Re: SPF (was: Re: PERSONAL xxxx - KTA)

To: Chris Wagner <wagnerc@plebeian.com>
Cc: debian-isp@lists.debian.org
Subject: Re: SPF (was: Re: PERSONAL xxxx - KTA)
From: Joe Emenaker <joe@emenaker.com>
Date: Mon, 02 Jul 2007 15:43:24 -0700
Message-id: <[🔎] 46897F8C.2010705@emenaker.com>
In-reply-to: <[🔎] 20070702121934.HDBK15819.gx6.fuse.net@attic>
References: <[🔎] 20070702121934.HDBK15819.gx6.fuse.net@attic>

Chris Wagner wrote:

At 07:54 AM 7/1/2007 +1000, Craig Sanders wrote:

you misunderstand what SPF is for.  SPF is *NOT* an anti-spam system. it
is an anti-forgery system. SPF's *SOLE* purpose is for a domain owner to
decide which hosts are allowed to send mail claiming to be from their
domain. nothing more, nothing less.

Tell that to all the people who incorporate SPF into their spam scoring
systems. :\

Well, you have to provide incentive for people to actually *implement* SPF.

Here's an analogy that might clear things up:

Suppose we had a problem with terrorists getting on airplanes and doingterroristy stuff. So, we start compiling a list of known terrorists(call it a realtime blacklist, or RBL). So, we start asking people theirname before we let them on the plane and checking it against the list.But then, we find that the terrorists are giving us fake names. So....we issue some ID cards (we'll call them "SPF" cards) so that it's harderfor them to get away with giving a fake name.

Now, notice how the ID cards' primary purpose is to increase theeffectiveness of the blacklists. Okay, fine. But... what do we do withthe people who say they don't have their ID or, for some reason oranother, don't provide it when asked? Well, if that doesn't countagainst them, then the terrorists would just show up and say "my dog ateit", and we'd let them on.

So, there has to be some penalty to not providing SPF. How *much* of apenalty is a dicey issue. If the penalty is *less* than the penalty for*providing* SPF *and* being on a blacklist, then the blacklisted domainswould be rewarded if they turned off their SPF. If the penalty is*higher* than the penalty for providing-yet-being-blacklisted, thenyou'd get legitimate users (who haven't implemented SPF) getting spamscores higher than people on RBLs....


So, it's a bit of a puzzle.

and forcing everyone to shift to it.... you are joking, right?

Well they did force us to get new TV sets. :D  And France has managed to ram
the metric system down the whole world's throats. :(

That's different. In those cases, the existing system really sucked andwas almost more trouble than it was worth. Oh, wait... :P


- Joe

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Reply to:

References:
- Re: SPF (was: Re: PERSONAL xxxx - KTA)
  - From: wagnerc@plebeian.com (Chris Wagner)

Prev by Date: Re: logcheck configuration?
Next by Date: Re: SPF (was: Re: PERSONAL xxxx - KTA)
Previous by thread: Re: SPF (was: Re: PERSONAL xxxx - KTA)
Next by thread: Re: SPF (was: Re: PERSONAL xxxx - KTA)
Index(es):
- Date
- Thread