spf-discuss

Re: Role of SPF in fighting spam

2005-06-29 19:31:00
...... Original Message .......
On Wed, 29 Jun 2005 16:00:02 -0700 David MacQuigg <dmquigg-lists(_at_)yahoo(_dot_)com> wrote:
At 02:46 PM 6/29/2005 -0400, Scott Kitterman wrote:

-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of David MacQuigg
Sent: Wednesday, June 29, 2005 2:38 PM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] Border Appliances

Let's be careful not to over-sell SPF as anything more than a piece of the
solution.  Without a domain-rating system coupled in, the best you can do
is PASS a few well-known domains that authenticate, and maybe FAIL an even
smaller number where the record says -all.  The vast majority will be
"unknown" domains, and whether they authenticate or not, might even
correlate the wrong way with probability of spam. i.e. spammers may be
*more* likely to authenticate their dime-a-dozen names if nobody is
checking reputation.

Your time on the CLEAR list is showing here.

Let's discuss only the issues at hand, and not question each other's
motives.  I'm not pushing CSV or their domain-rating system.

No, but you are parroting their anti-SPF lines almost perfectly.

SPF is not anti-spam, it's anti-forgery.  Stopping non-forged spam has
nothing to do with SPF.

Agree.  I was reacting to Greg's "betting that spammers will start to avoid 
SPF-protected domains".  We were talking specifically about spammers.  The 
only thing I would change about your statement is I would say "Stopping 
non-forged spam is not the purpose of SPF."  "nothing to do" would rule out
"enable".

SPF may enable certain things it has nothing to do with.  For example, when 
combined with SPF there are non-evil ways to do Challenge/Response 
anti-spam systems.  It doesn't mean that SPF has anything to do with C/R.

I can't speak for anyone else, but since I've published a -all record, the
number of bounce messages I've gotten due to forgery of my domain names has
gone to essentially zero (about one per week rather than dozens/hundreds per
day).  SPF works to do what it was designed to do.  Reputation has NOTHING
to do with it.

This is good news.  It implies that spammers have noticed your -all and are
not using your domain as a bounce address.  Still, it seems like getting 
rid of fake bounces is only getting rid of a minor annoyance.  They can be 
rejected by other means just as well.

What means would those be?

BTW, the point of that is as a limited direct measure of domain forgery.  I 
have broadband (unlike Frank) and a well trained Bayesian filter that 
spared me most of them in my inbox.

If someone as a separate project is building domain based reputation
assessments, great, but it sounds like something SPF could enable, but not
part of SPF.

Agree.  "Enable" will come automatically.  I'm still hoping for 
"collaborate with", or even just "facilitate".

Sure, just don't say SPF is useless without it (anyone know what happened 
to GOSSIP?).

From an SPF perspective, as long as they don't forge MY domain names, SPF
has done its job.

"I'm betting that spammers will start to avoid SPF-protected domains." isn't
hype - it's what has happened.  Frank has reported similar results.

As I understand it, they are not using SPF-protected domain names in their 
return paths, but they are still sending spam to those domains.

Sure, but the main reason I'm here is to protect my name.  What's that got 
to do with forgery?  What you describe is the system working.

Let's be careful not to spread FUD here either.

I don't see what you are calling FUD.  Please clarify.

Let's be careful not to over-sell SPF as anything more than a piece of the
solution.  Without a domain-rating system coupled in, the best you can do
is PASS a few well-known domains that authenticate, and maybe FAIL an even
smaller number where the record says -all.  The vast majority will be
"unknown" domains, and whether they authenticate or not, might even
correlate the wrong way with probability of spam. i.e. spammers may be
*more* likely to authenticate their dime-a-dozen names if nobody is
checking reputation.

That amounts to SPF is useless without reputation. FUD.

Scott K
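
The two receiver-side outcomes argued over in the message above, as an added example that is not part of the original post or of any SPF implementation: a forged return-path for a -all domain is rejected with no reputation data, while a PASS from an unrated domain only says the name was not forged. The domains, addresses, reputation table and the function names spf_result and receiver_decision are constructed for illustration, and only the ip4 and all mechanisms are evaluated.

```python
import ipaddress

# Constructed sample data: simplified SPF records and a hypothetical
# receiver-side reputation table. Not real domains or ratings.
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 -all",
    "bulk-offers.example": "v=spf1 ip4:203.0.113.7 -all",
    "soft.example": "v=spf1 ip4:198.51.100.0/24 ?all",
}
REPUTATION = {"example.org": "good"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(domain, client_ip):
    """Evaluate a simplified SPF record (ip4 and all only) for client_ip."""
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"  # domain publishes no SPF record
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"  # the default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched


def receiver_decision(mail_from_domain, client_ip):
    """Combine the SPF result with the (optional) reputation lookup."""
    result = spf_result(mail_from_domain, client_ip)
    if result == "fail":
        # Anti-forgery: decided by the domain's own -all, no reputation needed.
        return "reject: forged return-path"
    if result == "pass":
        # Authentication only proves the name; rating it is a separate step.
        rating = REPUTATION.get(mail_from_domain, "unknown")
        return f"authenticated, reputation {rating}"
    return f"unauthenticated ({result})"
```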

