spamassassin-users mailing list archives

From Matus UHLAR - fantomas <uh...@fantomas.sk>
Subject Re: Off Topic - SPF - What a Disaster
Date Wed, 24 Feb 2010 10:17:50 GMT
On 23.02.10 15:38, Jeff Koch wrote:
> In an effort to reduce spam further we tried implementing SPF 
> enforcement.

You should implement SPF in order to prevent mail forgery, not spam.
SPF is a tool to reduce forgery, not spam.
The fact that most spam has a forged address only helps you.

> Within three days we turned it off. What we found was that:

You have turned it on where? In your MTA at SMTP level?
In your domain(s)? In both? And in your domain(s), hard or soft fail?

> - domain owners are allowing SPF records to be added to their zone files
> without understanding the implications or that are just not correct

Domain owners can do anything with their domains, whether it's correct or
not.

> - domain owners and their employees regularly send email from mailservers 
> that violate their SPF.

This is a main problem we all should try to avoid. Many domain owners, e.g.
ESPs, are already trying to avoid this by adding SPF and DKIM records to
their domains.

So you have turned it off? They won't be glad.

> - our customers were unable to receive email from important business contacts
> - our customers were unable to understand why we would be enforcing a
> system that prevented them from getting important email.

Well, because senders' admins wish to do so.

> - our customers couldn't understand what SPF does.
> - our customers could not explain SPF to their business contacts who 
> would have had to contact their IT people to correct the SPF records.

Their business contacts are apparently doing something against themselves.

> Our assessment is that SPF is a good idea but pretty much unworkable for 
> an ISP/host without a major education program which we neither have the 
> time or money to do. Since we like our customers and they pay the bills 
> it is now a dead issue.

Well, many people are admitting "SPF is broken", just because others are
doing stuff (using incorrect SMTP servers, resending mail using others'
sender addresses) which is in fact broken, not SPF.

As I understand it, there should be some kind of local SPF whitelists,
allowing known broken forwarders, decreasing FAIL from hard to soft for some
domains...

I don't think that not implementing techniques because some people tend to
break things is a way to go. Forcing them to fix broken things is.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
WinError #99999: Out of error messages.
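
Added example, not part of the original message: a sketch of the local policy layer the reply suggests, applied on top of the result an SPF checker has already returned. The function name, the forwarder networks, the domain list and the reject/tag/accept actions are all assumptions made for illustration.

```python
import ipaddress

# Constructed sample policy: documentation address ranges and example domains only.
TRUSTED_FORWARDERS = [ipaddress.ip_network(n)
                      for n in ("192.0.2.0/28", "2001:db8:25::/48")]
SOFTEN_FAIL_FOR = {"partner.example"}  # hard fail from these is handled as softfail

ACTIONS = {"fail": "reject", "softfail": "tag"}  # every other result: accept


def _is_forwarder(client_ip):
    """True if the connecting IP belongs to a locally listed forwarder."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # an unparsable address never gets the exemption
    return any(ip.version == net.version and ip in net
               for net in TRUSTED_FORWARDERS)


def _softened(domain):
    """True if the sender domain, or a parent of it, is on the downgrade list."""
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in SOFTEN_FAIL_FOR)


def apply_local_policy(spf_result, client_ip, sender_domain):
    """Return (effective_result, action, reason) for one SMTP transaction.

    spf_result is the verdict already computed by an SPF checker
    (pass, fail, softfail, neutral, none, ...).
    """
    result = spf_result.lower()
    reason = "sender policy as published"
    if result in ("fail", "softfail") and _is_forwarder(client_ip):
        # Known forwarder resending with the original envelope sender.
        result, reason = "exempt", "known forwarder, SPF failure ignored"
    elif result == "fail" and _softened(sender_domain):
        result, reason = "softfail", "hard fail downgraded for listed domain"
    return result, ACTIONS.get(result, "accept"), reason
```

Every exempted network accepts forged senders relayed through it, so the reason string is worth logging to keep both lists short and reviewable.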
