On Wed, 2005-05-18 at 16:08 +0200, Andre Oppermann wrote:
Juerg Reimann wrote:
To whom it may concern...
I've run a little test whether Swiss ISPs use SPF or not and it turned out
that very few have actually implemented it (actually, I found not a single
one). Is there a reason for that? It's a very simple implementation and it
could prevent a lot of damage like the most recent one after Sober.Q.
SPF is broken by design.
It indeed does not stop spam, it does (partially) stop faking your
source email domain, which could partially stop virus spreads, but that
would require that a large (>75%) of the global is using it. No check
somewhere -> does not work.
I personally would like to see every SMTP box checking that mails are
signed per PGP, but that implies other problems too I guess...
deployment is the first thing and that other thing called PKI seems to
be a long long way on the road to oblivion too.
suggest ISPs should implement SPF quickly and talk to their
customers about it. (See http://spf.pobox.com/
for further information.)
How about you start with your domain and your users first and then
report back how it went and what problems you encountered? Lead us
Well, there is a SPFv1 record on his domain:
jworld.ch TXT "v=spf1 ip4:188.8.131.52/26 ip4:184.108.40.206 ~all"
But that ends in a ~all, thus basically the last Sober.Q runs (I assume
he means that German propaganda crap of the last couple of days) would
not have been 'stopped' because of the above. The "~all" would simply
mean a softfail, thus the box will accept it, though maybe some
spamcheck engine might choose to add some points to the spamscore
because of it.
The point why I don't have SPF stuff on my domains is simple: IPv6 is
not supported well enough, read: it is defined ambiguously and most
likely the few boxes that have SPF checking installed won't understand
the ip6 directive, thus when sending mail from a domain with the ip6
directive and -all, mail is most likely to end up in nothingness, which
is not what one wants, and ~all is simply not adequate.
If the above concern would be gone, which will take quite some time, I
might add it, as it would save getting my addy used to spam a large
number of the ISPs who do check it. Getting those bounces is just a bit
annoying even if they end up in the spam folder.
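
The `~all` versus `-all` outcomes and the ip6 concern discussed in this message, as an added Python example that is not part of the original thread. It evaluates only the `ip4`, `ip6` and `all` terms; `STRICT_RECORD` is constructed from documentation prefixes, and `understands_ip6=False` is an assumed model of a checker that skips `ip6` terms, not a description of any real implementation.

```python
import ipaddress

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Record quoted in the thread.
PAGE_RECORD = "v=spf1 ip4:188.8.131.52/26 ip4:184.108.40.206 ~all"
# Constructed record (documentation prefixes) with an ip6 term and -all.
STRICT_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"


def check_spf(record, sender_ip, understands_ip6=True):
    """Evaluate the ip4/ip6/all terms of an SPF record, left to right.

    understands_ip6=False models a checker that silently skips ip6 terms
    (an assumption made for illustration).
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return RESULTS[qualifier]
        if name not in ("ip4", "ip6"):
            raise ValueError("mechanism not handled in this example: " + name)
        if name == "ip6" and not understands_ip6:
            continue  # the term is ignored, so it can never match
        net = ipaddress.ip_network(arg, strict=False)
        if ip.version == net.version and ip in net:
            return RESULTS[qualifier]
    return "neutral"  # no term matched and there was no "all"


if __name__ == "__main__":
    # Unlisted sender against the thread's record: softfail, so mail is accepted.
    print(check_spf(PAGE_RECORD, "203.0.113.9"))
    # Same kind of sender against -all: fail.
    print(check_spf(STRICT_RECORD, "203.0.113.9"))
    # Legitimate IPv6 sender seen by a checker that skips ip6 terms: fail.
    print(check_spf(STRICT_RECORD, "2001:db8::25", understands_ip6=False))
```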