Spam Admin wrote:
>> http://www.infoworld.com/article/04/08/31/HNspammerstudy_1.html
>
>> Did you read the end of the article? SPF prevents forgery, not spam.
>> It's still valuable even if spammers use it.
>
> Maybe I'm missing something obvious, but how does this differ from maintaining valid forward and reverse DNS entries?
>
> Let's assume I want to forge an email as coming from maila.microsoft.com. I create a Postfix system and give it that name, but I'm - of course - using a non-MS IP address (10.1.1.1, for argument's sake.) I try to connect to your system, and you note the IP address. You go to my ISP's reverse DNS records (which, not so coincidentally, happens to be under my control as well) and verify that I have a PTR correlating 10.1.1.1 to maila.microsoft.com. Then, you go to the DNS records of microsoft.com (which I do NOT have access to control) and see that according to Microsoft mail1.microsoft.com is actually 131.107.3.125. You note the discrepancy and - BAM! - you reject my connection.
>
> So here's where I don't understand the point of SPF. With the existing system it is impossible to fully forge my identity as being maila.microsoft.com; thus, if we use the DNS system as it was designed we can eliminate emails from forged SMTP servers. Then, once that's in place, we can then easily identify and blacklist those servers that are PROPERLY set up with forward and reverse DNS records but still send out spam. Without ANY additional designs or systems in place we've eliminated virtually all intentionally forged emails and have a flexible system that can rely on existing technology (e.g., SURBL, Razor) to scale going forward. The only risks we're left with are individuals using legitimate systems (AOL, Earthlink) to spam, and those can be shut down easily by their administrators (which is still a risk with SPF...)
>
> Like I said, maybe I just don't understand the proposed system or I'm missing something obvious...
>
> GA
Where SPF differs from PTR records is that it lists in DNS only those servers allowed to send email on behalf of that domain. That is much more restrictive than reverse DNS lookups.

Cheers,
Phil

----
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
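To make the distinction in Phil's reply concrete, here is an added example (not from either poster) that evaluates the two checks side by side over constructed DNS data: a forward-confirmed reverse DNS check as GA describes it, and a minimal SPF evaluator covering only the ip4 and all mechanisms. The zone contents, the 10.1.1.x addresses and example.net are assumptions; only 131.107.3.125 comes from the thread.

```python
import ipaddress

# Constructed DNS data for this example (no live lookups). 131.107.3.125 is
# the address quoted in the thread; 10.1.1.x, example.net and the zone
# contents are placeholders invented here.
DNS_TXT = {"microsoft.com": "v=spf1 ip4:131.107.3.0/24 -all",
           "example.net": "v=spf1 ip4:10.1.1.1 ~all"}
DNS_PTR = {"10.1.1.1": "mail.example.net",        # attacker's own, correct rDNS
           "10.1.1.2": "maila.microsoft.com",     # GA's forged PTR scenario
           "131.107.3.125": "mail1.microsoft.com"}
DNS_A = {"mail.example.net": "10.1.1.1",
         "mail1.microsoft.com": "131.107.3.125"}   # attacker cannot add entries here

def fcrdns_check(ip):
    """Forward-confirmed reverse DNS, the check GA proposes: the name in
    PTR(ip) must have an A record that points back at ip."""
    name = DNS_PTR.get(ip)
    return name is not None and DNS_A.get(name) == ip

def spf_check(ip, mail_from_domain):
    """Minimal SPF evaluator (subset of RFC 4408: 'ip4' with optional CIDR
    and 'all', each with a +/-/~/? qualifier; include/a/mx are omitted).
    Returns one of: pass, fail, softfail, neutral, none."""
    record = DNS_TXT.get(mail_from_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                       # domain publishes no policy
    addr = ipaddress.ip_address(ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in results:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return results[qualifier]
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return results[qualifier]
    return "neutral"                        # nothing matched and no 'all'

def evaluate(ip, mail_from_domain):
    """Both verdicts for one SMTP connection: (fcrdns ok?, spf result)."""
    return fcrdns_check(ip), spf_check(ip, mail_from_domain)

if __name__ == "__main__":
    # A host with perfectly valid forward/reverse DNS still fails SPF when it
    # claims MAIL FROM a domain that never authorized its address.
    print(evaluate("10.1.1.1", "microsoft.com"))       # (True, 'fail')
    print(evaluate("10.1.1.2", "microsoft.com"))       # (False, 'fail')
    print(evaluate("131.107.3.125", "microsoft.com"))  # (True, 'pass')
```

The second case is the forged-PTR scenario from the thread, which FCrDNS already catches; the first case is the one only SPF catches, because FCrDNS never binds the envelope sender domain to the connecting IP.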