Re: [Exim] Is SPF for me?

Author: Exim User's Mailing List
Date:  
To: Andreas Steinmetz
CC: Exim User's Mailing List
Subject: Re: [Exim] Is SPF for me?
[ On Sunday, April 25, 2004 at 19:59:43 (+0200), Andreas Steinmetz wrote: ]
> Subject: Re: [Exim] Is SPF for me?
>
> As long as you don't get constantly Joe Jobbed.


SPF cannot possibly ever stop backscatter.

There are _millions_ of legitimate production mail servers out there
_right_now_ and the vast majority of them will _never_ever_ implement
SPF checking, so they'll send you backscatter regardless of whether you
publish any SPF crap or not.

SPF is based on entirely false assumptions and its promoters continue to
use misconceptions surrounding it to mislead folks, and sometimes even
outright lie, about what it can do.

SPF also cannot stop spam/UCE/etc. and thankfully its promoters normally
avoid trying to suggest that it can, though unfortunately many people
are mistakenly led into having the impression that it is about
reducing spam. There are tens of millions of domains that will never
publish SPF records in their DNS and thus there is no chance of ever using SPF to
force any of the shady spammers to use their own proper domain name on
the sender address of their UCE.

Even if a few large sites were to only accept mail from senders with
valid SPF records for their sender address domain the only effect would
be for most folks who need to send to such sites to publish wildcard SPF
records; and spammers would just continue to register throw-away domains
so that they could do the same.

SPF provides no usable form of authentication and thus cannot provide
any legitimate form of authorisation.

The SMTP envelope sender address is _nothing_ more than the address to
which notices about delivery failures should be sent. It does not
securely identify the sender's domain any more than it securely
identifies the sender.

Also, for the case being discussed right now SPF cannot even be used to
control which SMTP clients may use the domain in a sender address since
for this particular domain there is no relationship between sender
address and sending server _by_definition_.


The only thing that'll reduce backscatter to a dull roar would be to
repair or re-configure the majority of MTAs that currently generate it
so that they would reject SMTP transactions for invalid recipients and
unwanted messages instead of having to generate bounces for them. I have
the IP addresses of well over 300,000 mailers that currently generate
backscatter every day and I can send them to you if you've got the time
and energy to chase them down and get them fixed. Sadly there are all
too many Exim mailers on that list for no good reasons at all.

Even if the software vendors of the majority of those over 300,000
broken MTAs (i.e. Micro$oft :-) were to implement SPF checking in future
releases of their MTA products the vendor(s) would never turn it on by
default and the majority of their users could not be convinced to turn
it on any more than they can be convinced to upgrade their software in
the first place. I'm normally an optimist by nature and these are
simple facts based on real life observations, not pessimistic
predictions.

--
                        Greg A. Woods


+1 416 218-0098                  VE3TCP            RoboHack <woods@???>
Planix, Inc. <woods@???>          Secrets of the Weird <woods@???>
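The fix the message above argues for, rejecting invalid recipients during the SMTP transaction rather than accepting and bouncing later, as an added Exim ACL fragment (example configuration, not code from this message or from the Exim project). The domain names and the contrast snippet are constructed; the fragment assumes the usual local-delivery routers exist and that a router (e.g. manualroute) routes the relay domain to its backend host so the callout has somewhere to ask.

```exim
# Added illustration, not from the original message: refuse unknown
# recipients at RCPT time so this MTA never accepts mail it would later
# have to bounce. Domain names are constructed.
domainlist local_domains    = example.com
domainlist relay_to_domains = mx-customer.example.net

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Backscatter-generating form (shown only for contrast):
  #   accept domains = +relay_to_domains
  # accepts every local part for the secondary domain and leaves the
  # "unknown user" bounce to be generated after the sender has gone.

  # Local domains: refuse local parts that no router can deliver.
  deny    message = unknown user
          domains = +local_domains
          !verify = recipient

  # Domains we relay for: ask the backend at RCPT time whether the
  # address exists. If the callout defers, Exim returns a 4xx so the
  # sending MTA retries, instead of us accepting blindly and bouncing.
  deny    message = unknown user
          domains = +relay_to_domains
          !verify = recipient/callout=30s

  accept  domains = +local_domains : +relay_to_domains

  # Anything else is a relay attempt; reject it in-session too.
  deny    message = relay not permitted
```

The callout only helps if the backend host itself rejects unknown users at RCPT time; a backend that accepts everything simply moves the bounce one hop further on.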