Re: Spammers Skirt IP Authentication Attempts
True, but bounces, and anything else with NULL return path, can be taken care of with SRS.
SRS is probably a higher pairwise deployment barrier than SPF. but in any case you should take this argument to the IETF MARID WG, since getting agreement on nanog@ (assuming it's possible) won't stop the SPF steamroller.
See:
http://www.libsrs2.org/
http://www.libsrs2.org/srs/srs.pdf
http://asarian-host.net/srs/sendmailsrs.htm
And be happy, and realise "SPF is worthless" ;)
SRS looks like a better technical solution than SPF, but it's less deployable. for one thing, There Can Be Only One SRS-like thing. there are already many SPF-like things, each with its own adherent-base, and there will be many more.
Is it really worth it for every domain owner on the planet (including spammers!) to implement SPF records in DNS, and the resulting forwarding breakage, simply to provide some fairly intangible "dilution protection" for, primarily, the very small subset of widely-known domains out there?
no. it's the same kind of cost/benefit asymmetry as spam, where everybody has to pay a higher cost but only a few get a significant benefit from it. however, beta was better than vhs, too. and tully's is way Way better than starbucks. being better isn't as relevant as having better marketing. with microsoft backing SPF++ (is it "sender-id" now?), SPF will be widely deployed and the costs and benefits be damned.
... i'm glad that companies bigger and richer than i am find it in their own selfish best interests to push something like SPF -- that means it'll happen. ...
Well that depends. At the moment it looks like the clients will implement a standard that most of the servers will not!
i've begun to hear privacy related concerns, as well. even with jim miller's MAIL-FROM proposal, there's a way to look at the DNS query stream and find out what servers are presently being spammed using your domain name as the source. this is an information leak but i'm willing to live with it. many MTA operators will not be willing to live with this. (maybe some large ones.)
it's useful, just not for the advertised reasons, or a universal reason.
Ah, absolutely yes.
so, i'll take your "SPF is worthless!" statement under advisement.
participants (1): Paul Vixie