Date: Mon, 06 Sep 2004 13:42:22 -0600
From: Jawaid Bazyar
1) Domains spammers own will quickly become blacklisted.
Spammers will be forced to purchase register tons of
domains in order to continue spamming. However their
Or use SPF-less domains.
2) Pressure will quickly mount on domains that don't
facilitate authentication, with the effect snowballing
over time. This will ensure system-wide adoption of close
to 100% fairly quickly.
There's a spark of optimism buried deep inside me that really
wants to believe that. SAV has made me more cynical. :-/
There's something else you're not granting here, however.
Once the domains that are commonly used for forged headers
get "protected" with an authentication mechanism, I as a
system administrator no longer have to spend excessive time
and effort trying to distinguish between spam with that
domain name and legitimate email with that domain name.
Agreed entirely; IIRC, I think I said something similar a few
weeks back. SPF is a useful data point -- we use ~19 RBLs as
data inputs, and no one can authoritatively nail email as spam.
Even if "SPF pass" is totally useless, I'd be surprised if "SPF
fail" didn't indicate a high probability of spam.
Instead of lookups on numerous RBLs and numerous other CPU
and network-intensive checks, I can simply trust email from
aol.com, msn.com, hotmail.com, yahoo.com - and these comprise
enough of my email load that I will get an instant resource
utilization benefit from knowing that email from @yahoo.com
is really from @yahoo.com and short-circuiting all the spam
checks I usually do.
Very good point. No disagreement here. However, I didn't like
the article's overgeneralized "News flash! whitelisting all 'SPF
pass' entries will let spam by!" attitude. Anyone whitelisting
mail that has a valid SPF entry is nuts.
Thus even if authentication should never become 100% and even
if it doesn't stop spam, I still get a net benefit.
Definitely. It's increased information... not enough for
"perfect" decisions, but enough for "better" decisions.