SPF on vger

Posted Jun 15, 2006 14:04 UTC (Thu) by pizza (subscriber, #46)
In reply to: SPF on vger by job
Parent article: SPF on vger

First, don't use the term 'spam', as it's so ambiguous ("unwanted e-mail") as to have no real meaning. Please use a more specific term; you want to deal with trojans or phishing mails differently than the latest Victoria's Secret catalog.

Oddly enough, the former two tend to rely heavily on forged SMTP envelopes, which is precisely what SPF is intended to deal with, and it accomplishes that fairly well. Does it break certain practices? Well, yes. But what its detractors fail to understand is that this is a trade-off that many, many willingly make, especially when it is their reputation and/or money on the line.

Don't forget that these problems exist because of the deficiencies of the original SMTP (and yes, DNS) systems.

"Requiring most of the world to participate" is actually a feature of the Internet -- the network is dumb; the end-points are smart. But it also makes change very hard to implement.

As such, the disruption from replacing the whole shebang will be far greater, even though everyone agrees that it's what really needs to be done. And that will certainly break many things that work now.

Incidentally, is there an "official" use for TXT records? "Arbitrary Binary Data up to 255 characters" sounds like there isn't, and a domain owner choosing to use that "arbitrary data" for purposes of reducing forged mail being sent under their domain certainly sounds like an appropriate use.

Using DNS TXT records is a cool idea because it doesn't require any new infrastructure, unlike, for example, using PGP signatures, which works well on an individual basis but otherwise scales terribly due to the necessity of establishing trust anonymously.


SPAM == Unsolicited bulk email. It's simple

Posted Jun 15, 2006 14:26 UTC (Thu) by dwheeler (subscriber, #1216)

I completely disagree. Spam has a simple and clear meaning: "Unsolicited bulk email"; it's sometimes called "UBE" instead. "Bulk" perhaps is a little ambiguous, but if you're sending out more than 1000 copies of an email, and the receivers didn't request it (e.g., by joining a mailing list), you are a spammer sending spam.

Some spam has trojans, or other nasty stuff. It's a good idea to protect against other kinds of malicious email. But usually the malicious email is ALSO spam. If we could get rid of spam, we'd greatly reduce any other kind of problem as well on email.

SPF on vger

Posted Jun 22, 2006 15:54 UTC (Thu) by forthy (guest, #1525)

I agree that SPF is not a good idea, but I support it (not just lip service), for two purposes:

  • it rids me of all those "security updates from Microsoft" before my virus checker gets to see them (since microsoft.com has an SPF record).
  • it adds up to the pain for using SMTP that it might help to overthrow it - especially when it is adopted.

I view SPF not as a solution to a specific problem, but as a nail in the coffin of SMTP, and I'm ready to adopt the next nail if I can find one.
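The check the comments above refer to (a receiving server comparing the connecting client's IP against the policy a domain publishes in a DNS TXT record), as an added example that is not part of any comment in this thread. The record, the addresses and the `evaluate_spf` name are constructed for illustration; only the `ip4`, `ip6` and `all` mechanisms are evaluated, and no DNS lookup is performed.

```python
import ipaddress

# Qualifier prefix -> SPF result name (RFC 7208).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample policy, as a domain owner might publish it in a TXT record.
SAMPLE_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"


def evaluate_spf(txt_record, client_ip):
    """Evaluate an SPF TXT record against the IP of the connecting SMTP client.

    Mechanisms that need further DNS lookups (include, a, mx, ...) and the
    redirect modifier make this sketch return "unsupported" instead of guessing.
    """
    terms = txt_record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                       # TXT data, but not an SPF policy
    ip = ipaddress.ip_address(client_ip)
    saw_redirect = False
    for term in terms[1:]:
        if "=" in term:                     # modifier such as redirect= or exp=
            saw_redirect |= term.lower().startswith("redirect=")
            continue
        # A missing qualifier means "+" (pass on match).
        qualifier, mechanism = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = mechanism.partition(":")
        name = name.lower()
        if name == "all":                   # matches every client; ends evaluation
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        return "unsupported"                # would require a DNS lookup
    # No mechanism matched: neutral, unless a redirect would have to be followed.
    return "unsupported" if saw_redirect else "neutral"


if __name__ == "__main__":
    # Constructed clients: one inside the published range, one outside it.
    for client in ("192.0.2.25", "198.51.100.7", "2001:db8::1"):
        print(client, evaluate_spf(SAMPLE_RECORD, client))
```

A `fail` result is what lets a receiver reject mail whose envelope sender claims a domain from an address that domain never listed.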

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds