|FM||Oct 30, 2007 2:06 pm|
|Jeff Jansen||Oct 30, 2007 9:22 pm|
|cour...@thefreecat.org||Oct 31, 2007 4:05 am|
|gor...@bobich.net||Oct 31, 2007 4:32 am|
|cour...@thefreecat.org||Oct 31, 2007 5:11 am|
|gor...@bobich.net||Oct 31, 2007 5:57 am|
|João Vale||Oct 31, 2007 6:12 am|
|gor...@bobich.net||Oct 31, 2007 6:24 am|
|Arturo 'Buanzo' Busleiman||Oct 31, 2007 6:34 am|
|gor...@bobich.net||Oct 31, 2007 7:03 am|
|FM||Oct 31, 2007 7:24 am|
|gor...@bobich.net||Oct 31, 2007 7:35 am|
|Gordon Messmer||Nov 1, 2007 9:20 pm|
|gor...@bobich.net||Nov 2, 2007 9:43 am|
|Arturo 'Buanzo' Busleiman||Nov 2, 2007 9:50 am|
|gor...@bobich.net||Nov 2, 2007 10:10 am|
|Gordon Messmer||Nov 2, 2007 2:01 pm|
|Gordan Bobic||Nov 2, 2007 2:49 pm|
|Alessandro Vesely||Nov 3, 2007 2:44 pm|
|Gordon Messmer||Nov 3, 2007 5:59 pm|
|Jérôme Blion||Nov 3, 2007 6:16 pm|
|Gordan Bobic||Nov 4, 2007 1:19 am|
|Gordan Bobic||Nov 4, 2007 1:31 am|
|Arturo 'Buanzo' Busleiman||Nov 4, 2007 5:15 am|
|Arturo 'Buanzo' Busleiman||Nov 4, 2007 5:23 am|
|Gordon Messmer||Nov 4, 2007 4:32 pm|
|Jérôme Blion||Nov 4, 2007 4:52 pm|
|Alessandro Vesely||Nov 4, 2007 10:40 pm|
|Bernd Wurst||Nov 4, 2007 11:09 pm|
|Lisa Muir||Nov 4, 2007 11:51 pm|
|gor...@bobich.net||Nov 5, 2007 1:38 am|
|gor...@bobich.net||Nov 5, 2007 1:47 am|
|Lisa Muir||Nov 5, 2007 4:09 am|
|gor...@bobich.net||Nov 5, 2007 4:41 am|
|Lisa Muir||Nov 5, 2007 4:57 am|
|gor...@bobich.net||Nov 5, 2007 5:36 am|
|Harry Duncan||Nov 5, 2007 6:22 am|
|Alessandro Vesely||Nov 5, 2007 8:16 am|
|Alessandro Vesely||Nov 5, 2007 9:08 am|
|Bernd Wurst||Nov 5, 2007 12:44 pm|
|Alessandro Vesely||Nov 6, 2007 12:30 am|
|Subject:||Re: [courier-users] breaking smtp|
|Date:||Nov 5, 2007 4:41:23 am|
On Mon, 5 Nov 2007, Lisa Muir wrote:
I'm questioning the theoretical benefit of it as much as the current practical one. Until it starts being enforceable, it isn't really helping, and setting up SPF records in DNS achieves equally little if nobody is checking them and acting on them.
The theoretical benefit of implementing SPF without enforcing it is that we build a situation where we will in the future have something enforceable which will provide practical benefit.
That's about 2 theoretical levels removed from being useful at the moment.
And considering that bouncing one false positive is typically viewed much more dimly than accepting a hundred true negatives (we are certainly achieving better rates than that without SPF), it doesn't take many non-adopters to kill it off. Not to mention that a lot of perfectly reasonable setups are liable to be non-compliant almost by design.
If it is a standard that everyone else has adopted, then the non adopters will fall into line.
I'll believe it when I see it. Until then, it's just another piece of handwavingly hard-sold vapourware.
Its really simple, all my domains are corporate domains. I can check the logs very easily and determine which other corporates they email, or they can tell me, and if I quickly see that they all have adopted SPF, I'll know its safe to act on the info and any new corporate looking to mail my customers will have to implement SPF in order to do business with them.
That's one hell of a way to lose a lot of customers.
However, if all my customers contacts are sitting waiting to see what everyone else does before acting, then nobody will act without the introduction of an email governing body, which is what we'll end up with if we won't act without someone there to kick our ass and whip us into line so that they can take responsibility for killing the spam problems and charge us a tax for doing it.
You know, that's not all that far removed from just scrapping SMTP all together and putting something else in place. Not that that would be a bad thing, but I think the chances of it happening are similar.
Really, you have a simple thing to set up, set it up, it'll cost you nothing to do it and you'll enable an ungoverned sector solve its own issues and remain ungoverned. However, fail to act, and you will be supporting the introduction of a governing body who will in all probability implement the same solution and charge you taxes for enforcing it quoting the reduction in the cost to businesses as being a huge saving they've achieved.
You don't actually believe that, do you? The notion is about as plausible as bit-tax.
Bottom line is that it is simple and easy to setup SPF, costs virtually nothing, do it, and who knows, maybe no benefit will come from it at all, but not because you sat around talking about it instead of implementing it.
It's simple, but it's also not useful. I find the argument of "we embrace SPF but don't enforce it" hypocritical at best.
More to the point, there's nothing to stop spammers to: 1) Set up their own SPFs for domains they use for spamming. 2) Use existing methods to simply stay within the frame through source address forging. If the zombie is smart enough to relay through the smart host, it doesn't take much more to make it forge the sender address to the same domain as the user's whose machine it hijacked.
At that point we are back where we started. SPF won't help one bit, and implementing would have been a complete waste of time.
Having said all that, cometh that point, we really need to review the entire anti-spam process, because apart from content-based filtering, we are going to be running out of options pretty quickly.