That much trouble?

Posted Sep 6, 2004 15:26 UTC (Mon) by khim (subscriber, #9252)
In reply to: That much trouble? by jamesh
Parent article: Debian rejects Sender ID

I do not ask you "is it forgery from the SPF point of view". I ask you "is it forgery or not". I know what SPF does. It's just that what SPF does is useless: it adds new hoops for "honest" people and adds very small protection against the type of forgery used by spammers.


That much trouble?

Posted Sep 6, 2004 18:10 UTC (Mon) by marble (subscriber, #2719) [Link]

You wouldn't say that when you're treated to thousands of bounces, hatemails
etc, cos some spammer has decided to send email from your address. This
happens, SPF offers a solution. SpamAssassin already does a fairly decent
job of filing spam away in the bit bucket so with widespread adoption of
SPF, I'd be happy. (Yes, it has happened to me.)

That much trouble?

Posted Sep 6, 2004 19:42 UTC (Mon) by paulj (subscriber, #341) [Link]

But you can protect against bounces with outbound-envelope-cookie schemes like SRS. Further, with SRS, you protect *yourself*; you don't rely on other people to check SPF first before sending a bounce to you.

Unlike SPF, outbound-cookies don't break the very common use of SMTP forwards.

SPF! It "authenticates" (cough) mail from my domain, Yay for SPF!

/me uninstalls gnupg

That much trouble?

Posted Sep 6, 2004 20:30 UTC (Mon) by rdowner (subscriber, #3960) [Link]

A few months ago I was "joe-jobbed". A spammer, for several weeks, was sending out spams forged to appear from my domain. The invalid email addresses were, of course, bounced back to *me* -- several hundred *a day*. If those mail servers processing the received mail support SPF (and if I had an SPF record on my domain), I would not have been bombarded with the "shrapnel" -- the receiving mail servers would have realised that it wasn't me sending the e-mail and would not have even accepted them for delivery. This would have saved me the problem of suddenly getting hundreds of messages in a short period of time, desperately reconfiguring my mail setup trying to stem the flow of bounces, and inevitably losing some of my valid mail in the process.

No, SPF will not solve the spam problem, cure all disease or bring about world peace. But it will solve *some* problems, such as the problem I've just described. There is money to be made in spam and there is no doubt that the professional spammers will find new ways to get the spam delivered. However, today, I believe there is value in SPF - it will stop a class of spam attack (assuming SPF is widely adopted). It doesn't add "hoops" for the vast majority of people, as ISPs will simply need to update their DNS records with info on their mail servers and their end users need take no action (it has been remarked that "mobile" users may have some issues but there are workable solutions to that too.)

regards,
Richard Downer
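
The SMTP-time check discussed in the comments above, as an added example that is not part of the original thread: a minimal SPF evaluator run against a constructed record for example.org. The record, the addresses (documentation ranges) and the reject-on-fail receiver policy are assumptions; the third demo case is the forwarding breakage raised earlier in the thread.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (documentation addresses, RFC 5737).
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/28 ip4:198.51.100.25 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, mail_from):
    """SPF result for the envelope sender's domain and the connecting IP.
    Only ip4, ip6 and all are handled; mechanisms needing DNS give permerror."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # domain publishes no policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            return "permerror"
    return "neutral"  # no mechanism matched


def smtp_decision(client_ip, mail_from):
    """Assumed receiver policy: refuse on fail during the SMTP session, so the
    message is never accepted and no bounce is sent to the forged sender."""
    result = check_spf(client_ip, mail_from)
    return ("550 rejected" if result == "fail" else "250 accepted"), result


if __name__ == "__main__":
    cases = [
        ("192.0.2.5", "domain's own mail server"),
        ("203.0.113.77", "forged sender from an unrelated host"),
        ("198.51.100.200", "forwarder relaying with unchanged envelope sender"),
    ]
    for ip, label in cases:
        print(label, ip, smtp_decision(ip, "user@example.org"))
```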

Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds