On Sat, 2005-02-05 at 09:39 -0800, J.D. Falk wrote:
On 02/04/05, Douglas Otis <dotis@mail-abuse.org> wrote:
SPF does nothing, and could actually damage the reputation of those domains that authorize the provider for their mailbox domain using SPF. These records can be read by the spammers and then exploited. Repairing this reputation could be next to impossible.
You touch on some basic realities here:
1. spam coming out of your network will affect your reputation.
2. spam coming out of your own mail machines will affect your reputation even more immediately.
Neither are affected by any of the domain authentication schemes currently in play (SPF, SenderID, DomainKeys, etc.) The spam itself may include forgeries, but that's a different issue.
SPF and Sender ID do not indicate who administers the machine. It is important to understand that SPF and Sender-ID entities are completely unrelated to server administration or ownership. Authentication, and not just authorization, is required to prevent forgeries. Yahoo's DomainKeys or Cisco's IIM could be enhanced to include a unique account identifier, perhaps directly derived from the access server, which would enable a means to directly confront this threat. DK or IIM makes it clear who is administering the server and this authentication permits reputation assessment. Add an account identifier, and the problem is nailed. Reputation is required to abate spam. SPF and Sender-ID CAN NOT support reputation because they REALLY CAN NOT prevent forgeries. There isn't even a consensus which entity should be checked with these schemes. -Doug