On Sat, Jul 03, 2004 at 09:46:20AM -0500, David Phillips wrote:
> Besides, it's irrelevant who wrote those pages. The information is correct.

It was clearly biased, the author was telling us why we shouldn't be trying
to use a fork to eat cereal, when nobody was trying to eat cereal to begin with.

> If that's really true, then you are in a weird 0.001% category. Almost all
> spam is sent using custom mailers designed for sending spam.

Spam does not land in my mailbox; messages returned by qmail, misconfigured
postfix, old IIS servers, and a few specialized setups due to an accept *,
reject later policy means that I get a daily bombardment of rejects from
remote hosts due to my address being spoofed in everything from 'XXXX STOCK
IS ON THE RISE' to virus emails.

SPF is not meant to be a spam killer, it's meant to reduce the effectiveness
of third party relays (compromised windows boxes, open relays, etc), i.e.,
forged email. Servers with SPF turned on would immediately recognize that
poptix.net does not send mail from *.comcast.net, *.verizon.net, or any other
large pool of infected windows machines. This stops _whatever_ is inbound
immediately and saves me the headache.

No, I won't be outright rejecting based on SPF, but it will be contributing
(greatly) to the score spamassassin assigns to inbound messages. Where it
would really help _me_ is on those qmail systems, although if they cannot be
bothered to upgrade to a decent smtp server (or at least use third-party
patches on their current one) they're not going to implement anything like
SPF.

Regarding some select bits of
http://homepages.tesco.net/~J.deBoynePollard/FGA/smtp-spf-is-harmful.html:

<quote>(numbers added)
Some of the flaws in SPF

The flaws in SPF are numerous and severalfold.

1) * SPF breaks pre-delivery forwarding.
2) * SPF hijacks existing DNS mechanisms.
3) * SPF gives ISPs a "lock-in" weapon against their customers.
4) * SPF is useless for several entire classes of people.
5) * SPF relies upon DNS for security, but DNS isn't a security service.
6) * SPF is vulnerable to race conditions during database changes.
7) * SPF creates new categories of third class citizenship.
8) * SPF doesn't actually address unsolicited bulk mail at all.
9) * SPF hands Verisign its next unwelcome "innovation" on a platter.
</quote>

1) There is no reason for mail, once it leaves my mail server, to travel
   through any other servers that are not on the MX list for the destination
   domain.

2) Boohoo, I had to take the funny comment out of the IN TXT record for
   poptix.net

3) It doesn't, if you're using isp.com's email address, you should be using
   isp.com's mail server, this is what SMTP AUTH, pop before auth, etc. are
   for.

4) There are no cure-all solutions

5) DNS spoofing is a thing of the past, spammers registering domains to send
   mail from is handled by other mechanisms, and provides a more direct link
   back to the spammer.

6) Nobody said that changes would be instantaneous, if someone, somehow,
   breaks into your authorized mail server and starts spamming, you have
   bigger problems.

7) Rejecting mail from people who choose to relay mail through unauthorized
   servers is fine with me. If they cannot be bothered to use the proper mail
   server they can assume the risk of having their mail rejected.

8) No kidding, that's not the explicit intention. Furthermore, the bulk of
   windows worms and viruses spewing out mail forge the mail as being from a
   different person -- exactly what SPF attempts to deal with.

9) Many things are vulnerable to verisign mucking around with the DNS
   infrastructure, would you reject HTTP/1.1 based on the fact that verisign
   can break it?

The troll food is poisoned, eat all you like.

-- 
Matthew S. Hallacy
FUBAR, LART, BOFH Certified
http://www.poptix.net
GPG public key 0x01938203

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list