SPF RRType
Brad Knowles
brad at stop.mail-abuse.org
Fri Aug 12 08:33:57 UTC 2005
At 8:39 PM -0400 2005-08-11, Barry Margolin wrote:
> Isn't it the case that close to that percentage of *all* e-mail is spam?
> So there's nothing really that special about e-mail from SPF-enabled
> domains.
I've seen estimates that anywhere from 50-90% of all e-mail is
now spam. I haven't seen those numbers myself, but the percentage is
pretty high.
> SPF clearly has been misunderstood as an anti-spam mechanism. What it
> *is* (when it's applicable) is an anti-forgery mechanism.
Correct. One key problem is that many people confuse these
issues. Another key problem is that you are reliant on others to
properly implement their anti-forgery detection/elimination methods,
in order for the mechanism to work. In this case, many people
implement the mechanisms incorrectly.
Imagine if most "fake bill detectors" worked by comparing the
image of the bill to an old one they had stored in memory. Any new
bill that they came across would be marked as a forgery, regardless
of whether it was forged or not. And most forged bills that looked
like the old ones it has in memory would be marked as legitimate.
The result would be a pretty bad "fake bill detector". Well, SPF
is a pretty bad anti-forgery mechanism.
Any anti-spam or anti-forgery mechanism that you try to apply
which requires correct implementation on the remote end in order to
function properly, is doomed to failure -- unless there is some way
you can guarantee that all implementations will be correct.
Ask the NANOG people about BCP38, and why virtually no one
bothers to implement it, even after all these years.
> The type of
> spam this would be most useful in protecting against is phishing scams,
> since the phishers would be unable to forge @paypal.com and @ebay.com
> addresses.
Don't forget Joe-Jobs. But again, that's only if the mechanism works.
> However, if I understand how SPF is normally implemented, it
> only checks the envelope sender, not the From: line in the header, which
> is what users normally see and depend on.
That's another problem, yes.
--
Brad Knowles, <brad at stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
SAGE member since 1995. See <http://www.sage.org/> for more info.
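The envelope-versus-header point raised at the end of the message is easiest to see in code. The block below is an added illustration, not part of the original thread and not any list member's code. It is a deliberately small SPF evaluator (only the ip4/ip6, include and all mechanisms; no DNS, the records come from a constructed in-memory table, and all domains and addresses are constructed RFC 2606/5737 example values). It checks the SMTP envelope sender the way SPF is actually applied, and then, purely for contrast, runs the same check against the domain in the header From: that a user sees.

```python
"""Toy SPF check showing envelope MAIL FROM vs. header From: (added example)."""
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for live TXT lookups; in a real checker this is a DNS query.
SPF_RECORDS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "bulkmail.example": "v=spf1 ip4:198.51.100.0/24 include:_spf.isp.example ~all",
    "_spf.isp.example": "v=spf1 ip4:203.0.113.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Return the SPF result for `ip` claiming to send on behalf of `domain`.

    Only ip4/ip6, include and all are implemented; a, mx, ptr, exists and
    redirect produce permerror here rather than a wrong answer.
    """
    if depth > 10:  # include-loop guard, mirrors the spec's lookup limit
        return "permerror"
    record = SPF_RECORDS.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # A v4 address is never "in" a v6 network (and vice versa), so
            # mixed-family terms simply do not match.
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            if check_host(ip, arg, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"
    return "neutral"  # ran off the end of the record without a match


def domain_of(address):
    """Extract the lower-cased domain from a display-name/address string."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def evaluate_message(client_ip, mail_from, raw_message):
    """SPF as deployed (on MAIL FROM), plus the same check on header From: for contrast."""
    envelope_domain = domain_of(mail_from)
    header_domain = domain_of(message_from_string(raw_message)["From"])
    return {
        "envelope_domain": envelope_domain,
        "envelope_result": check_host(client_ip, envelope_domain),
        "header_domain": header_domain,
        "header_result": check_host(client_ip, header_domain),
        "aligned": envelope_domain == header_domain,
    }


# Constructed phishing message: the envelope sender is a domain the sender
# controls and has published a matching SPF record for, so SPF passes, while
# the header From: the recipient actually reads claims to be bank.example.
PHISH = (
    'From: "Bank Security" <security@bank.example>\n'
    "To: victim@mailbox.example\n"
    "Subject: Verify your account\n"
    "\n"
    "Please log in at the link below.\n"
)


def demo():
    """Sending host 198.51.100.25 with MAIL FROM bounces@bulkmail.example."""
    return evaluate_message("198.51.100.25", "bounces@bulkmail.example", PHISH)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run as-is, `demo()` reports `envelope_result: pass` and `header_result: fail` with `aligned: False`: the receiving side that only consults the envelope result accepts the message as "not forged", even though the domain shown to the user would have failed the very same test. That gap is exactly what the thread is describing; closing it later required tying the header From: domain to the envelope result (alignment), which SPF alone does not do.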