Comments on: Cat Fight! SPF Claws Sender-ID
http://www.emailbattles.com/2005/09/01/spam_aabeeighag_ef/
Spam, Security, Privacy, Spyware, Phishing & Viruses from the Front Lines.
Thu, 18 Mar 2010 18:07:12 +0000

by: Julian Mehnle
http://www.emailbattles.com/2005/09/01/spam_aabeeighag_ef/#comment-47
Sat, 03 Sep 2005 14:01:07 +0000

Bob Lobodomee, don’t confuse an SPF “Pass” result with an assertion on the value of an e-mail message. An SPF “Pass” simply states that the sender address is not forged. If you skip any further spam filtering due to _that_, it is your own fault.

Actually, such “Pass” results can be used for blacklisting spammers’ domains instead of their IP addresses. Or it can be used for whitelisting the good guys.

by: Bod Lobodomee
http://www.emailbattles.com/2005/09/01/spam_aabeeighag_ef/#comment-46
Fri, 02 Sep 2005 21:42:42 +0000

John Levine at circleid (http://www.circleid.com/article/1178_0_1_0_C/) says he thinks “during the magic anti-spam silver bullet stage, lots of people published SPF records, and then forgot about them when they found that their spam didn’t stop. When Sender-ID came along as a hybrid of SPF and Microsoft’s Caller-ID, after lengthy discussion on the MARID list, they decided that since many Sender-ID records would have the same contents as the corresponding SPF records, Sender-ID would use the existing large set of SPF records. As a way to kick-start a package that you want to rush into use, it’s not a bad idea. But as part of an experiment, which is what the IETF considers SPF and Sender-ID to be, it’s a clear mistake.”

He’s pretty ambivalent, but techdirt covers your article with this title: On Second Thought, Why Not Just Ditch Sender Authentication Altogether (http://www.techdirt.com/articles/20050902/0920242_F.shtml).

Ciphertrust (http://news.bbc.co.uk/1/hi/technology/3631350.stm) said its survey shows spammers are the biggest users of SPF and, as a result, 34 percent more spam is passing SPF security checks than before.

Am I sensing a pattern here?
