[ Date Index ][
Thread Index ]
[ <= Previous by date /
thread ]
[ Next by date /
thread => ]
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Adrian Midgley wrote: | On Friday 09 July 2004 17:51, alan wrote: | | |>Unfortunately, as most of the spam is automated, and virus driven | | | and spoofs its "from" line... | | When I get at my DNS records I shall put an SPF record in (spf.pobox.com) and | when I understand Postfix more fully I shall start checking for SPF records.
Why not just sign all your emails - all the end user benefits (they know it is from you can can discard the other emails claiming to be from you) and none of the drawbacks of SPF.
SPF was invented by email administrators of big email systems to solve the problems of email administrators of big email systems, and it is at best a half baked solution for that. This is why Wietse isn't that concerned about SPF support in Postfix (I think it is around now but it was and will remain a low priority). Indeed none of the big three Eric, Wietse or Dan seemed terribly enamoured with SPF last time I checked.
The real problem here is insecure machines on the Internet, almost universally running software from one company in Redmond. If they aren't being used to send spam it will be some equally obnoxious activity - you can already rent a DDoS attack. My guess if SPF is deployed more widely many of these machines will be brute forcing SMTP-Auth passwords :(
Similarly why on earth do I still get emails from financial institutions on the Internet that aren't signed?
SPF transfers work from 1 to 3. It doesn't solve the spam problem, and it only partially address impersonation (unlike signing emails which addresses this one properly).
But spam isn't a huge cost in hardware email resources - typically a lot of it is quickly rejected or deleted. And the marginal cost of email is small. Indeed antispam solutions are often more costly than the spam in terms of equipment resources. For ISPs with both email and web, smtp is usually a small amount of bandwidth compared to http.
Where as 3 is expensive. For the time cost of implementing SPF at a small ISP - enable SMTP auth, educate users about SMTP Auth, update DNS, update email servers, manage passwords.... you can probably upgrade the email server hardware - which means an order of magnitude more email can be handled.
Since SPF doesn't actually address the spam problem, it doesn't reduce (2) significantly at least not until you switch on the "don't accept email from non-SPF users" or those advertising all addresses (like AOL was at one point - may still do) and that isn't happening anytime soon. -----BEGIN PGP SIGNATURE----- Comment: Using GnuPG with Debian - http://enigmail.mozdev.org
iD8DBQFA7tr1GFXfHI9FVgYRAsruAJ9BP9+axg2mnt+RF+PpUsim8Xw0RACdF6Kd UfDJ1HXf+54k0swDz3+hpGs= =8Yeb -----END PGP SIGNATURE-----
-- The Mailing List for the Devon & Cornwall LUG Mail majordomo@xxxxxxxxxxxx with "unsubscribe list" in the message body to unsubscribe.