On Wed, 2005-05-18 at 16:08 +0200, Andre Oppermann wrote:
> Juerg Reimann wrote:
> >
> > To whom it may concern...
> >
> > I've run a little test whether Swiss ISPs use SPF or not and it turned out
> > that very few have actually implemented it (actually, I found not a single
> > one). Is there a reason for that? It's a very simple implementation and it
> > could prevent a lot of damage like the most recent one after Sober.Q.
>
> SPF is broken by design.

URL/ref/explanation/fulltext/elaborate?

It indeed does not stop spam, it does (partially) stop faking your source email domain, which could partially stop virus spreads, but that would require that a large (>75%) of the global is using it. No check somewhere -> does not work.

I personally would like to see every SMTP box checking that mails are signed per PGP, but that implies other problems too I guess... deployment is the first thing and that other thing called PKI seems to be a long long way on the road to oblivion too.

> > I would suggest ISPs should implement SPF quickly and talk to their
> > customers about it. (See http://spf.pobox.com/ for further information.)
>
> How about you start with your domain and your users first and then
> report back how it went and what problems you encountered? Lead us
> the way!

Well, there is an SPFv1 record on his domain:

    jworld.ch TXT "v=spf1 ip4:66.150.163.128/26 ip4:82.195.224.240 ~all"

But that ends in a ~all, thus basically the last Sober.Q runs (I assume he means that German propaganda crap of the last couple of days) would not have been 'stopped' because of the above. The "~all" would simply mean a softfail, thus the box will accept it, though maybe some spamcheck engine might choose to add some points to the spamscore because of it.

The point why I don't have SPF stuff on my domains is simple: IPv6 is not supported well enough, read: it is defined ambiguously and most likely the few boxes that have SPF checking installed won't understand the ip6 directive, thus when sending mail from a domain with the ip6 directive and -all, mail is most likely to end up in nothingness, which is not what one wants, and ~all is simply not adequate.

If the above concern would be gone, which will take quite some time, I might add it, as it would save getting my addy used to spam a large number of the ISPs who do check it. Getting those bounces is just a bit annoying even if they end up in the spam folder.

Greets,
 Jeroen
_______________________________________________ swinog mailing list [email protected] http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
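An added example, not part of the original message: a small evaluator for the ip4/ip6/all subset of SPF, run against the jworld.ch record quoted above, to show what a receiver computes for "~all" versus "-all" and what a checker that lacks the ip6 mechanism returns. The function name, the `supported` parameter, the "-all" variant, the ip6 record and all sender addresses are constructed for illustration; returning permerror for an unrecognised mechanism follows RFC 7208, not any particular 2005 implementation.

```python
import ipaddress

# Qualifier prefix -> SPF result; "+" is implied when no prefix is given.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
VERSIONS = {"ip4": 4, "ip6": 6}

# Record quoted in the message, plus two constructed variants.
RECORD = "v=spf1 ip4:66.150.163.128/26 ip4:82.195.224.240 ~all"
STRICT_RECORD = RECORD.replace("~all", "-all")   # constructed
IP6_RECORD = "v=spf1 ip6:2001:db8::/32 -all"     # constructed, documentation prefix


def check_spf(record, sender_ip, supported=("ip4", "ip6", "all")):
    """Evaluate the ip4/ip6/all terms of an SPF record for one sender IP.

    `supported` lists the mechanisms this (hypothetical) checker implements;
    dropping "ip6" models a checker that predates the ip6 mechanism.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                       # no SPF policy published
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term[1:] if term[0] in QUALIFIERS else term
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name not in supported:
            return "permerror"              # unknown mechanism aborts evaluation
        if name == "all":
            return QUALIFIERS[qualifier]    # catch-all: always matches
        try:
            net = ipaddress.ip_network(arg, strict=False)
        except ValueError:
            return "permerror"              # malformed or missing address
        # ip4 terms can only match IPv4 senders, ip6 terms only IPv6 senders.
        if net.version == VERSIONS[name] and ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"                        # nothing matched and no "all" term


if __name__ == "__main__":
    for rec, ip in [(RECORD, "66.150.163.130"), (RECORD, "192.0.2.1"),
                    (STRICT_RECORD, "192.0.2.1"), (IP6_RECORD, "2001:db8::25")]:
        print(rec, ip, "->", check_spf(rec, ip))
    print("legacy checker:", check_spf(IP6_RECORD, "2001:db8::25", ("ip4", "all")))
```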

