SPF Design Frozen
Eric S. Smith writes "SPF, previously mentioned here, is a step closer to becoming a real, live RFC. We are encouraged to publish SPF records and thus to hasten the beginning of the end for annoying spam forgeries. SPF describes DNS TXT records that define the hosts authorized to send mail on behalf of users in your domain. Sites can then consult your SPF records and reject spam forged to look like it comes from you." (SPF stands for "Sender Permitted From.")
I've always wondered how a spam filter system based on authorization might work. Your mail server could automatically send out a verification request to the email address that sent the email, then if the email address exists, an authorization would be sent back to your mail server. All mails that weren't confirmed by a returned authorization could be automatically deleted. This way, you could only get mail from active email addresses. Could cut down on email spoofing because anyone spamming you would have to use a real email address which would allow you to complain to the domain owner. Of course, all mail servers in the world would have to be upgraded to this new protocol for it to work, or everything would be considered spam.
Does any of this make sense?
You're right, I wouldn't steal a car. But if it were possible, I sure as hell would download one!
My main spam related problem is that I can't send mail from my residential IP to aol.com, rr.com, and some others. Will this provide such a great spam filter that those ISPs will stop blocking me? I suspect not, because I suspect those people just want to force me to get a higher priced fixed IP. (I suspect RR doesn't care if I spam for a little side income, as long as I pay more and don't do it enough to cost them more than I am paying.)
Besides my residential IP with its dyndns name, I maintain two other mail servers for small businesses (less than 4 employees each). Is there any reason I should employ this solution? Do I get anything I don't get by running spamassassin at home and for my clients?
Come on, sell me on this. However, you have an uphill battle, because my main problem isn't spam, it's the people who treat me like a spammer. (Some analogies to terrorism and John Ashcroft may come to mind.) It costs me and my clients the same whether the network is slow from a spam flood (usually virus related) or not. The human attention factor is not large, with filters applied and updated.
Imagine how this might increase AOL's or Hotmail's network traffic, while they gain nothing from it.
Well, they do gain, actually -- if the plan works, it will blot out quite a lot of spam. AOL and Hotmail spend an astronomical amount of money dealing with spam in the current situation (it doesn't help that lots of spammers forge AOL or Hotmail return addresses... I'm sure those bounces crank out the bandwidth required). If they need to pay for more bandwidth and more servers to support SPF, I have to imagine that will be much cheaper than the manpower they have to support to fight the problem now.
Besides, how much extra bandwidth is really involved? Wouldn't it work like other DNS records, and be cached all over the place?
I don't know enough about the technology to properly address your second point... but I think because we're dealing with DNS servers here (instead of needing to contact the mail servers) this may actually work out. Sure, some people run mail servers from home, etc., but DNS is usually provided free by an ISP; there are also free DNS hosts.
Either way, I'm rooting for it. Spam is killing email.
There are only 10 types of people: those who understand decimal, those who don't, and, uh, 8 other types I forget.
If they couldn't get consensus inside the IRTF's spam working group, what makes them think they can get it in the IETF community at large? (I love the note to the RFC editor - HA)
I have mod points and I am not afraid to use them