spamassassin-users mailing list archives

From Marc Perkel <>
Subject Re: email address forgery
Date Sun, 14 Nov 2010 15:41:30 GMT

On 11/11/2010 5:07 PM, Rob McEwen wrote:
> On 11/11/2010 7:41 PM, Noel Butler wrote:
>> Really? I don't use SPF in SA, only MTA, if that's the case, it is a
>> shame that SA also is behind the times. It was years ago SPF type was
>> ratified. Justin: Any plans to change that?
> I guess I'm one of those mail admins who is behind the times. But I
> don't really care that much because I take the same position as Suresh
> Ramasubramanian... that SPF is a failed technology because, for one, it
> breaks e-mail forwarding and there are ALWAYS too many legit e-mail
> forwarding situations (and legit substitutionary "from" situations--like
> sending from one's phone) to create problems in comparison to the
> problems that SPF solves.
> The ONLY exception is when enduring a severe "Joe Job" attack. In THAT
> situation, a strong SPF record will disrupt much of the spammer's
> messages, and cause them to switch to OTHER forged "from" addresses. In
> that situation, SPF is your friend. Otherwise, it is more trouble than
> it's worth, imo.
> Because many feel this way, I suspect that this may be the reason why
> the latest and greatest SPF support probably wasn't a huge priority for SA?

What disturbs me the most about SPF is that it is the most widely 
adopted technology that just plain does not work. It's almost cult-like 
in nature. I'm someone who looks for any trick that works and it took me 
years to figure out any upside to SPF at all and that was very limited. 
I have evolved however from saying it is totally useless to barely 
useful. So I can see why if the SPF standard changed then no one is 
scrambling to adopt it.

The idea itself is interesting. It's one of those ideas that sounds like 
it should work. That is perhaps the attraction. I personally have had a 
lot of ideas that I thought were great ideas but when I actually tried 
to use them there were unforeseen problems. So I abandoned them.

I do think however that there should be some kind of DNS lookup that can 
return information about where legit email for domains comes from. And 
that would have to include lists of places that are sources of 
forwarded email.

Marc Perkel - Sales/Support
Junk Email Filter dot com
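
Added example, not part of the original message or of SpamAssassin: a small evaluator for the `ip4`/`ip6`/`all` mechanisms of an SPF record, showing why a forwarded message fails the check while the same message sent directly passes. The record, the addresses (documentation ranges) and the `known_forwarders` list, which sketches the kind of forwarder information the last paragraph asks for, are constructed assumptions.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample data (documentation address ranges, not real hosts).
RECORD = "v=spf1 ip4:192.0.2.0/24 -all"   # hypothetical record for the sender's domain
DIRECT_IP = "192.0.2.25"                  # the domain's own outbound server
FORWARDER_IP = "198.51.100.7"             # a forwarder relaying with the envelope sender unchanged


def check_spf(record, client_ip):
    """Evaluate only the ip4/ip6/all mechanisms of an SPF record for one connecting IP."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"                    # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        # Mechanisms that need DNS (a, mx, include, ...) are skipped in this sketch.
    return "neutral"


def receiver_verdict(record, client_ip, known_forwarders=()):
    """SPF result, overridden when the connecting IP is on a receiver-side forwarder list.

    known_forwarders is a hypothetical local list; SPF itself has no such lookup.
    """
    result = check_spf(record, client_ip)
    ip = ipaddress.ip_address(client_ip)
    if result != "pass" and any(ip in ipaddress.ip_network(n) for n in known_forwarders):
        return "forwarder"
    return result


if __name__ == "__main__":
    print("direct:   ", check_spf(RECORD, DIRECT_IP))
    print("forwarded:", check_spf(RECORD, FORWARDER_IP))
    print("forwarded, forwarder listed:",
          receiver_verdict(RECORD, FORWARDER_IP, ["198.51.100.0/24"]))
```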
