Jeff McAdams on 21 Mar 2004 19:30:03 -0000
Malcolm J Harwood wrote:

> On Sunday 21 Mar 2004 12:59, Paul wrote:
>>> It would be SPF: http://spf.pobox.com/
>> From what I've read so far SPF will only be effective if a high
>> percentage of mail servers implement it. I know it's a start if, say,
>> everyone on this list implements SPF, but would that make much of a
>> difference? What will it really take to make SPF effective?
>
> Actually if aol, hotmail and yahoo implement the DNS side, that's 90% of the
> spam I see (as forged addresses from those domains are the most common). It
> won't have the same effect against virii and worms as those tend to be more
> widespread domain-wise.
>
> Given I heard some really obscene numbers for the amount of spam and worms the
> large ISPs deal with every day, I would think they would be very inclined to
> implement it. (I know AOL already ran one test, I don't know what happened
> with it though).

The problem with SPF is that it claims to prevent header "forging", but that's not really what it's doing. It does prevent header forging, but it does considerably more than that as well, and the "considerably more" is where the problems show up.

Part of the problem is defining "header forging". Clearly spam messages sent with a From: address of something at yahoo.com would be considered forged...but what about this email? The From: address on it is jeffm at iglou.com. But I'm currently using my laptop at my parents' house, through their cable modem connection. I'm sending this with my jeffm at iglou.com From: address because *I* am jeffm at iglou.com. But my laptop isn't on an iglou.com Internet connection at the moment. Now, in this case, it's not all that big of a deal because IgLou has considerable clue and provides SMTP AUTH based relaying, so this email will bounce off of IgLou's servers.

If IgLou didn't provide SMTP AUTH based mail relaying, however, and implemented strict SPF, then I would be unable to send email (assuming SPF were widely checked) with my jeffm at iglou.com address, even though it would be perfectly valid for me to do so. Given that I have recently had an exchange with someone who claims that SMTP AUTH based relaying capability is virtually unheard of for ISPs, and that IgLou is in the drastic minority because they do provide this (I don't know...it seems to me that not offering SMTP AUTH is rare, but I could certainly be wrong), it seems that strict SPF checking would then be quite problematic, as I would have to use the SMTP server of my parents' cable modem connection, and then the email would be rejected because it's not coming from an SMTP server that's in IgLou's SPF list.

The idea of SPF is that using a From: address of a domain when the email isn't coming from a mail server that that domain's administrator defines as valid is "forgery." But, for ISPs, they will either have to offer SMTP AUTH relaying, not implement strict SPF, or make the decision that their customers will only be able to send email when they are connected to that ISP's connectivity (that's a slight oversimplification, but not much); that last will not be a commercially pleasant alternative for ISPs to swallow.

Now, maybe it's reasonable to say that SPF is a good idea, *if* used in conjunction with SMTP AUTH, to allow relaying to authenticated senders. But I can't say that SPF is a good system to implement as a blanket statement.

Oh...and add to this that a number of ISPs are beginning to restrict outbound port 25 access, which also serves to make it harder for people to use SMTP AUTH'ed relaying to a "home" SMTP server (I know, the mail submission port, but that's not widely supported yet either), then you have yet another obstacle to considering SPF a reasonable solution to the problem.

-- 
Jeff McAdams
"He who laughs last, thinks slowest."
    -- anonymous
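The roaming-user case Jeff describes (same From: domain, two different sending paths) can be seen concretely with a small SPF check. The following is an added example written for this archive page; it is not code from the thread, from IgLou, or from the spf.pobox.com project. It implements only a subset of SPF (ip4, a, mx, include, all, with the +/-/~/? qualifiers) against a constructed in-memory zone table that stands in for DNS, and every domain and IP address in it (isp.example, softisp.example, 192.0.2.x, 203.0.113.77) is a placeholder, not a real record. It shows why a strict "-all" record rejects a customer's laptop on someone else's cable modem while accepting the same message relayed through the ISP's own SMTP AUTH host, and how a "~all" (softfail) record changes the receiver's decision.

```python
"""Minimal SPF evaluator (added example, not part of the original thread).

Constructed data only: ZONE stands in for DNS, and the domains and
addresses are placeholders rather than any ISP's real records.
"""
import ipaddress

# Constructed stand-in for DNS: SPF (TXT), A and MX records per name.
ZONE = {
    # Strict policy: only the ISP's MX hosts and its 192.0.2.0/24 block may send.
    "isp.example": {
        "spf": "v=spf1 mx ip4:192.0.2.0/24 -all",
        "mx": ["mail.isp.example"],
    },
    "mail.isp.example": {"a": ["192.0.2.25"]},
    # Lenient policy: same senders as isp.example, but unknown senders softfail.
    "softisp.example": {"spf": "v=spf1 include:isp.example ~all"},
}

RESULT_OF_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _ip_in(ip, network):
    """True if ip lies inside network (a bare address counts as a /32)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(network, strict=False)


def _a_records(name):
    return ZONE.get(name, {}).get("a", [])


def check_host(ip, domain, depth=0):
    """Evaluate the SPF record of `domain` for a connection from `ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:                       # guard against include: loops
        return "permerror"
    record = ZONE.get(domain, {}).get("spf")
    if record is None:
        return "none"                    # domain publishes no SPF at all
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in RESULT_OF_QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = _ip_in(ip, arg)
        elif name == "a":                # plain form only; no CIDR suffix support here
            matched = ip in _a_records(arg or domain)
        elif name == "mx":
            hosts = ZONE.get(arg or domain, {}).get("mx", [])
            matched = any(ip in _a_records(h) for h in hosts)
        elif name == "include":
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"           # unsupported mechanism in this subset
        if matched:
            return RESULT_OF_QUALIFIER[qualifier]
    return "neutral"                     # record exhausted without an "all" term


def receiver_decision(result):
    """A typical receiving-MTA policy: reject only a hard fail, flag a softfail."""
    if result == "fail":
        return "reject"
    if result == "softfail":
        return "accept-and-flag"
    return "accept"


def roaming_user_scenario(domain="isp.example"):
    """Jeff's situation: the same From: domain sent over two different paths."""
    laptop_on_cable_modem = "203.0.113.77"   # constructed: the parents' cable-modem IP
    isp_auth_relay = "192.0.2.25"            # constructed: the ISP's SMTP AUTH relay
    return {
        "direct_from_cable_modem": check_host(laptop_on_cable_modem, domain),
        "via_isp_smtp_auth_relay": check_host(isp_auth_relay, domain),
    }


if __name__ == "__main__":
    for dom in ("isp.example", "softisp.example"):
        for path, result in roaming_user_scenario(dom).items():
            print(f"{dom:18} {path:26} spf={result:9} -> {receiver_decision(result)}")
```

Run stand-alone, the script prints that the laptop sending directly from the cable modem gets "fail" (reject) under the strict record but only "softfail" (accept and flag) under the lenient one, while the same message relayed through the ISP's SMTP AUTH host passes in both cases. That is exactly the trade-off in the post: a domain that publishes "-all" must give its roaming customers an authenticated submission path, or those customers' legitimate mail is indistinguishable from forgery.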