SPF and spam (was: spam filters)

Paul Iadonisi pri.lugofnh at iadonisi.to
Wed May 19 13:25:01 EDT 2004


On Mon, 2004-05-17 at 23:56, bscott at ntisys.com wrote:
> On Sun, 16 May 2004, at 5:41pm, sconce at in-spec-inc.com wrote:
> > 2.  SPF.  This seems to be promoted as something we should really want -
> > tightening the loose SMTP rules which permit spammers to pretend to be
> > sending from arbitrary addresses (including yours).
> 
>   Background information (for the list): SPF = Sender Policy Framework.  
> Quite simply, it lets a domain owner publish information on which hosts(s)
> are allowed to send mail claiming to be from that domain.  For example,
> Yahoo can specify that only their mail servers can originate mail claiming
> to be from <@yahoo.com>.  Since most spam forges the "From" address, this
> helps.

[snip pros-and-cons of SPF]

  There is one other problem with SPF, albeit, not unsolvable.  And that
it is that it breaks forwarding.  The solution that has been proposed is
called Sender Rewriting Scheme (SRS) which has attracted a lot of
criticism for it's complexity and the chance that if it is implemented
incorrectly, you allegedly could become a (temporary) open relay.  I
believe it's a lot like VERP, as it need not be limited to only
rewriting forward SMTP envelope senders.  It can be implemented to
rewrite headers of ALL outgoing email.
  Also, from what I've been seeing on spam and MTA mailing lists and
newsgroups, some of the core developers of both sendmail and postfix are
adamantly opposed to SPF.  Wietse Venema will even kick you off the
postfix mailing list if you so much as bring it up.  I don't have full
details, so I'm not sure what his reasoning is (it might just be because
it's off-topic and generates long, flaming threads-of-hell...I don't
know).  Claus Aßmann (sendmail), has referred to SPF as 'breaking' SMTP.
  There seem to be a few diehards that don't want to change anything. 
At least on the SPF list itself, those who oppose the current specs are
trying to come up with better solutions.  Other than Claus and Wietse, I
don't know the names of many of the other FOSS MTAs, so I'm not sure,
but I get the impression that those developers are not participating in
the discussion about what to do to make SMTP more accountable.  It's
sad, really.  SMTP is, frankly, broken.  SPF+SRS is one attempt to try
and fix some of the problems. 
  To be clear, I'm a proponent of SPF+SRS (you'll notice a Received-SPF:
header in this email...that's broken, I need to disable it for outgoing
mail, somehow).  But as Ben indicated, it is only one weapon in the
arsenal in the battle against spam.  Spammers will adapt, but I do
believe that SPF+SRS will at least make them easier to spot.
--
-Paul Iadonisi
 Senior System Administrator
 Red Hat Certified Engineer / Local Linux Lobbyist
 Ever see a penguin fly?  --  Try Linux.
 GPL all the way: Sell services, don't lease secrets





More information about the gnhlug-discuss mailing list