>>> From: Marc Perkel [mailto:m...@perkel.com]
>>> Sent: Thursday, February 25, 2010 12:30 PM
>>> To: ram
>>> Cc: users@spamassassin.apache.org
>>> Subject: Re: Off Topic - SPF - What a Disaster
>>> ram wrote:
>>> On Tue, 2010-02-23 at 18:33 -0800, Marc Perkel wrote:
>> Jeff Koch wrote:
>>
>> In an effort to reduce spam further we tried implementing SPF
>> enforcement. Within three days we turned it off. What we found was
>> that:
>>
>> - domain owners are allowing SPF records to be added to their zone
>>   files without understanding the implications or that are just not
>>   correct
>> - domain owners and their employees regularly send email from
>>   mailservers that violate their SPF.
>> - our customers were unable to receive email from important business
>>   contacts
>> - our customers were unable to understand why we would be enforcing a
>>   system that prevented them from getting important email.
>> - our customers couldn't understand what SPF does.
>> - our customers could not explain SPF to their business contacts who
>>   would have had to contact their IT people to correct the SPF
>>   records.
>>
>> Our assessment is that SPF is a good idea but pretty much unworkable
>> for an ISP/host without a major education program which we neither
>> have the time or money to do. Since we like our customers and they
>> pay the bills it is now a dead issue.
>>
>> Any other experiences? I love to hear.
>>
>> Best Regards,
>> Jeff Koch, Intersessions
>>>
>>> I agree. I've been in the spam filtering business for many years and
>>> have yet to find any use for SPF at all. It's disturbing this useless
>>> technology is getting the false positive support we are seeing.
>>>
>>> Marc, This is just to repeat the cliche. SPF was not designed to help
>>> *you* in *spam filtering*. This was designed to help legitimate
>>> senders send mails.
>>>
>>> However as much as you, unreasonably, dislike it .. SPF adoption is
>>> on the rise. Two years ago most banks in India had no SPF records.
>>> Today almost every bank here publishes a SPF record. And that helps.
>>> For eg I use SPF checks to whitelist all local banks mail.
>>> Conversely, I have a custom rule that says if the header-from
>>> contains $popularbank.com and mail did not SPF pass add a score of
>>> 3.0. Phishers can use whatever envelope from they want. But if they
>>> put the banks domain in the header-from the mail will be caught as
>>> spam. I know there are ways to get around this rule too but in
>>> practical life this has been real effective against phishing.
>>>
>>> IMHO most of the anti-SPF bandwagon is more due ego issues than
>>> technical.
>>>
>>> The anti-SPF bandwagon is not ego driven but results driven. Thank you
>>> for admitting that SPF is not a spam filtering solution. However it
>>> is also not a white listing solution because as many people have said
>>> here - spammers are the ones who are using SPF correctly. I can see
>>> some theoretical benefits that if you have a list of banks with SPF
>>> and you receive an email from an address that the bank lists then you
>>> can safely pass it. But I find that an easier way to do that is to
>>> use FCrDNS to do the same thing.
>>>
>>> On the down side SPF breaks email forwarding and it creates a false
>>> sense that people are doing something to fight spam or protect ham
>>> that is not supported by reality. SPF has received intellectual
>>> welfare because stuff that doesn't work tends to be culled out of
>>> spam assassin and other than backscatter most people here are telling
>>> the SPF supporters that it doesn't work. If SPF is becoming more
>>> popular it just means that more people are misled.

So then SRS doesn't work for forwarding systems? I ask because I am not a
forwarding service and, as I only handle corporate mail systems, do not
give access to arbitrary forwarding to the mail users so we do not have
tons of (external) forwarding going on. Since SPF and SRS are like legs on
the same body I will assume trying to walk with one leg produces results
similar to a forwarding service using SPF without SRS.

I personally would love it if comcast would list all of their valid
outbound mail hosts and hard fail all others, same with aol, yahoo, gmail,
etc. Seems to me if you are going to push email all over hell's half acre
it behooves you to use any and all tools available to take responsibility
for those mails and SPF is one of several tools that can do that, at least
to some extent. If there would have been some kind of total commitment to
spam 10 years ago we would not be where we are today and Spamassassin (as
it is) would not be quite so necessary.

(My apologies for the pathetic attempt at manually reformatting the
original html post)

>>> I am open to and interested in anything that actually works and not
>>> interested in anything that doesn't actually work. I'm hoping that
>>> actually works becomes the standard. I have had a lot of ideas myself
>>> that I thought would be great but after I tried it I found out that
>>> it didn't actually work. So I had to give up on that. I really think
>>> it's time that the SPF promoters either show something that works or
>>> give it up.
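
The custom rule ram describes in the quoted text (header-from in the bank's domain, no SPF pass, add 3.0), sketched as an added example that is not code from any poster in this thread. The domain `popularbank.example`, the sample messages and the reliance on a `Received-SPF` header stamped by the receiving MTA are assumptions; the domain is matched exactly or as a parent domain rather than by substring, so a look-alike name is not treated as the bank.

```python
import email
from email.utils import parseaddr

# Assumption: placeholder for the bank domains the filter operator protects.
BANK_DOMAINS = {"popularbank.example"}
SCORE = 3.0  # the score quoted in the thread


def header_from_domain(msg):
    """Domain of the visible From: header (not the envelope sender)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower().rstrip(".")


def spf_result(msg):
    """Result keyword of the topmost Received-SPF header, or 'none'.

    Assumption: the receiving MTA prepends this header, so the first
    occurrence is the locally computed result, not one the sender supplied.
    """
    value = msg.get("Received-SPF", "").strip()
    return value.split()[0].lower() if value else "none"


def is_bank_domain(domain):
    return any(domain == d or domain.endswith("." + d) for d in BANK_DOMAINS)


def bank_spoof_score(raw_message):
    """3.0 when From: claims a bank domain and SPF did not pass, else 0.0."""
    msg = email.message_from_string(raw_message)
    if is_bank_domain(header_from_domain(msg)) and spf_result(msg) != "pass":
        return SCORE
    return 0.0


# Constructed sample messages (not real mail).
def sample(from_hdr, spf=None):
    spf_line = f"Received-SPF: {spf} (constructed sample)\n" if spf else ""
    return f"{spf_line}From: {from_hdr}\nSubject: Your statement\n\nbody\n"


GENUINE = sample("PopularBank <alerts@mail.popularbank.example>", "Pass")
SPOOFED = sample("PopularBank <alerts@popularbank.example>", "softfail")
UNCHECKED = sample("PopularBank <alerts@popularbank.example>")
LOOKALIKE = sample("PopularBank <alerts@notpopularbank.example>", "fail")
UNRELATED = sample("Someone <user@other.example>", "fail")
```

The rule keys on the header From: while SPF itself evaluates the envelope sender, which is why the result is read from what the receiving server recorded rather than recomputed from the visible address.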