[Hi Everybody!]

On Sun, Jan 28, 2007 at 12:12:50AM -0500, Tanner Lovelace wrote:
> > There are, however, two problems I see with [SMTP-Auth + something like SPF]
> >
> > 1. Forwarding domains.

Seconded. Every address I use is a forwarder, which made it really easy to move from Bellsouth to RR recently: just change the forwarders.

SPF defines 'SRS' to rewrite the sender address to get around this problem; however, every forwarder would have to do SRS for it to solve the problem. And it would not work with this Auth+SPF scheme: Is [EMAIL PROTECTED] really a forwarded message from a software giant with monopolistic tendencies, or is it a fake? Even if mx.spammer.example.com claims it received the 'forward' with proper auth?

I can't think of any way to authenticate the "Mail From" address without either (1) breaking forwarding, (2) requiring all mail servers implement something, or (3) requiring sender verify callouts of some sort. And even if we did find some solution, it wouldn't "cripple spammers" for the same reasons I mention below.

Also, to add to the list of problems with Auth+SPF as an anti-*spam* solution:

3. It does nothing about mail sent from spammer domains, or spammer accounts.

4. It does nothing about zombies who send using the compromised machine's credentials and smarthost, although it does give the smarthost a chance to see what's going on and more incentive to do something about it.
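The forwarding problem and the SRS workaround discussed in this message, as an added example that is not part of the original post: a simplified SPF check and an SRS0-style rewrite, run over a direct delivery, a plain forward, an SRS forward, and a fabricated "forward" from a spammer-controlled domain. The domains, networks, key and the `SPF` table are constructed, and the tag format is a simplification that does not interoperate with real SRS implementations.

```python
import base64, hashlib, hmac, ipaddress

# Constructed SPF data: networks each domain authorises to send its mail.
SPF = {"sender.example": "192.0.2.0/24",
       "forwarder.example": "198.51.100.0/24",
       "spammer.example": "203.0.113.0/24"}
SECRET = b"constructed-forwarder-key"   # known only to forwarder.example

def spf_pass(mail_from, client_ip):
    """Simplified SPF: is client_ip inside the MAIL FROM domain's network?"""
    net = SPF.get(mail_from.rsplit("@", 1)[1].lower())
    return bool(net) and ipaddress.ip_address(client_ip) in ipaddress.ip_network(net)

def _tag(secret, ts, domain, local):
    # Short keyed hash binding the original address to the forwarder's secret.
    msg = f"{ts}{domain}{local}".lower().encode()
    return base64.b64encode(hmac.new(secret, msg, hashlib.sha1).digest()).decode()[:4]

def srs_forward(mail_from, forwarder, secret, ts="AB"):
    """Rewrite MAIL FROM into the forwarder's domain (SRS0-style, simplified)."""
    local, domain = mail_from.rsplit("@", 1)
    return f"SRS0={_tag(secret, ts, domain, local)}={ts}={domain}={local}@{forwarder}"

def srs_reverse(addr, secret):
    """Undo the rewrite; only the holder of the secret can check the tag."""
    prefix, tag, ts, domain, local = addr.rsplit("@", 1)[0].split("=", 4)
    if prefix != "SRS0" or not hmac.compare_digest(tag, _tag(secret, ts, domain, local)):
        raise ValueError("SRS tag does not verify")
    return f"{local}@{domain}"

def demo():
    orig = "alice@sender.example"
    rewritten = srs_forward(orig, "forwarder.example", SECRET)
    # A spammer's host invents a "forward" of the same sender, with a made-up tag.
    fake = "SRS0=AAAA=AB=sender.example=alice@spammer.example"
    return {
        "direct": spf_pass(orig, "192.0.2.10"),               # sender's own host
        "plain_forward": spf_pass(orig, "198.51.100.7"),      # forwarder, no SRS
        "srs_forward": spf_pass(rewritten, "198.51.100.7"),   # forwarder with SRS
        "fake_forward": spf_pass(fake, "203.0.113.5"),        # spammer's own domain
        "bounce_target": srs_reverse(rewritten, SECRET),      # forwarder undoes it
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The final receiver gets an SPF pass for both `srs_forward` and `fake_forward`: it does not hold the forwarder's secret, so the original address embedded in the rewritten local part is unauthenticated from its point of view.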
