SPF RRType

Brad Knowles brad at stop.mail-abuse.org
Fri Aug 12 08:33:57 UTC 2005


At 8:39 PM -0400 2005-08-11, Barry Margolin wrote:

>  Isn't it the case that close to that percentage of *all* e-mail is spam?
>  So there's nothing really that special about e-mail from SPF-enabled
>  domains.

	I've seen estimates that anywhere from 50-90% of all e-mail is 
now spam.  I haven't seen those numbers myself, but the percentage is 
pretty high.

>  SPF clearly has been misunderstood as an anti-spam mechanism.  What it
>  *is* (when it's applicable) is an anti-forgery mechanism.

	Correct.  One key problem is that many people confuse these 
issues.  Another key problem is that you are reliant on others to 
properly implement their anti-forgery detection/elimination methods, 
in order for the mechanism to work.  In this case, many people 
implement the mechanisms incorrectly.


	Imagine if most "fake bill detectors" worked by comparing the 
image of the bill to an old one they had stored in memory.  Any new 
bill that they came across would be marked as a forgery, regardless 
of whether it was forged or not.  And most forged bills that looked 
like the old ones they have in memory would be marked as legitimate.

	The result would be a pretty bad "fake bill detector".  Well, SPF 
is a pretty bad anti-forgery mechanism.


	Any anti-spam or anti-forgery mechanism that you try to apply 
which requires correct implementation on the remote end in order to 
function properly is doomed to failure -- unless there is some way 
you can guarantee that all implementations will be correct.

	Ask the NANOG people about BCP38, and why virtually no one 
bothers to implement it, even after all these years.

>                                                            The type of
>  spam this would be most useful in protecting against is phishing scams,
>  since the phishers would be unable to forge @paypal.com and @ebay.com
>  addresses.

	Don't forget Joe-Jobs.  But again, that's only if the mechanism works.

>              However, if I understand how SPF is normally implemented, it
>  only checks the envelope sender, not the From: line in the header, which
>  is what users normally see and depend on.

	That's another problem, yes.

-- 
Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

   SAGE member since 1995.  See <http://www.sage.org/> for more info.
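
The envelope-sender point raised in the thread above, as an added example that is not part of the original post: a receiver-side check that evaluates SPF for the envelope sender and separately reports whether the visible From: header is in the same domain. The domains, addresses and SPF records are constructed, the record table stands in for DNS TXT lookups, and only the `ip4` and `all` mechanisms are evaluated (a subset of SPF).

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed SPF records, standing in for DNS TXT lookups (no network access).
SPF_RECORDS = {
    "bulk.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "bank.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

def domain_of(address):
    """Return the lower-cased domain part of an e-mail address."""
    return parseaddr(address)[1].rpartition("@")[2].lower()

def spf_result(domain, client_ip, records=SPF_RECORDS):
    """Evaluate only the ip4 and all mechanisms of an SPF record."""
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in qualifiers:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return qualifiers[qualifier]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return qualifiers[qualifier]
    return "neutral"  # no mechanism matched

def assess(envelope_from, raw_message, client_ip):
    """SPF verdict for the envelope sender, plus whether From: shares its domain."""
    header_from = message_from_string(raw_message)["From"]
    env_domain, hdr_domain = domain_of(envelope_from), domain_of(header_from)
    return {
        "spf": spf_result(env_domain, client_ip),
        "envelope_domain": env_domain,
        "header_from_domain": hdr_domain,
        "aligned": env_domain == hdr_domain,
    }

# Constructed message: envelope sender and visible From: are in different domains.
SAMPLE = "From: Accounts <accounts@bank.example>\nSubject: notice\n\nbody\n"

if __name__ == "__main__":
    print(assess("bounce@bulk.example", SAMPLE, "203.0.113.7"))
```

An SPF "pass" here describes only the envelope domain; the `aligned` flag is what tells the receiver whether that verdict says anything about the address the user sees.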


