Spammers Skirt IP Authentication Attempts

Paul Vixie paul at vix.com
Wed Sep 8 15:59:17 UTC 2004


> True, but bounces, and anything else with NULL return path, can be taken
> care of with SRS.

SRS is probably a higher pairwise deployment barrier than SPF.  but in any
case you should take this argument to the IETF MARID WG, since getting
agreement on nanog@ (assuming it's possible) won't stop the SPF steamroller.

> See:
>
>   http://www.libsrs2.org/
>   http://www.libsrs2.org/srs/srs.pdf
>   http://asarian-host.net/srs/sendmailsrs.htm
>
> And be happy, and realise "SPF is worthless" ;)

SRS looks like a better technical solution than SPF, but it's less deployable.
for one thing, There Can Be Only One SRS-like thing.  there are already many
SPF-like things, each with its own adherent-base, and there will be many more.

> Is it really worth it for every domain owner on the planet (including
> spammers!) to implement SPF records in DNS, and the resulting forwarding
> breakage, simply to provide some fairly intangible "dilution protection"
> for, primarily, the very small subset of widely-known domains out there?

no.  it's the same kind of cost/benefit asymmetry as spam, where everybody
has to pay a higher cost but only a few get a significant benefit from it.

however, beta was better than vhs, too.  and tully's is way Way better than
starbucks.  being better isn't as relevant as having better marketing.  with
microsoft backing SPF++ (is it "sender-id" now?), SPF will be widely deployed
and the costs and benefits be damned.

> > ...  i'm glad that companies bigger and richer than i am find it in
> > their own selfish best interests to push something like SPF -- that
> > means it'll happen.  ...
> 
> Well that depends. At the moment it looks like the clients will
> implement a standard that most of the servers will not!

i've begun to hear privacy related concerns, as well.  even with jim miller's
MAIL-FROM proposal, there's a way to look at the DNS query stream and find
out what servers are presently being spammed using your domain name as the
source.  this is an information leak but i'm willing to live with it.  many
MTA operators will not be willing to live with this.  (maybe some large ones.)

> > it's useful, just not for the advertised reasons, or a universal reason.
> 
> Ah, absolutely yes.

so, i'll take your "SPF is worthless!" statement under advisement.
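The SRS rewriting the thread refers to, as an added example that is not part of the original post or of libsrs2: a forwarder rewrites the envelope sender into an SRS0 address at its own domain (so the forwarded mail passes the next hop's SPF check and bounces come back to the forwarder), and on the return path it only unwraps addresses whose HMAC and timestamp check out. The secret, forwarder host, and 21-day window are constructed placeholders, and the hash input is a simplified version of the libsrs2 scheme.

```python
import base64
import hashlib
import hmac
import time

# Constructed placeholders; a real forwarder uses its own secret and host name.
SRS_SECRET = b"example-secret-change-me"
FORWARDER = "forwarder.example"
MAX_AGE_DAYS = 21  # assumption: how long a rewritten address stays bounceable
_B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

def _timestamp(day):
    # Two base32 characters encoding the day count modulo 1024 (the SRS "TT" field).
    day %= 1024
    return _B32[(day >> 5) & 31] + _B32[day & 31]

def _timestamp_days(ts):
    return (_B32.index(ts[0]) << 5) | _B32.index(ts[1])

def _hash(ts, host, local):
    # Four base64 chars of an HMAC over the fields; forging a return path needs the secret.
    mac = hmac.new(SRS_SECRET, (ts + host + local).lower().encode(), hashlib.sha1)
    return base64.b64encode(mac.digest())[:4].decode()

def srs_forward(sender, day=None):
    # Forward direction: user@example.org -> SRS0=HHHH=TT=example.org=user@forwarder.example
    day = int(time.time() // 86400) if day is None else day
    local, host = sender.rsplit("@", 1)
    ts = _timestamp(day)
    return f"SRS0={_hash(ts, host, local)}={ts}={host}={local}@{FORWARDER}"

def srs_reverse(addr, day=None):
    # Return path: give back the original sender, or None if forged, malformed or expired.
    day = int(time.time() // 86400) if day is None else day
    local, host = addr.rsplit("@", 1)
    if host.lower() != FORWARDER or not local.startswith("SRS0="):
        return None
    parts = local.split("=", 4)  # original local part may itself contain "="
    if len(parts) != 5:
        return None
    _, h, ts, orig_host, orig_local = parts
    ts = ts.upper()
    if len(ts) != 2 or any(c not in _B32 for c in ts):
        return None
    if not hmac.compare_digest(h, _hash(ts, orig_host, orig_local)):
        return None
    if (day - _timestamp_days(ts)) % 1024 > MAX_AGE_DAYS:
        return None
    return f"{orig_local}@{orig_host}"
```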
