spf-discuss
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Border Appliances

2005-06-29 12:31:16
from [johnp] [Permanent Link] 


Scott Kitterman wrote:

-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of David 
MacQuigg
Sent: Wednesday, June 29, 2005 2:38 PM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] Border Appliances


At 10:27 PM 6/28/2005 -0700, Greg Connor wrote:



This raises a serious question - If many domains use these "appliance
boxes" as their border MTAs, how can we expect *any* IP


authentication


method to work?  Are we expecting these appliances to be replaced by
general-purpose MTAs?  I assume there is no chance of modifying their
proprietary software.


Probably true that it's difficult or impossible to add after-market, but
if enough of their customers ask for it...

In the early days of SPF, we can probably have a noticeable impact even
without getting 100% adoption in the field... I think we can have a
meaningful impact even at 10%.  All it takes is some of the big name
receivers -- maybe just a handful -- to start checking SPF and


I'm betting


that spammers will start to avoid SPF-protected domains.  May not reduce
overall spam at first, but if domain owners see a decrease in forgery
activity, that's something, at least.


Let's be careful not to over-sell SPF as anything more than a piece of the
solution.  Without a domain-rating system coupled in, the best you can do
is PASS a few well-known domains that authenticate, and maybe FAIL an even
smaller number where the record says -all.  The vast majority will be
"unknown" domains, and whether they authenticate or not, might even
correlate the wrong way with probability of spam. i.e. spammers may be
*more* likely to authenticate their dime-a-dozen names if nobody is
checking reputation.



Your time on the CLEAR list is showing here.

SPF is not anti-spam, it's anti-forgery.  Stopping non-forged spam has
nothing to do with SPF.

I can't speak for anyone else, but since I've published a -all record, the
number of bounce messages I've gotten due to forgery of my domain names has
gone to essentially zero (about one per week rather than dozens/hundreds per
day).  SPF works to do what it was designed to do.  Reputation has NOTHING
to do with it.

If someone as a separate project is building domain based reputation
assessments, great, but it sounds like something SPF could enable, but not
part of SPF.


From an SPF perspective, as long as they don't forge MY domain names, SPF

has done it's job.

"I'm betting that spammers will start to avoid SPF-protected domains." isn't
hype - it's what has happened.  Frank has reported similar results.

Let's be careful not to spread FUD here either.
I totally agree with this sentiment - there are too many people too quick to mis-represent SPF. Perhaps we should dedicate a whole page on the website to declaring what SPF actually is and does -- which has *nothing* to do with spam (that's a happy co-incidence) 

Slainte,

JohnP
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Border Appliances, Scott Kitterman
Next by Date:  SPF and Webmin, John Hinton
Previous by Thread:  RE: Border Appliances, Scott Kitterman
Next by Thread:  Re: Border Appliances, Hector Santos
Indexes:  [Date] [Thread] [Top] [All Lists]