JamesDR wrote:
John Rudd wrote:
JamesDR wrote:
SPF already does this....
poorly.
We need something that actually works.
Would you care to elaborate on why SPF doesn't work for sender
verification? It's pretty simple, doesn't get much more simple than what
SPF does... If SPF doesn't work, nothing will.
I can see why it works quite well...
I receive a message from relay W.X.Y.Z.res.isp.net (where w.x.y.z is the
ip address of the relay).
I want to know if this message is coming from a legitimate SOHO type
mail server, or a spambot (the relevant discussion here being spambots).
I look at the sender mail domain: foo.com.
I look up the SPF record for foo.com. It says: +all
So, I get an SPF-PASS, yet this SPF-PASS has done _nothing_ to help
solve the problem. It has, if anything, made the problem MUCH more
difficult to solve.
This doesn't stop the bot nets,
Uh.. I think, given the subject line, you've just argued against your
own assertion in this discussion.
SPF doesn't prove hamyness, but can prove spamyness.
In my above example, SPF did nothing useful. And, my example shows
exactly why SPF does not help at all with the spambot problem. If I'm a
spambot wrangler, I create a group of throw-away domains, put in SPF
records for them that say +all, and then send out my storm of spam.
Then I abandon those domains, and create a new batch of them for the
next go-round.
IMO, SPF is a liability when fighting spambots.
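
The +all case described above, as an added example that is not part of the original thread: a receiver-side check that treats an SPF pass as neutral when the sender domain's record authorizes essentially any host. The function names, the prefix thresholds and the sample records are assumptions made for illustration.

```python
import ipaddress

# Assumption: prefixes shorter than these cover so much address space that a
# pass says little about the sender (illustrative thresholds, not a standard).
MIN_V4_PREFIX = 8
MIN_V6_PREFIX = 16

def permissive_terms(record):
    """Return the terms of an SPF record that authorize (nearly) any host."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return []                      # not an SPF record
    found = []
    for term in terms[1:]:
        low = term.lower()
        if "=" in low.split(":", 1)[0]:
            continue                   # modifier such as redirect= or exp=
        qualifier = "+"                # RFC 7208: the default qualifier is "+"
        if low[0] in "+-~?":
            qualifier, low = low[0], low[1:]
        if low == "all":
            if qualifier == "+":
                found.append(term)
            break                      # nothing after "all" is evaluated
        if qualifier == "+" and low.startswith(("ip4:", "ip6:")):
            try:
                net = ipaddress.ip_network(low[4:], strict=False)
            except ValueError:
                continue               # malformed network, not judged here
            limit = MIN_V4_PREFIX if net.version == 4 else MIN_V6_PREFIX
            if net.prefixlen < limit:
                found.append(term)
    return found

def effective_result(spf_result, record):
    """Downgrade a 'pass' earned from a permissive record to 'neutral'."""
    if spf_result == "pass" and permissive_terms(record):
        return "neutral"
    return spf_result

if __name__ == "__main__":
    # Constructed sample records; foo.com is the domain used in the thread.
    samples = {"foo.com": "v=spf1 +all",
               "example.org": "v=spf1 ip4:192.0.2.0/24 -all"}
    for domain, rec in samples.items():
        print(domain, effective_result("pass", rec), permissive_terms(rec))
```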