[NCLUG] spam help

Sean Reifschneider jafo at tummy.com
Sun Sep 10 01:47:04 MDT 2006


On Fri, Sep 08, 2006 at 05:17:51PM -0600, Jake Edge wrote:
>unfortunately, there are quite a number of technical problems with SPF 
>that render it largely useless, see, for instance:
>
>http://david.woodhou.se/why-not-spf.html

This link seems to be a few printed pages which say "It breaks forwarding".
It suggests Domain Keys or Cisco's equivalent as better alternatives.
However, these actually have, IMHO, WORSE problems than SPF:

   With SPF, I can allow our out-sourced accounting system to send e-mails
   from our domain by just finding out what IPs their mail server is on.
   With Domain Keys, I have to get them to either forward all mails
   claiming to be from us through our mail server, or get them to change
   their mail servers to use Domain Keys, and get them a key to use.
   Unlikely to happen anytime soon.

   Because there are two alternatives, it's unlikely for either of them to
   get significant uptake.  Apparently, they may be working on another
   standard, which is a combination of the two.



>http://bradknowles.typepad.com/considered_harmful/2004/05/spf.html

Brad makes a much better argument, not harping on the ANSI-standard
ANTI-SPF argument "breaks forwarding".  I think some of his premises are a
bit out of date.  For example, that most DNS servers are vulnerable to
DNS poisoning, since closing down most of the recursive servers to only
local clients.

As far as "more spam is sent using SPF than legitimate mail".  Since like
95% of e-mail is spam, there are probably a lot of things spammers are
doing that are more prominent than legitimate mail.  However, I went
through last week looking at places that use SPF, and it was hard to find
places that don't.  AOL, for example, uses SPF, which means that of the
legitimate e-mail sent, probably the majority uses SPF.

If Domain Keys starts getting uptake, I bet the spammers take it up as
well.

Brad Knowles seems to imply that SPF's only use with AOL is as a lock-in of
their users.  I think that kind of trivializes the fact that without SPF
I'd probably still have to be dealing with the fallout of 100,000 bounces
because some arsehole sends out e-mail claiming to be from yummy at tummy.com.

The point is that now they are using their own domains, instead of
hijacking domains of others.

A lot of these objections seem to come from people who don't use SPF.
I've been using SPF for several years, and it works.  I'm quite happy to
have a way to take control back for my domain.

I hoped to use Domain Keys instead of SPF, but Yahoo announced it WAY
before they had even completed a specification or sample implementation,
and eventually I just decided to stop waiting and use what was available.
That was SPF, and it works great.  It's light-weight, does not require
receiving the whole body of the message before returning the reject, and
I've had far fewer problems in practice with forwarding issues and the like
than I was expecting.

Sean
-- 
 If the code and the comments disagree, then both are probably wrong.
                 -- Norm Schryer
Sean Reifschneider, Member of Technical Staff <jafo at tummy.com>
tummy.com, ltd. - Linux Consulting since 1995: Ask me about High Availability
