On Sun, Mar 21, 2004 at 07:19:24PM +0000, David Woodhouse wrote:
> Actually I don't care about that. If my address was faked as a sender
> address, and a bounce is created by one of these broken servers, then my
> machines reject it. Unless, that is, one of the time-limited,
> hash-signed addresses is used by the spammer as the reverse-path. Which
> is unlikely.
>
> But I don't claim that this is _useful_. I'm pointing out that my
> solution is at least as useful as SPF, and hence we don't need to accept
> the breakage of SPF -- whether we think SPF actually buys us anything or
> not.
When SpamAssassin first started to become popular, I remember hearing
similar prophecies about the end of the SMTP world.
"OH MY GOD! ALL MY MAIL COULD BOUNCE!"
Looks like we got over it.
SPF does FAR more than just verify the sender's address. It prevents
mail being accepted where the relay machine is not an authorized
outbound relay. *THIS* stops a significant amount of spam in itself.
Yes, probably only a matter of time before this is worked around through
some of the obvious ways, but I hope this will come after the critical
mass of administrators have adopted SPF. At that point, I will be
rejecting all mail whose env-from domain does not have an SPF record.
--
Avleen Vig
Systems Administrator
Doing virtual domain hosting with Exim?
Check out Virtual Exim: http://silverwraith.com/vexim
(Click the banner, support development..)