[ On Sunday, March 21, 2004 at 01:56:50 (+0100), Sven Geggus wrote: ]
> Subject: [Exim] Re: Fixing SPF Forward Problem by Reply-to: Hack?
>
> SPF may have its drawbacks, but the SPAM Problem without SPF is certainly
> worse than the forwarding problem we get when adopting SPF.
SPF cannot, and is not intended to, and will not ever, stop any spam.
It won't even begin to stop forged sender addresses from causing serious
problems. I have directly identified well over 3 million SMTP servers,
and there are probably actually twice as many in current production and
that number can only grow, which will not likely ever adopt SPF and all
of which are used daily in active attacks by way of bounces to forged
sender addresses (even if AOL and MSN and a few other large e-mail
providers refuse all e-mail from them because they've failed to adopt
SPF).
SPF is based _entirely_ on totally false assumptions.
The SMTP envelope sender address does not, and can not, authenticate the
sender (and most mail servers in production today don't even have any
way to enforce any policy on the sender addresses they accept and pass
on to other servers). The "sender address" _MUST_ be used _only_ as a
destination of non-delivery status reports, as specified in RFC 2821.
Any use for authentication is extremely misguided and very dangerous.
The AOLs of the world must not be allowed to shove this broken
technology upon anyone.
If you want authenticated e-mail then we already have PGP and S/MIME.
Pick one and USE IT!
- --
Greg A. Woods
+1 416 218-0098 VE3TCP RoboHack <woods@???>
Planix, Inc. <woods@???> Secrets of the Weird <woods@???>
