On Mon, Dec 04, 2006 at 11:01:03AM -0500, Vince Lotito wrote:
Hi, I've been using SPF and following this community for a couple of
years. I applaud the work of the SPF community.
Then you will know that SPF does not combat spam itself.
Make sure people understand that SPF is about forgery (with or without
malicious intent). Forgery does not mean spam, nor vice versa.
I was contacted last week by a NJ State Assemblyman for my feedback on
an assembly bill title "The New Jersey SPAM Deterrence Act". In short
the bill was not that comprehensive, and after reading my suggestions
the Assemblyman has decide to redraft the bill.
The worst that can happen is to make spam legal. It has happened before,
and now spam is opt-out instead of opt-in. Of course, spammers don't care
that you don't want their spam. They may even remove you out of their
database of email addresses, but then they create ten copies of the address
and place it in ten different email address databases... sigh.
The second worst thing that can happen: unless people publish SPF records,
it is OK to forge their name. You really don't want this in that bill.
If you really want to make a contribution, let people (especially ISPs) *USE*
published SPF records. Publishers alone achieve nothing, the other side
needs to use such a record or else publishing it would be moot.
*if* an SPF policy is published, and if the verification results in something
other than PASS, the sender did not authorize the sending mail server. It should
be a crime to send auto-replies, out-of-office messages, delivery status
notifications and so on, as a result of such email. This is especially the
case for FAIL results. I'm sure others will comment on this, and we'll reach
consensus eventually. Here's a first attempt:
In case the sending hosts results in:
PASS: the host was authorized, it is OK to send replies
NEUTRAL: the host was NOT authorized but also not unauthorized.
we need to discuss what this means for autoreplies and such
SOFTFAIL: the host was NOT authorized and is very likely an unauthorized
host, but not entirely sure YET. Sending DSN is OK, sending
autoreplies and such is probably not.
FAIL: the host was UNauthorized, it is NOT ok to send anything
If an SPF policy is *not* published by a domain, this is not an invitation
to forge addresses. SPF is not to opt-out of forgery. It is a technical
means to enforce a policy, but without SPF this policy should also apply.
Thus: make sure forgery of email addresses (with or without malicious
intent) is a crime. SPF is then an aid to detect and fight such forgery.
*How* forgery is stopped is less important than *that* forgery is stopped.
Alex
-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?list_id=735