SPF and spam (was: spam filters)

bscott at ntisys.com
Mon May 17 23:57:01 EDT 2004


On Sun, 16 May 2004, at 5:41pm, sconce at in-spec-inc.com wrote:
> 2.  SPF.  This seems to be promoted as something we should really want -
> tightening the loose SMTP rules which permit spammers to pretend to be
> sending from arbitrary addresses (including yours).

  Background information (for the list): SPF = Sender Policy Framework.  
Quite simply, it lets a domain owner publish information on which host(s)
are allowed to send mail claiming to be from that domain.  For example,
Yahoo can specify that only their mail servers can originate mail claiming
to be from <@yahoo.com>.  Since most spam forges the "From" address, this
helps.

  SPF is a great idea.  However, it is important to understand what SPF will
do, and what it won't do.  In particular, it cannot stop spam.  At most, it
will make spam accountable.  And I rather doubt it will do even that much.

  The first problem is that, for SPF to be really effective at stopping
spam, everybody has to use it.  For everybody to use it, everybody will need
to have clue.  And if everybody had clue, we wouldn't have a spam problem in
the first place.

  The second problem is that, even if everybody starts using SPF, there is
nothing keeping spammers from registering throw-away domains by the
truckload.  In this world, people routinely get away with murder,
gun-running, drug smuggling, etc.  I'm sure registering some domain names
with fake credentials will not be a problem.

  That being said, SPF will help fight the spam problem.  Specifically, it
will let operators create a subsection of the Internet where the worst of
the spam (which is also the bulk of the spam) is prevented.  If everybody
you want to receive mail from is using SPF, SPF will solve spam for you.

  Alas, many cannot exclude those who are not using SPF.  In particular,
businesses tend to want to receive mail from all their paying customers,
even the clueless ones.

  There is also the problem of legitimate businesses sending you spam to try
and get you to buy a legitimate product.  For example, you register your new
cordless screwdriver with Black & Decker, so now Black & Decker starts
sending you advertisements for more power tools.  This, however, is less of
a problem.  Legitimate businesses can be made to play by the rules.

-- 
Ben Scott <bscott at ntisys.com>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.              |