On Friday 09 July 2004 18:50, Simon Waters wrote: about SPF and signing emails
I'm on thin ice in disagreeing on technical things with Simon, but I have been reading the SPF discussion list for quite some time now and I'm not sure the view presented is right.
I also think that the damage that spam does to email is not directly related to workload, it is more to the reduction in actual use of email by people who find the marginal irritation of even a few spams to be considerable and lack technical resources personally or in a support department to deal with it.
Why not just sign all your emails - all the end user benefits (they know it is from you and can discard the other emails claiming to be from you) and none of the drawbacks of SPF.
Many of the people I exchange email with are insufficiently clued to handle signing, but that isn't what SPF is for.
The real problem here is insecure machines on the Internet, almost universally running software from one company in Redmond.
Of course.
SPF transfers work from 1 to 3.
Is that very much? I envisage setting up a rule that deletes unseen all email which claims to be from a domain which has implemented SPF and whose SPF record does not state that the machine from which the email came is one of that domain's email servers. The designers of eg pobox.com who rather than being just large email systems are large email systems that relay mail for many mobile users - their worst problem - will have to establish either SMTP AUTH, a good idea for mobile users I'd say, and one that I'm going to be using now I can network into my mail servers, or envelope rewriting with SRS, something which I have acquired no understanding of as yet.
It doesn't solve the spam problem, and it only partially addresses impersonation (unlike signing emails which addresses this one properly).
It doesn't address impersonation at all. The only thing it addresses by design is the spoofing of email from lines. This solves one part of a large and complex (spam) problem, in a way that seems to me to be proportional and somewhat clever. Screening out a large number of emails quickly on the basis that they are not from where they say they are allows more resource to be applied to the more clever and trickily sneaky spam.
Whereas 3 is expensive. For the time cost of implementing SPF at a small ISP - enable SMTP auth, educate users about SMTP Auth, update DNS, update email servers, manage passwords.... you can probably upgrade the email server hardware - which means an order of magnitude more email can be handled.
I fear with the current growth of antisocial activity by those very few Americans (surely it is time their neighbours ceased to sell them groceries) and others adding the capacity to route more email will merely ensure that the huge rise in spam continues to be routed. It is at least partly a social phenomenon, I was not active when Usenet sorted out a solution but I assume we can't blame Microsoft for all of that... even though their behaviour on email and the Internet has been so poor as to suggest they want to destroy any internetwork they do not own, charge for and control.
Since SPF doesn't actually address the spam problem, it doesn't reduce (2) significantly at least not until you switch on the "don't accept email from non-SPF users" or those advertising all addresses (like AOL was at one point - may still do) and that isn't happening anytime soon.
That was not my understanding, and of course if one adds even a single point to the spamishness score on the basis of SPF records that don't allow an email to be discarded out of hand, it will make a big difference to the probability of a spam getting through. Spam being a social problem will require a complex adjustment of society to deal with, SPF is one bit of technology I've been convinced of the merit of, and the various laws on UCE while poorly effective in their own right share the merit that they provide a criminal offence which has been committed by most senders of spam which cannot easily be blocked on the basis of where it came from.
--
Adrian Midgley (Linux desktop) GP, Exeter http://www.defoam.net/
--
The Mailing List for the Devon & Cornwall LUG