OT: What is "SPF" ?

Jeremy Blosser jblosser-bogofilter at firinn.org
Sun Sep 5 08:21:17 CEST 2004


On Aug 25, David Relson [relson at osagesoftware.com] wrote:
> Using SPF may be useful as a spam filter, but only if _all_ senders have
> it implemented.  If all valid senders implement SPF, then forged
> messages from zombie machines will be "invalid" (and can be rejected).
> 
> The above is my understanding at present.  Corrections are welcomed :-)

Spam filter, no.  SPF provides no particularly useful information that
administrators and filters don't already have about the true point of
origin of a spam or other mail.

These things were designed primarily to help protect end users from
phishing scams and as a reputation management thing vs. joe jobs.  End
users who can't read mail headers are falling for phishing scams and
yelling at people/companies who aren't actually sending spam, and this is
what SPF was originally created to address.

Unfortunately a lot of people that should know better are now trying to ram
this through as some grand way to deal with spam.  It's unfortunate because
it breaks legitimate uses of SMTP and because _we_ already know how to
easily route around it, which means it'll slow spammers down for all of 2
days if it gets wide adoption.  Specifically, SPF will *not* help with the
zombie problem, it'll just encourage spammers to use zombies more and get
more malicious about it.  All they have to do is make sure they have the
zombies forge to use the local machine's credentials and mail routes (they
already know how to do this).  Alternately they can just add throwaway
domains with valid SPF records to their list of overhead costs...
assumptions that this will somehow be too costly for them betray an
enormous lack of understanding of how these people operate and just how
much money they have to sink into operations.

Theoretically it could still be effective against phishing scams, since
perpetuating e.g. a paypal scam would mean you'd have to get a zombie
inside paypal (which is hopefully difficult).  However, that problem is not
yet large enough to justify the damage SPF and related proposals will do to
SMTP and Internet mail in general.

Big corps love it, of course, since they like reputation management and not
hearing user complaints and forcing things to be centralized through them.

SPF puts a lot of otherwise secure and stable individual mail servers at
the mercy of their providers.  They also like looking like they're doing
something, and there's enough smoke and mirrors around the SPF proposals
that it fits the bill nicely for them.  MS and AOL are all over it for these
reasons.  The good news is that it appears the SPF folks getting in bed
with MS may come back to bite them, since MS is making a play to license
things in such a way that FLOSS implementations have a lot of trouble.
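An added illustration of the argument above (example code, not from this thread or from bogofilter): a minimal SPF evaluator run over constructed records under `.example` zones. It shows the three cases the post describes: a zombie forging a bank's domain from its own address fails, the same zombie handing mail to its ISP's relay under the ISP's domain passes, and a throwaway domain whose record simply lists the zombie's address also passes. A filter therefore learns only that the connecting IP is authorized for the claimed domain, not whether the mail is spam.

```python
import ipaddress

# Constructed SPF TXT records for placeholder zones (not real DNS data).
DNS_TXT = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "isp.example": "v=spf1 ip4:198.51.100.0/24 include:relay.example -all",
    "relay.example": "v=spf1 ip4:203.0.113.10 -all",
    "throwaway.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "nospf.example": None,
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, depth=0):
    """Evaluate a reduced SPF subset (ip4, include, all) for MAIL FROM domain vs. connecting IP."""
    if depth > 10:  # RFC-style recursion limit for include: chains
        return "permerror"
    record = DNS_TXT.get(domain)
    if record is None:  # no record published: SPF says nothing either way
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = check_spf(term[8:], client_ip, depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            return "permerror"  # mechanism outside this toy subset
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # record exhausted without a match


def scenarios():
    """The cases from the post; ZOMBIE_IP is a constructed address of a compromised host."""
    zombie_ip = "203.0.113.77"
    return {
        "forged_bank_from_zombie": check_spf("bank.example", zombie_ip),
        "zombie_via_isp_relay": check_spf("isp.example", "203.0.113.10"),
        "zombie_direct_claiming_isp": check_spf("isp.example", zombie_ip),
        "spammer_throwaway_domain": check_spf("throwaway.example", zombie_ip),
        "domain_without_spf": check_spf("nospf.example", zombie_ip),
    }
```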
