On Sat, Jan 24, 2004 at 11:33:54PM +1300, Simon Byrnand said:
I don't see how this would work.
Let's say I connect to xtra as my ISP, however I have a clear.net.nz email address and use xtra's smtp server to send my email. This sort of system would block it as being spam because it wouldn't be going through the correct provider's smtp server.
Which is one of the major sticking points of SPF. There are legitimate uses of "forging" domains like this...
At the risk of appearing stoopid, such as? If a domain lists all the IP addresses that mail from that domain could originate from, then presumably they're saying that greeting card sites and the like aren't going to be usable from this domain. Sounds like a good idea to me :-).
Well, how about all those people, like me, that have active email addresses with more than one ISP, but usually dialup using only one of them. To send email "from" the domain of one you're not currently dialed up to with SPF universally in place, that ISP would have to support SMTP AUTH, otherwise you simply couldn't send using that email address unless you were connected to that ISP at the time. Another example is webhosting/email hosting companies who host email domains but don't provide connections, some of them don't even provide outgoing SMTP servers at all at the moment, but with SPF in place they would have to, and would out of necessity have to provide SMTP AUTH. At the moment some, but hardly all, ISPs support SMTP AUTH, so my only hope is that if SPF did get widely accepted, that those ISPs that start using it also allow SMTP AUTH, which would largely negate the downsides it would otherwise introduce. However when you look at ISPs like Xtra who now don't even allow POP3 access outside their own networks let alone SMTP AUTH, for purely commercial reasons, one has to wonder whether all ISPs would play ball in an SPF environment...
One good side would be that those who did list their domains with an SPF entry would be less likely to be the victim of a "joe job", provided that a large enough proportion of the recipients of such spam were checking SPF...
And that seems like a useful outcome in itself. It would also be a useful defence against the mindless joejobs that you see from the worm/virus du jour these days. Having watched the classic example yesterday where some random Bagle-infected machine sent a mail to a list my SO runs, with From line forged so that it appeared to come from her. It had the right From line, so it got right through the "only allow posting from subscribers" check, and she's been getting harangued by noobs on the list ever since. SPF looks like it could stop that sort of nonsense happening.
I agree. The first and most obvious effect of something like SPF would be a reduction (and eventually elimination perhaps) of joe jobs against those domains who decided to participate in SPF. As to whether it would cut back significantly on spam or not, I don't think that it would in the long run, spammers would just adapt, but it certainly may minimize the damage to innocent bystanders...
Regards,
Simon
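The trade-off debated in this thread, as an added example that is not part of the original messages: a minimal SPF evaluation handling only the `ip4` and `all` mechanisms. The record for clear.net.nz and every IP address below are constructed (documentation ranges), not the ISP's real data, and `example.org` stands in for a domain that publishes no record.

```python
import ipaddress

# Constructed record: the domain is from the thread, the range is an
# RFC 5737 documentation prefix, not the ISP's real address space.
SPF_RECORDS = {"clear.net.nz": "v=spf1 ip4:192.0.2.0/24 -all"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(sender_domain, client_ip, records=SPF_RECORDS):
    """Evaluate ip4/all terms for the envelope sender's domain (MAIL FROM)."""
    record = records.get(sender_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # domain does not participate in SPF
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term

# (description, envelope sender domain, connecting IP) - all constructed
SCENARIOS = [
    ("sent via clear.net.nz's own server", "clear.net.nz", "192.0.2.25"),
    ("roaming user relaying via another ISP", "clear.net.nz", "198.51.100.10"),
    ("worm-infected host forging the sender", "clear.net.nz", "203.0.113.77"),
    ("forged sender, domain without SPF", "example.org", "203.0.113.77"),
]

def run_scenarios():
    """Return {description: result} for each constructed scenario."""
    return {desc: check_spf(dom, ip) for desc, dom, ip in SCENARIOS}

if __name__ == "__main__":
    for desc, result in run_scenarios().items():
        print(f"{result:8} {desc}")
```

The roaming user and the forging host get the same `fail`: the check sees only the connecting IP, which is why the legitimate case needs an authenticated path (such as SMTP AUTH) back to a listed server.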