>"James Craig Burley" <[EMAIL PROTECTED]> wrote:
>> (But, until that point, how useful can it really be in stopping or
>> substantially slowing spam and vermin without generating lots of false
>> positives?? After all, it won't have yet been widely deployed, and it
>> isn't terribly likely enough sites will choose to publish information
>> *without* also doing SPF lookups for most or all incoming email,
>> unless SPF is redefined to be an end-user-triggered means of
>> determining authenticity of important-looking mail, in which case it
>> ceases to be much of an anti-UBM measure and becomes more of an
>> anti-fraud measure.)
>
>SPF has always been about preventing forgeries, not stopping spam. In fact,
>point 1 of "What SPF Is And Is Not" says: "SPF is not the Final Ultimate
>Solution to the Spam Problem. Nor is it meant to be. Its goal is to stop
>forgery, not to stop spam."

Regardless, it's either too expensive to deploy just to stop forgeries, or too useless for spammers to bother attacking via the methods I describe.

Think about the real world: do you go to the effort to determine if *each and every communication you receive* is from a forged source? If not, why not? How about you try that from now on? Look up the information contained in this email, and in every other email, to determine whether it's forged. Ask every person who even says "hi" to you to identify himself or herself, then do sufficiently diligent research to determine whether that "source" is forged.

What you'll quickly realize, probably just by thinking about the implications, is that such an effort is doomed to fail due simply to lack of resources. (Or, one can shut oneself in a monastery, thus reducing the size of the problem space.)

Instead, everyone instinctively realizes that the level of trustworthiness needed to accept messages varies *widely*, based mostly on the content of each message. So, I don't have to worry whether "Buy Viagra Today!" is from a forged source *at all*, since I don't care about the message; whereas, "Your mother is in the hospital" causes me to be much more concerned about the trustworthiness of the source. (But I want my anti-UBM measures to block the former sort of message, not the latter!)

Until SMTP servers have built-in Artificial Intelligence (AI), they cannot possibly determine for which messages lookups like SPF or DK are useful or even necessary to a sufficiently useful degree. Therefore, either they perform those lookups all the time, and incur the resulting performance penalties (which spammers can exploit, if they believe these systems are being used to combat spam, which is what they were designed to do, despite disclaimers to the contrary)...

...or they can essentially *never* perform those lookups, leaving it to end users to trigger them once they determine that such a lookup would be useful.

-- 
James Craig Burley
Software Craftsperson
<http://www.jcb-sc.com>