SPF RRType

Brad Knowles brad at stop.mail-abuse.org
Thu Aug 11 23:11:41 UTC 2005


At 3:44 PM -0600 2005-08-11, Commerco WebMaster wrote:

>>          There are problems with the SPF specification, and there are
>>problems with the SPF implementations.  For one thing, many people do
>>not implement SPF correctly, so they break mail for any domain that
>>publishes SPF records.  Another problem is that spammers have started
>>publishing SPF records, and very few legitimate domains have done the
>>same.
>
>  Brad, the above argument could also be made with implementing any
>  protocol.

	This is a particular problem with SPF, because even if you 
publish your records correctly, plenty of sites will screw up your 
e-mail.  The same cannot be said for most other records in the DNS -- 
most other sites are unlikely to screw up your e-mail if you publish 
your MX records correctly.

>>          This means that the probability is very high that anyone using
>>SPF records is a spammer, which I guess explains why no one seems to
>>care that they have screwed up their SPF implementation and instead
>>throw away anything coming from domains that have SPF records.
>
>  Actually, your statements above are quite misleading and a fairly
>  large number of respectable companies who do publish SPF records
>  might take exception to them.

	I was the Senior Internet Mail Administrator for AOL.  I know 
exactly what they've done.

	That doesn't change the fact that 99% of e-mail sent from 
SPF-enabled domains is actually spam, and therefore anyone who 
receives e-mail from an SPF-enabled domain has a 99% probability that 
the message is spam.

>                                                If a spammer is
>  violating any laws regarding spam, prosecuting the spammer is going
>  to be that much easier if they do publish an SPF record, because in
>  publishing their SPF record, the spammer just admitted machines under
>  their direct control were the actual source of the spam.

	And if the spammer is overseas, your stupid US laws aren't going 
to be worth a damn.

	And yes, I'm a US citizen, so I do get to criticize their stupid laws.

>                                                            Further, if
>  a spammer publishes an SPF record, it makes the process of black
>  holing the spammer that much easier.

	Not really.  Many spammers change domains multiple times per 
hour.  Much too fast for any black list to keep up.

	There are some things in the works that would be more likely to 
keep up, but that's a subject for a different mailing list/newsgroup.

>  As everyone who pays much attention to SPF at all knows, SPF was
>  never really conceived to directly address spam.

	That may not have been the original concept, but SPF got 
side-tracked by a lot of people and was pushed very, very hard as the 
"Final Ultimate Solution to the Spam Problem".  Google for "FUSSP".

	As I said in my blog, the original concept (as small as it is), 
is not such a bad thing, so long as you meet certain criteria.  The 
problem is when everyone in the world applies SPF blindly to their 
systems (as Microsoft would have them do, as well as many other 
johnny-come-lately supporters), they seriously screw things up.


	Unfortunately, this is the real world.  We not only have to talk 
about the ideal way to implement SPF, we also have to talk about the 
typical types of methods that people have used to implement the SPF, 
and we also need to highlight the fact that there are a hell of a lot 
of sites out there that do not implement it correctly.

	This is the Everglades.  It's filled with alligators and 
crocodiles.  If you step out of the boat, you are in serious danger 
of getting your arms or legs ripped off.  Yes, some professionals can 
come down here and successfully jump into the water with these 
dangerous creatures and manage to survive and tell tales about it. 
The problem is all these damn idiots who come down here and think 
they can do the same, even though they don't have the necessary 
talents, skills, and experience.

>  Some companies and individuals actually do care about their
>  reputations and those of the domain names under their control and
>  thus they publish SPF records in an affirmative effort to protect
>  those reputations.  Really.

	This is precisely the kind of argument that people use to push 
SPF blindly on everyone else.  Just because you care about your 
online reputation has nothing to do with whether or not you implement 
SPF, and any attempt on your part to make that claim is disingenuous 
-- at best.

>  Until something better comes along to protect a domain name from
>  being hijacked in an email MAIL FROM, SPF seems the default solution
>  du jour for such things.  If you have a workable alternate solution
>  that has a level of support by responsible domain holders that is
>  even close to that enjoyed by SPF, please advise.

	As I said before, DomainKeys doesn't work, either.  PGP works 
fine.  We don't need to reinvent that wheel.

>  No, I'm not a SAGE member (I'm more likely closer to a sage brush
>  member), but I do drive past Holiday Inn Express locations from time
>  to time and have also been engaged in on-line Internet business since 1995.

	Whereas I was the very first Internet Mail Operations person 
hired by AOL, and I got my start there in 1995.  Before the end of 
that year, I was already one of the most experienced anti-spam 
experts on the Internet.  By the time I left, we had grown the 
Internet Mail Operations team to several people, we had grown the 
number of gateways by 15,000%, and each gateway was hundreds of times 
more powerful than the machines we had started off with.

	I've been on the Internet for over twenty years, and a 
Unix/Internet systems administrator for fifteen.  And I've continued 
my involvement with various anti-spam efforts since leaving AOL.

	And when it comes to anti-spam work, despite my experience, I'm 
still considered a "newbie".  I can point you to people who've been 
worrying about this problem a lot longer than I have, and I've been 
working with most of them throughout my professional career.


	Now, if you want to get back to discussing DNS and BIND and let 
us all get away from this chest-thumping and other topics not related 
to this mailing list/newsgroup, I'm all for that.

-- 
Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

   SAGE member since 1995.  See <http://www.sage.org/> for more info.
