John Hardin wrote:
> On Wed, 11 Feb 2009, Ned Slider wrote:
>
>> The backscatter he is receiving is most likely DSN messages sent from
>> mail servers in response to his (forged) sender address. SPF will only
>> help if other people's mail servers deploy and bounce mail on failed
>> SPF, but as I asserted in an earlier post to this thread, how much
>> faith do you place in a mail admin deploying SPF _AND_ bouncing
>> messages on SPF failure when they can't even address the issue that
>> their servers are responsible for the backscatter problem by accepting
>> mail for non-existent addresses and then sending DSNs to a forged
>> address.
>>
>> As I said, SPF and DKIM will only _reduce_ the problem as it depends on
>> The Other Guy to first look at and then do the Right Thing with the
>> authentication data you are providing.
>
> Why should the OP not do something fairly simple (i.e. publish an SPF
> record) that will at least reduce the problem somewhat?

Agreed, although I'd say has the potential to reduce the problem. You
can't possibly quantify that it will actually help in any way.

>> Let me put it another way, hands up everyone who rejects mail outright
>> that fails SPF?
>
> I did until I found that the SPF milter was overloading my (fairly
> lightly-provisioned) hosted VPS mail server. I've since increased the
> resources, I may reinstate an SPF reject policy at SMTP time.

So you reject mail from Microsoft then? I've seen mails from Microsoft
in the last month that fail SPF when signing up for their Windows Live
programme. If a company as large as Microsoft can't get it right how do
you expect everyone else to?

>> You won't solve the backscatter problem with SPF.
>
> Nobody has claimed that. It helps, but it's not a silver bullet.

I don't see how you can possibly quantify that. You have no idea how
much spam was sent forging your domain so how can you possibly know what
effect, if any, SPF is having. If you receive 3000 backscatters
tomorrow, is that good, bad or indifferent? How much was blocked by SPF?
Would you have received 6000 if you didn't have SPF in place on your
domain? You can't possibly answer these questions. It certainly won't
hurt, but I can't really see it's going to help much either for the
reasons I stated earlier. People who are going to do "The Right Thing"
are most likely already doing "The Right Thing" and are not sending
backscatter to start with. It's those that are sending the backscatter
you need to concern yourself with and they've probably never even heard
of SPF much less have it deployed to reject mail outright on their
servers. IMHO there are better ways to address backscatter than SPF.