassassin was already dealing with them pretty nicely).
Only 95%? That's quite poor in comparison, and it's much higher than any
other estimates I've seen; so much so that I believe it's a guess, and
an inaccurate one at that. Or it's caused by other factors, like the
fact that recipients are slowly starting to get a clue and _reject_ mail
instead of accepting and bouncing it.
I know that on at least one occasion when I reported a user of some
fairly well-known virus-checking software to their ISP's abuse helpdesk
for sending me a 'warning' in response to a virus which is _known_ to
fake its sender, the vendor of the offending software claimed to have
changed the default behaviour of the next release of their software to
refrain from sending such 'warnings'. This was before SES, of course; I
don't accept such bounces these days.
The main
benifit to me is that if someone forges my name, I have a definite defense
to any accusations made against me as a result.
Why so? Because you _claim_ that you don't send mail from the IP address
from which the mail in question was sent? Can you _prove_ that? No more
so than if you were to make a habit of sending GPG-signed mail and
someone receives an offensive mail from you which is not signed.
--
dwmw2