On Tue, Jan 27, 2004 at 08:15:05PM +0100, Fabian Wenk wrote:
> Hello Peter
>
> Peter Baumann wrote:
> > What do you think about this system here?
> > http://spf.pobox.com/
>
> It won't work. What if the spammer just registers a domain to only use
> for spamming, and configures IP ranges (worst case 0.0.0.0/0) for SPF
> which he is using to relay his mails out in the DNS for this domain?
SPF is not meant to stop spam but is in fact meant to only authenticate who the sender is. Any domain registered just for spam will quickly find its reputation trashed and will end up in DNSBLs quickly. Spammers will be forced to keep buying domains to cycle through and then discard forever. DNSBLs will start going by the nameservers used instead of the domains themselves, and this will put pressure on the registrars to terminate customers who regularly buy domains through them and then use the domains only for spam.

None of the above Good Things are possible whilst spammers can use any domain they choose in the email addresses they use.

> This could also be only IP ranges of other ISPs on which he uses machines
> with an open proxy or else hacked/backdoored boxes.

In this case the trojan will have to:

- work out the correct domain to use for the box it has been installed on
- check that domain's SPF records to see what IPs it can relay from
- try to find the mail relay within those IP ranges and then use it

All of that is possible, and does happen today, but it still raises the bar by making it harder, and it still results in the ISP concerned seeing their own customers send the spam, which means that other antispam measures like rate-limiting customers, forcing all customers through their own relays, etc. will be more effective.

It seems like some people want a single magic silver bullet that ends spam. I'm sorry to say that those expectations are unreasonable.

SPF does have limitations and problems, but the ones you have mentioned aren't the worst by far. For a real problem with SPF, think about how this will affect people who need to travel a lot and send email that has the domain of the company they work for. Also think about forwarding services where they receive mail for foo.org and must relay it on to the real email account of bar.org. Then read the SPF literature for how they suggest this is solved.
----------------------------------------------
Maillist-Archive: http://www.mail-archive.com/swinog%40swinog.ch/
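To make the two points in this exchange concrete (a throwaway domain publishing 0.0.0.0/0 authenticates every sender, and a forwarding service relaying bar.org mail from its own address fails bar.org's record), here is a small SPF evaluator added as an illustration; it is not code from the thread or from the SPF project. The records in SPF_RECORDS are constructed stand-ins for DNS TXT lookups, and only the ip4, ip6 and all mechanisms are handled.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (no network needed).
# These are invented example data for this illustration, not real zone contents.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    # The "worst case" from the thread: a throwaway domain authorising every IP.
    "throwaway.example": "v=spf1 ip4:0.0.0.0/0 -all",
    # bar.org only authorises its own outbound relay.
    "bar.org": "v=spf1 ip4:198.51.100.10 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, sender_ip: str, records=SPF_RECORDS) -> str:
    """Evaluate the ip4/ip6/all mechanisms of a v=spf1 record for sender_ip.

    Returns pass/fail/softfail/neutral, or "none" when the domain publishes
    no SPF record. Mechanisms are tested left to right; the first match wins.
    Unhandled mechanisms (a, mx, include, redirect) are skipped here.
    """
    record = records.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # an unqualified mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            return QUALIFIERS[qualifier]
        mech, _, arg = term.partition(":")
        if mech.lower() in ("ip4", "ip6") and arg:
            network = ipaddress.ip_network(arg, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no "all" term: default result


if __name__ == "__main__":
    # A forwarder at 203.0.113.50 (constructed) relays mail with a bar.org
    # sender: bar.org's record does not list it, so the check fails.
    print("forwarded bar.org mail:", check_spf("bar.org", "203.0.113.50"))
    print("throwaway domain, any IP:", check_spf("throwaway.example", "203.0.113.5"))
```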
