On Fri, Apr 24, 2009 at 11:01 AM, Dan Harnett <dan...@harnett.name> wrote:
>> On top of that, if VeriSign could be tricked into signing a fake
>> Microsoft ActiveX key, can you really trust the authorities?
>
> Are you implying SPF records are validated somewhere and signed by a
> trusted third party?  They're not.  They're provided by the bad guys.  A
> more proper analogy would be that you received an ActiveX control signed
> by "The Bad Guys Who Do Bad Things".  They were nice enough to sign it,
> so you accept it.
>

I was implying no such thing.  I was referring to using WHOIS to block
spammers on the basis of the date the domain was registered.

> asfjsakf1359.com TXT "v=spf1 a:mail.asfjsakf1359.com ip4:0.0.0.0/0 ~all"

Ok, now that gives us a pointer by which to block fraudulent folk.
That record means anyone and everyone can send an email using that
domain name.  A proper SPF record wouldn't have an all-encompassing IP
range.  In fact, who in the world would have anything more than a /7
block?

However that alone wouldn't deter any spammer - just limit the range
to what's accepted and you're in.  And any limit you set will only
cause more dramas.  Sure you could limit it to /24 and smaller, or
even to single addresses, but what about those select folk who have
been assigned /8 classless subnets?  That's a whole lotta SPF records
for one subdomain.

No solution is perfect, but a small group of imperfect solutions is a
far cry better than no solutions at all and our mailboxes being
inundated with spam.  The problem's here to stay, all we can do is
deal with it as best we can.

--
Aaron Mason AKA Absorbent Shoulder Man
Oh, why does everything I whip leave me?

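Added example, not part of the original message: a sketch of the breadth check discussed above, which sums the address space authorized by a record's passing ip4 terms after merging adjacent ranges, so a /0 split into two /1 blocks is still caught. The function names and the /8 budget are assumptions chosen for illustration.

```python
import ipaddress

# Record quoted in the message above, plus constructed variants for comparison.
QUOTED = "v=spf1 a:mail.asfjsakf1359.com ip4:0.0.0.0/0 ~all"
SPLIT = "v=spf1 ip4:0.0.0.0/1 ip4:128.0.0.0/1 -all"      # constructed
NARROW = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all"  # constructed

def ip4_coverage(record):
    """Return (addresses_authorized, shortest_merged_prefix, pass_all)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    nets, pass_all = [], False
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if qualifier != "+":
            continue                         # only pass terms authorize senders
        name, _, value = term.partition(":")
        if name.lower() == "all":
            pass_all = True
        elif name.lower() == "ip4" and value:
            # A bare address without /len is a single host (/32).
            nets.append(ipaddress.IPv4Network(value, strict=False))
        # a, mx, include and redirect need DNS lookups and are not evaluated.
    merged = list(ipaddress.collapse_addresses(nets))
    total = sum(n.num_addresses for n in merged)
    shortest = min((n.prefixlen for n in merged), default=None)
    return total, shortest, pass_all

def is_overbroad(record, budget_prefix=8):
    """Flag records whose pass terms cover more than one /budget_prefix in total.

    budget_prefix=8 is an assumed policy value, not a figure from any standard.
    """
    total, _, pass_all = ip4_coverage(record)
    return pass_all or total > 2 ** (32 - budget_prefix)

if __name__ == "__main__":
    for rec in (QUOTED, SPLIT, NARROW):
        print(is_overbroad(rec), ip4_coverage(rec), rec)
```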