On Wed, 2005-03-23 at 16:56 -0700, David MacQuigg wrote:
If the virus were named "MX-doom" instead of "SPF-doom" it wouldn't have
the same impact on public opinion. Nobody would believe it had anything to
do with MX. SPF has a particular vulnerability here. It may not be
technically correct. It may not be fair. But it is real, and we need to
recognize that it is real. If we cannot make the attack completely
implausible, even to a reporter looking for a story, then we need to at
least be ready with a quick fix, one that is so easy to install that lazy
admins all over the world will do that instead of abandoning SPF.
The "PR problem" that you originally outlined:
Now you have a very big PR problem, much bigger than any of the
technical problems we are talking about now. The problem is to
explain to the world what really happened, and why SPF isn't to
blame.
I'm all ears for solutions.
As far as someone making a planned social attack on SPF that few
listened to reason on, Microsoft did that, and is continuing to do it,
and we're still here -- even making progress, it seems.
As for "quick fixes", I can not come up with any that are less work than
disabling SPF all together. Say the quick fix is to change your SPF
record, most likely close to the absolute minimum amount of work there
could possibly be. This is exactly the same amount of work as removing
your SPF record or commenting out a line in your MTA's configuration.
In which case, if someone has negative information concerning SPF,
they'll just remove it.
--
Andy Bakun <spf(_at_)leave-it-to-grace(_dot_)com>