I read this article and thought that it said nothing substantial about
deficiencies in SPF, which I've never held to be an "antispam tool" per
se, but a domain validation tool. The problems identified were with
vulnerabilities in ISP practices, which is the ISP's problem, not SPF's.
The problem facing SPF in particular from my experience is the lag in
SRS deployment and development. I had one user tell me a few weeks ago,
in effect "until you deploy SRS on your mail forwarders, you're just
paying lip service to SPF and solving nothing".
I thanked him for his comments and explained that there has been no
viable implementation of SRS on our MTA (postfix) and there is no
serious development work happening for it. The last time I looked at SRS
(which I do every few months) there seemed to be some sort of infighting
going on between different libraries, different SRS domain names,
different camps, groups, etc., and it didn't look very close to making any
headway. I went on to ask the commenter if he knew of any pointers
toward a solution in this field (SRS deployment under postfix) and have
never heard back.
From an outside supporter looking in, that's where things seem to
break down. We have a medium-sized user base who is, on average, ahead of
the curve technically, people who would embrace SPF fully if it just
wouldn't totally break their forwarding. But there's nothing serious
happening on the SRS front to enable carrier grade deployment.
-mark
P.S. I am somewhat aware that the postfix developers aren't crazy about
SRS and thus, we don't see an SRS implementation coming out of the
postfix developers. But postfix is designed in a way to make it extensible
by other developers. It can be done. I'd be happy to pay some developer
to create a stable, usable SRS implementation on postfix 2.x if that's
what it'll take to get it done.
P.P.S. Can anybody post a link to Suresh's follow-up? I'd like to read it.
wayne wrote:
Well, Nick Fitzgerald told a bunch of people at a virus conference
that SPF can be easily broken by virus writers by having them no
longer forge email addresses.
See:
http://news.zdnet.co.uk/internet/security/0,39020375,39228023,00.htm
Suresh then posted a followup saying how bad SPF is...
--
Mark Jeftovic <mark(_at_)easydns(_dot_)com>
President & CEO, easyDNS Technologies Inc.
ph: +1-(416)-535-8672 ext 225
fx: +1-(866)-273-2892