Kurt Andersen wrote:

> Presumably the actual number is significantly higher as the
> number of domains checking/enforcing SPF records is still
> limited.

Unfortunately I can't really judge it, my "FAIL-test" data is
limited to what I saw when "my" spammer forged addresses at my
vanity host for two weeks this year (after 6 months last year).

*Apparently* I got fewer bogus bounces this year, but probably
that's a side-effect of SC's new reporting policy (last year it
wasn't allowed to report backscatter as spam).

*Obviously* "my" spammer had enough after two weeks this year,
that could be a side-effect of burning his zombies faster when
s/h/it forges FAIL-protected addresses.

Last but not least there are systems using SPF FAIL after SMTP
with e.g. SpamAssassin scoring - in other words they check but
don't really "enforce" SPF. On a single user system that can
be good enough, if this user white-listed his 251-forwarders.

I'd prefer "reject" (= enforce), I don't trust that receivers
get "post-SMTP SPF-scoring" right. From a spammer's POV it's
irrelevant, if he forges SPF-FAIL-protected addresses it won't
arrive on SPF-checking systems, both "enforcing" and "scoring".

Bye, Frank
-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/