spf-discuss

RE: Should I include major ISPs in SPF for our hosted domains?

2005-01-07 07:21:58
-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of Greg Connor
Sent: Friday, January 07, 2005 2:28 AM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: RE: [spf-discuss] Should I include major ISPs in SPF for our hosted domains?

The list of domains that are totally unprotected is vast, and spammers
don't seem to be affected by SPF really, yet.  Some folks have reported
slightly less forgery of their domain name once they published SPF info,
but I don't think it's enough to celebrate over, yet.

Based on my qualitative assessment of the number of bounce reports I get,
it's been pretty dramatic.  Over 90% reduction.

Hopefully if things go our way, spammers will start to avoid any domain
that publishes SPF records at all.  That will be the first sign that we're
having an effect and starting to gain back some inches from the miles
already lost to the arms race.  The spammers will still be winning, but by
forcing them to change behavior even a little bit, we will have started on
our thousand-mile journey.

There is a flip side to this that people need to be careful of.  Once an SPF pass
is a valuable commodity, then spammers will try to get it.  It may be
coincidence, but we had what I think is a case of this a month or two ago
from one of the people who e-mail in to the pobox web site.

First she needed help getting her SPF records set up correctly so her site
could meet the AOL white list requirements.  We worked through that and then
two days later, she e-mailed back wanting to know why AOL claimed she was
sending them spam.  I looked at the header of one such message and confirmed that
the message had in fact come from her server.  It looked to me like once she
had SPF in place, a spammer looked at her site and found a PHP bug to
exploit.

Could be coincidence.  Could be that SPF PASS is starting to count for
something in the spammer world.

If the first cause was "a small-but-dedicated group publishing SPF
records", and it has the desired effect of "changing spammers' behavior,
even slightly," then we can hope that the next link in the chain is "more
admins take notice of SPF".  If SPF starts to become noticed *because*
spammers have changed their behavior, then there is a better chance that it
will start to move under its own momentum.

In this vision of the future, "more admins take notice of SPF" leads to
"spammers must change tactics again".  It is during this "second wave" that
just merely picking a domain that doesn't have SPF on it won't work as
well, and they will be forced to use same-site forgeries to get their
messages through.

Anyway, my point is, this could be 6 months away, or it could be 2 years
away or more.  Sooner or later, ISPs are going to start thinking, "Boy I
wish there were a clever way to use SMTP AUTH to catch forgeries."  That is
when we need to be ready with sample code and how-to's that show ISPs what
they really need to do to keep up with "New Best Practices".

I think we're getting there now.  I send most all (depends on how busy I am)
spam that makes it through my spam filters to Spamcop.  Looking at the
claimed return path: in the message and where Spamcop thinks the message
originated, I'm actually starting to see a fair fraction where the return
path: is NOT forged.  That wasn't happening before.  Once again, I don't
keep statistics, so this is only a qualitative assessment, but it appears to
me that progress is being made.

Scott Kitterman
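The three outcomes the thread argues about (an unprotected domain yields no verdict, a forged protected domain fails, and a same-site forgery from an authorized host passes) as an added example that is not part of the original message or of any SPF implementation: a minimal SPF evaluator covering only the ip4 and all mechanisms over a constructed DNS table, plus the submission-side binding the SMTP AUTH remark points at. All domain names, addresses and the user table are constructed.

```python
import ipaddress

# Constructed DNS TXT records standing in for real lookups.
DNS_TXT = {
    "protected.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "softfail.example": "v=spf1 ip4:198.51.100.7 ~all",
    # "unprotected.example" publishes no SPF record at all.
}

# Qualifier prefix -> SPF result when a mechanism matches.
QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip):
    """Evaluate ip4 and all mechanisms only (no a/mx/include/redirect).

    Returns one of none, pass, fail, softfail, neutral.
    """
    record = DNS_TXT.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"  # forging a domain with no record is never caught
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUAL:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUAL[qualifier]
        if term.startswith("ip4:"):
            # An IPv6 client never matches an ip4 network (version mismatch).
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUAL[qualifier]
    return "neutral"  # no mechanism matched and no "all" was present


# Same-site forgery: once a submission host is authorized by SPF, anything it
# relays gets a pass, so the submission server itself must tie the SMTP AUTH
# identity to the MAIL FROM addresses that user may use (constructed table).
ALLOWED_MAIL_FROM = {"alice": {"alice@protected.example"}}


def submission_allowed(auth_user, mail_from):
    """Accept MAIL FROM only if it is bound to the authenticated user."""
    return mail_from.lower() in ALLOWED_MAIL_FROM.get(auth_user, set())
```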

