nanog mailing list archives

Re: Spammers Skirt IP Authentication Attempts


From: Paul Vixie <paul () vix com>
Date: Wed, 08 Sep 2004 15:59:17 +0000


> True, but bounces, and anything else with NULL return path, can be taken
> care of with SRS.

SRS is probably a higher pairwise deployment barrier than SPF.  but in any
case you should take this argument to the IETF MARID WG, since getting
agreement on nanog@ (assuming it's possible) won't stop the SPF steamroller.

> See:
>
>       http://www.libsrs2.org/
>       http://www.libsrs2.org/srs/srs.pdf
>       http://asarian-host.net/srs/sendmailsrs.htm
>
> And be happy, and realise "SPF is worthless" ;)

SRS looks like a better technical solution than SPF, but it's less deployable.
for one thing, There Can Be Only One SRS-like thing.  there are already many
SPF-like things, each with its own adherent-base, and there will be many more.

> Is it really worth it for every domain owner on the planet (including
> spammers!) to implement SPF records in DNS, and the resulting forwarding
> breakage, simply to provide some fairly intangible "dilution protection"
> for, primarily, the very small subset of widely-known domains out there?

no.  it's the same kind of cost/benefit asymmetry as spam, where everybody
has to pay a higher cost but only a few get a significant benefit from it.

however, beta was better than vhs, too.  and tully's is way Way better than
starbucks.  being better isn't as relevant as having better marketing.  with
microsoft backing SPF++ (is it "sender-id" now?), SPF will be widely deployed
and the costs and benefits be damned.

>> ...  i'm glad that companies bigger and richer than i am find it in
>> their own selfish best interests to push something like SPF -- that
>> means it'll happen.  ...
>
> Well that depends. At the moment it looks like the clients will
> implement a standard that most of the servers will not!

i've begun to hear privacy related concerns, as well.  even with jim miller's
MAIL-FROM proposal, there's a way to look at the DNS query stream and find
out what servers are presently being spammed using your domain name as the
source.  this is an information leak but i'm willing to live with it.  many
MTA operators will not be willing to live with this.  (maybe some large ones.)

>> it's useful, just not for the advertised reasons, or a universal reason.
>
> Ah, absolutely yes.

so, i'll take your "SPF is worthless!" statement under advisement.

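The SRS mentioned above (the correspondent's answer to SPF's forwarding breakage and to bounces with a NULL return path) can be shown concretely. The following is an added example, not code from this thread or from libsrs2: a simplified SRS0 forward and reverse rewrite in Python. A forwarder rewrites MAIL FROM so that the next hop's SPF check sees the forwarder's own domain, and when a bounce (NULL return path) later arrives at the SRS0 address it unwraps it back to the original sender, refusing addresses with a bad HMAC or an expired timestamp. The timestamp alphabet, 4-character hash and 21-day window follow libsrs2's documented defaults; the exact bytes fed to the HMAC, the secret, and the domains sender.example and fwd.example are this example's own assumptions.

```python
"""Simplified SRS0 forward/reverse rewriting (illustrative example, not libsrs2 code).

A forwarder rewrites the envelope sender so the next hop's SPF check is
made against the forwarder's domain, and later unwraps a bounce (mail with
a NULL return path sent to the SRS0 address) back to the original sender.
"""
import base64
import hashlib
import hmac
import time

BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"  # timestamp alphabet used by libsrs2
HASH_LEN = 4       # base64 chars of the HMAC kept in the address; libsrs2 default
MAX_AGE_DAYS = 21  # how long a rewritten address stays reversible; libsrs2 default


def _timestamp(days: int) -> str:
    """Encode a day counter as two base32 chars (10 bits, wraps every 1024 days)."""
    days %= 1024
    return BASE32[days >> 5] + BASE32[days & 31]


def _decode_timestamp(ts: str) -> int:
    ts = ts.upper()
    if len(ts) != 2 or any(c not in BASE32 for c in ts):
        raise ValueError("bad SRS timestamp")
    return (BASE32.index(ts[0]) << 5) | BASE32.index(ts[1])


def _hash(secret: bytes, ts: str, domain: str, local: str) -> str:
    """HMAC-SHA1 over timestamp, original domain and local part (input layout assumed here)."""
    msg = f"{ts}{domain}{local}".lower().encode()
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    return base64.b64encode(mac).decode()[:HASH_LEN]


def srs_forward(sender: str, forwarder: str, secret: bytes, now_days=None) -> str:
    """Rewrite the envelope sender for forwarding through `forwarder`."""
    if sender == "":
        return ""  # a NULL return path (a bounce) is never rewritten
    if now_days is None:
        now_days = int(time.time() // 86400)
    local, domain = sender.rsplit("@", 1)
    ts = _timestamp(now_days)
    return f"SRS0={_hash(secret, ts, domain, local)}={ts}={domain}={local}@{forwarder}"


def srs_reverse(address: str, secret: bytes, now_days=None) -> str:
    """Recover the original sender from an SRS0 address; raise ValueError if forged or stale."""
    if now_days is None:
        now_days = int(time.time() // 86400)
    local, _, _ = address.rpartition("@")
    parts = local.split("=", 4)  # the original local part may itself contain '='
    if len(parts) != 5 or parts[0] != "SRS0":
        raise ValueError("not a well-formed SRS0 address")
    _, h, ts, domain, orig_local = parts
    expected = _hash(secret, ts, domain, orig_local)
    if not hmac.compare_digest(h.lower().encode(), expected.lower().encode()):
        raise ValueError("SRS hash mismatch: forged address or wrong secret")
    age = (now_days - _decode_timestamp(ts)) % 1024
    if age > MAX_AGE_DAYS:
        raise ValueError("SRS address expired")
    return f"{orig_local}@{domain}"


if __name__ == "__main__":
    key = b"constructed-example-secret"  # constructed for this example
    rewritten = srs_forward("alice@sender.example", "fwd.example", key)
    print(rewritten)                   # SRS0=<hash>=<ts>=sender.example=alice@fwd.example
    print(srs_reverse(rewritten, key))  # alice@sender.example
```

Because only the forwarder holds the secret, a spammer cannot mint SRS0 addresses that reverse to arbitrary victims, and the timestamp bounds how long a harvested SRS0 address stays usable as a bounce relay target.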
