Spammers Are Early Adopters of SPF Standard

nazarijo writes "In an article entitled Spammers using sender authentication too, study says, Infoworld reports that a study by CipherTrust shows that SPF and Sender ID (SID) aren't nearly as effective as we expected them to be when combatting spam. The reason? Spammers are able to publish their own records, too. 'Spammers are now better than companies at reporting the source of their e-mail,' says Paul Judge, noted spam researcher and CipherTrust CTO. Combined with low adoption rates of either SID or SPF (31 of the Fortune 1000 according to CipherTrust), this means that the common dream of SPF or SID clearing up the spam problem wont be coming true. Wong, one of the original authors of SPF and a co-author of SID, says that it was never intended to combat all spam. Weng, another researcher in the space, says that this is just one of the many pieces of the puzzle needed to combat spam. Various SID implementations exist, including a new one from Sendmail.net based on their milter API, making it easy for you to adopt SID and try this for yourself."

A Change Needs to be made

OK, We need to change SMTP completely. It was created back when the internet was somewhat new, and spam e-mail was unheard of. The protocol itself needs a change.

I won't pay $300/year to send mail

'nuff said.

Re:A Change Needs to be made

If you are talking about using TLS to ensure authenticity of a source, then SPF does that (somewhat). If a message claims to be from domain X, and domain X uses SPF and already only allows messages from their servers, then that message is from domain X. TLS, as far as authenticity goes would add nothing. The only difference is that spammers would now also have to buy a TLS cert.

About the only attacks that TLS would pervent would be IP spoofing. These days, that is very, very hard.

What would TLS add?

Re:A Change Needs to be made

How would you change it?

Why can't these changes be integrated into SMTP-as-we-know-it?

It's all very nice to say "it needs to change", but until you explain why changing it is the best solution - or even vaguely useful - it's not going to happen.

We can still use it as a spam prevention tool

All we need to do is block emails from anyone using SPF or SID.

The point of SPF

... is not to block spam, but to identify the source of an e-mail. Spammers can definitely identify themselves if they so choose. I think it is still a welcoming trend.

Re:The point of SPF

The point of SPF is ... to identify the source of an e-mail

This point needs to be emphasized. The whole point of SPF is to prevent spammers from falsifying return addresses. If they want to publish their own legitimate SPF records, then by all means let them. Then we can just block them by their domain names without any fear of blocking legitimate email.

even spammers

need sun protection

Article Poster Doesn't Understand SPF

Idiot. The point of Sender ID systems is to make it easy to track down spammers and enforce spam laws. Sender ID isn't meant to stop spam like spam filters or sender payment schemes but make laws enforcable.

Isn't this what we want?

Isn't putting up SPF records exactly what we want spammers to do? If they've got SPF records, running an RBL against spam domains should be easier and more accurate.

Re:Isn't this what we want?

Well, a quick off-the-cuff idea is thus: Expand SPF or its moral equivalent to offer a web-of-trust style interface. That is: Each piece of email comes with a pointer that says, in effect, This piece of email is from mydomain.com ... people who think that mydomain.com is cool are yourisp.com otherisp.com white-hat-geeks.net

So, I suppose what I'm proposing is a distributed whitelist.

Re:Isn't this what we want?

Assumed it takes an hour to add a domain to an automated blacklist. I think it could be done in five minutes or so, but let's be generous:

24 domains/day * 365 days/year * $12/domain = $105,120

That's a hundred thousand dollars they didn't used to need to spend each year. Automated blacklisting in five minutes boosts the costs to well over a million dollars a year.

Re:Isn't this what we want?

But now, spammers have to invest money in what they're doing. It doesn't matter if it's much or not, but it is something. It's more than what they were paying before, so unless they don't mind cutting into their profit margins, they're going to be affected by this.

Compare what it used to be with how it is now. It used to be that spammers could use any domain they want. Now they can only use domains they own (assuming they're using SPF), and as soon as one domain is RBL'd, they're going to need another domain. More work for the spammers. And more cost too.

What I'm trying to say is that, yes, domains are cheap. But now they're paying for domains that they didn't have to before.

Weng and Wong are the same person.

The principal author of SPF is Meng Weng Wong. Just one person. Doofus.

Wow

Spammers are like viruses, they adapt amazingly fast. You thought that this new technology would hinder their 'business', but they turn it to their advantage! Oh look, a valid sender ID... i'll just open this mail, it can't be spam, right? Right?

Oh well, at least filters are getting VERY good at catching 99% of it.

Understanding SPF

Understanding SPF as I do, I can't see how any one expected this "end the spam problem".

It'll cut down on problems where forged senders are the main symptom, dramatically. That both includes viruses ( virii ) and some spammers.

But, as is stated, it's completely possible for spammers to keep their dns records updated too.

Now, if only we could get the whois accurate. ;)

Re:Understanding SPF

You know, spammers don't just forge the sender for fun. It's an integral part of their methods of staying a step ahead of being shut down. If you can prevent them from doing it, then you make it that much more difficult to spam. (Of course, we haven't reached that point yet.)

Re:Understanding SPF

It'll cut down on problems where forged senders are the main symptom, dramatically. That both includes viruses ( virii ) and some spammers

And there in lies the wonderful synergy of SPF and blacklists. Without From address forging it becomes much to perform the follow sequence:
1. I received a Spam message from domainx.com, either:
(a) sender was a verified user of domainx.com, spf records check out
(b) no spf, sender likely forged
In case (a) inform the ISP of domainx.com, if further verified Spam messages are received from domainx.com, blacklist it.
In case (b) if SPF is in widespread use for ligitimate mail then the soam message is easier to mark as such (less need to resort to expensive statistics on the body). If SPF is not widespread there is less benefit.

Regards

Alex

Did anyone expect this would reduce spam?

This is certainly what was expected by everyone I've discussed this with!

No one claimed it would end spam

What it does end is domain spoofing (joe jobs), and it adds a level of accountability. If spammers are using their real domains, great. We go to their registrars, most of which have anti-spammer policies, and we get it yanked. If it costs the spammers money, it's a good thing.

But that's not the point of SPF

The point of SPF was not to eliminate spam, but to eliminate spoofing. If successful, this is enables effective and cheap spam filtering by forcing spammers to use domains that can easily be blacklisted.

In other words, SPF is working correctly, brighter tomorrow expected, move along, nothing to see here.

SenderID != Spam Solution

SenderID is not designed to combat spam (although many uninformed individuals think it is), it was designed to fix a fundamental problem with the E-Mail system.

You can not guarantee that an E-Mail originated from the source it said it did.

Which effectively makes black-lists useless.

With SenderIDs you are able to build effective Black-Lists/White-Lists because you can guarantee that an E-Mail came from the location it said it did. And thus decrease the amount of spam.

I'm not sure who wrote this 'study' but the fact that I know more than them says a lot.

SURBL SPF

I have found SURBL - Spam URI Realtime Blocklists to be pretty effective the last while. While everything else is forged and loaded with junk text the actual links back to spammer web pages have to be at least partially valid.

All the more reason...

... to declare open season on spammers.

"What good is Viagra if you .. have no balls... .. fucker"

You need the support of your DNS provider

I actually tried to set up SPF for my site this morning after reading another /. article. Turns out my DNS provider does not support TXT records and gave no indication of a willingness to do so. If it turns out that SPF and some other combination of technologies will prevent me from getting spam as well as prevent my email adress from being spoofed as the From: address on spam sent to others, i guess register.com is about to lose a customer.

Appearantly, some people missed the point...

If spammers are now forced to identify themselves in their emails, by means of having a domain and publishing SPF records for that domain, then good.

That was the entire point.

In combination with anti-spam laws, now we have the ability to actually identify the spammers flooding our inboxes and take legal action against them for doing so.

There is no technological means that will allow random people to email you and yet prevent them from emailing you spam. Technology is simply not capable of distinguishing spam from non-spam with a 100% success rate. We can get really close, but there will always be false-positives and false-negatives in any system. And any system is vulnerable to clever hacking around the filter. You can make it terribly difficult to do so, but you can't make it impossible.

The goal of SPF never was to stop spam, it was to force somebody who sends you email to be accountable for doing so, by providing a method to track down who they are. At least, it's a good start for this sort of thing.

In other news

Wong, one of the original authors of SPF and a co-author of SID, says that it was never intended to combat all spam. Weng, another researcher in the space, says that this is just one of the many pieces of the puzzle needed to combat spam.

Wung, on the other hand, claims that a variation of SPF will eventually win the day, while Wing, yet another researcher, believes that any acronym that can be confused with sunscreen will inevitably fail. And someone named "Wang" would like you to know that you can increase your penis size by 20% in just 2 hours!

Good thing too...

... that there's finally a broad consensus about standards adherence.

SPF is an anti-forgery tool, not an anti-spam tool

SPF doesn't and can't block spam.

it has a different purpose. it prevents some email address forgeries. its main use is to allow a domain owner (e.g. an individual or an organisation or a corporation such as a bank) to specify exactly which hosts are allowed to send mail claiming to be from that domain.

in other words, it can be used to block forgeries such as phishing spams and viruses, but it is not a general purpose spam blocker.

it does that job reasonably well (or, it will when it is implemented by enough mail servers). to complain that it doesn't do a job it was never designed to do is just absurd.

It's not meant to stop spam

this means that the common dream of SPF or SID clearing up the spam problem wont be coming true.

Argh! It's not meant to stop spam. It's meant to stop joe-jobs.

These are only the easy solutions

The only real way to combat spam is to also stop sites and spammers from selling email addresses to each other. If the spammers don't have their most precious commodity, they can't spam.

Important notice: please update your USBank info!

There are four separate "spam" problems:

• Unsolicited but legal mail from a legitimate mail server
• Unsolicited mail (legal or not) from hijacked systems, open mail relays, etc.
• Viruses
• Fradulent mail

SPF can be circumvented in the ways we're already seeing for the first category, but it should knock out the second two (and probably related) problems.

As for the final one... law enforcement may still not take phishing seriously. But I bet Citibank, US Bank, et al do. They're probably losing millions of dollars cleaning up the mess left by phishers, and that money would go a long way towards making phisher's lives miserable and cautionary tales for others. These organizations are large enough that phishers can't even hide behind international borders - piss of Citibank by protecting phishers and that bank may decide that it's not worth doing any business in your country.

Well, duh

How could anyone possibly have thought SPF would reduce spam in any way?

No system that is under the technical control (like SPF) will reduce spam, since the spammers will simply comply. In the case of SPF, all the need do is add in a new section to the script they use to automate signing up for dozens of new domain names at a time, to add the SPF records. (These scripts already add in the other DNS records, so this is trivial.)

And no system that is under the control of someone other than the domain holder will ever be used. (Like the .mail scheme from Spamhaus, where the registrar controls your DNS records.) Only insane people will tolerate that.

The solution to spam involves dark alleys and cattle prods, not wacky technical solutions that won't do anything.

Thoughts from the peanut gallery

First, the two quoted experts are Weng and Wong. If somebody posts that they both work at Wang, I am going to scream.

Second, I'd have thought that it would be obvious that trivial authentication would be useless. It's like using the existance of an X.509 certificate as proof that a site is genuine, notwithstanding that anybody can download a roll-your-own certification program and generate their own.

Third, it's ironic that corporations (who lose millions, if not billions, to fraud each year) aren't the least bit interested in authentication of any kind, whereas spammers (who probably make a very livable income from fraud) are adopting it in droves.

This last one is the most bothersome. Many (but by no means all) corporate websites use SSL for credit card info, but that's about it. And even then, usually only the server has a certificate. Client-side authentication is extremely rare.

Even for business-to-business networking, where you would have thought it very important that both ends of the connection are who they say they are, it's extremely rare to find even the most basic of security measures. IPSec? Kerberos? Nah. I've worked for companies - and even Government agencies - that were quite confident that their .rhosts file would only allow legit users access to their computers.

It's a sad day, when the only e-mail you can be sure is genuine is the e-mail that's pure crap.

Just goes to show...

Wong, one of the original authors of SPF and a co-author of SID, says that it was never intended to combat all spam.

... that wong was wrong all along. So long.

impossible

The only reasonable spam solution is email acceptance rate limits by the major email routers.

A zombie PC will rapidly move from a low emmission of emails to a much more rapid rate. If the upstream email routers rate limit email transmission based on historical information you strangle the spam at source.

Spam isn't eliminated, but it's seriously limited hopefully to the point where it is
unprofitable.

All other methods do not address the major characteristic of spam, the large number of emails and the very low response rate.

SPF working perfectly

But that's the point isn't it! Its to stop spammers hiding behind faked addresses. If they publish proper SPF records then the spammer black list catches them.

If they fake their address to a domain publishing SPF records then the SPF check fails and the message gets flagged for aggressive filtering them.

Either way they're screwed.

The day after

Just imagine we manage to kick the spam out of the internet with this temporary fixes, what happen next? I bet we'll get sloppier or disable the filters as they are so effort and time consuming. And them the spam will kick in again.
Folks. We need a definitive solution, not temporary patches.

Let me explain this

Two of my domains are used in the from address of spams, to the point that I often get thousands of bounces per day. This is the "reward" for years of turning spammers in and getting them tossed from their ISP's.

These sender id schemes won't stop spam at all. It's easy for a spammer to modify his dns to show the correct records and allow him to send.

But, here's the thing: HE DOES IT TO HIS OWN DOMAIN. We can then blacklist his domains and force him to keep coming up with new ones. Whack-a-mole, yes, but at least the "moles" aren't at legitimate domains.

You can complain all you want about how this isn't going to stop spam. Maybe it won't for you, but it will cut down the worthless junk hitting my mail server.

SPF + Reputation = No Spam

SPF was not, by itself, intended to stop spam. It was intended to stop spoofing and phishing (ie. somebody claiming to be from Citi Bank asking you to update your info).

However, once SPF is adopted it allows several things:

1. Whitelisting of well known domains that use spf (eg. ge.com, ibm.com, etc)
2. Blacklisting of well known spammers who use spf (ie. workable rbls)
3. More aggressive spam content filtering of everybody who isn't using SPF -- after all you've whitelisted a LOT of the important people already.

I fully expect the anti-spam vendors to eventually come up with reliable whitelists based upon SPF eventually.

First comes the sender verfication

Then comes the blacklist of senders, so spammers can't send emails as joe@microsoft.com and instead have to send emails as joe@viagra4less.com and then you can just block viagra4less.com :)

all about the porn

Porn is always at the cutting edge of every media. Quite a bit of the spam is for porn so it is no suprise to see spammers adopt a standard before most everyone else.

Misunderstood Reasoning

The power of SPF is not in it's ability to authenticate senders, but in a domain owner's ability to specify who is allowed to send mail from their domain.

If you accept without question mail from SPF verified senders, you're just asking for trouble. There's not and has never been anything in the SPF standard the recommends this practice.

However, If you reject mail based of the SPF records of the sending domain, you can make a difference. If ticketmaster.com does not want mail sent from anything but their mail servers, then by rejecting all ticketmaster mail from other servers, you are reducing spam with forged headers.

It is not possible for a spammer using a domain owned by somebody else to "fake" the SPF records, since they are contained in the zone file for the domain itself.

SPF ignorance is rampant

The number of idiotic posts here is just another example of the declining clue of slashdot users. SPF is an attempt to prevent email forgery. Lots of spam is forged, in an attempt to get by filters. More serious trouble is caused by various 'fishing' schemes, trying to get your bank account/credit card numbers by appearing to be from paypal ,etc. SPF will address the forgery of host &domain names. It does not address the problem of forged user IDs (though this is less of a problem than you may think, if the domain is legit). It does not address the idea of unwanted mail.

Anyone with clue can see this is another tool in the toolbox. Each piece of incoming mail is ranked with a score indicating its probability of being spam. SPF, whitelists, bayesian filters, being in html, coming from china, etc affect the score. There's no magic bullet to stop spam.

Anyone who has spent time as a systems admin of a mail server, should know this.

You won't stop it!

Spam is here to stay. You cannot stop it. I've been an avid user of email and the Internet for years now and ya' know how much spam I get in my mailbox? 4 or 5 messages per day. And these only blink in my inbox as Thunderbird (or Outlook with SpamBayes) quickly relegate my spam to my junk folder. Every email that ends up in my inbox is legitimate email that I want to receive. And even if it's not, one click and it's gone and my filter just got smarter.

Yes, this doesn't cut down on the congestion on the internet, but as a free and public network, you cannot hope to contain it.

Also, be sure to practice smart internet usage. Have throw-away email accounts, only supply your email when it is absolutely necessary to do so.. Don't be willy-nilly about it all and you'll be just fine!

SPF

Spammer Promoted First :)

SPF is step one (we knew this already)

SPF is only the first step. It's purpose is to authenticate that the sender is who they claim to be. Nothing more.

This primarily helps in two ways: first, it helps fight off certain kinds of social attacks. E-Mail can't claim to be from your bank; if it does, the MUA would display a big warning box stating the mail appears to be forged.

Second, it guarantees that people can't spam or send viruses using your domain name. The spammers have to (just as the article says) identify who they are; they can't claim to be someone else.

So no, obviously, that doesn't stop spam. It might block certain kinds of (soon to be obsolete) spam. You no longer have to blacklist all of aol.com, for example, since only real AOL users could send mail from @aol.com if we all used SPF.

This does, however, make it possible to do *MUCH* more accurate RTBL (Real Time Block Lists). The spammers have to identify themselves; once you have their identity, block all their mail. You got spam from @spammer.com? Block spammer.com. The guy at spammer.com can't pretend to be anyone else, so you've got him successfully blocked. Sure, he can register multiple domains, but with a good RTBL that isn't too much of a problem. Good RTBL already block most of the registered spammers - SPF makes their job easier since all spammers will be identifiable.

Mix SPF with a RTBL service and you *will* see a massive drop in spam. Over 80% of all incoming connections to my mail server are now blocked; most of the stuff that does get through is legit (lots of large mailing lists and traffic).

private postage

We need a micropayment scheme for email. Friends in your contacts list (whitelist) send for free, unknowns get autocharged a minimum (like $0.01), blacklisted spammers get charged more (like $5.00). Putting the payment into the authentication transaction between servers will let us continue to use the same client software, with upgrades only to servers run by admins.

That system will discourage spammers, who get us to pay for their abuse, but would have to pay more than their low-yield spams are worth, across thousands of targets. And it will also establish an infrastructure for simple ecommerce. We can turn the debacle of spam into a triumph of distributed postage.

SID is supposed to be the caller ID of email?

If SID is supposed to be the Caller ID of email, then isn't spammers adopting it a GOOD thing? Doesn't that mean that somebody can create a list of the SIDs of spammers, providing a super-effective spam filter for a mail server that only accepts SID identified mail?

Not so surprising

Thats no so surprising really. At best, SPF and other technical solutions can buy us some time while the spammers catch up, but they aren't the silver-bullet that their designers make them out to be. Even the RBLs and bayesian filters only go so far to cure the problem. Such systems only buy us time - in this case maybe 6months or up to a year, as the spammers catch up to the technology and find ways to avoid it. Bear in mind that these people are very well-funded and therefore highly motivated.

With the abundance of "always-on" network connections, and the insecurity of those systems always connected its still easy to generate and send huge quantities of spam.

Not surprised

Who could have imagined, spammers actually adapting their methods to what recent developments in technology allows them to do? Wasn't the idea that every legit user should upgrade their e-mail software to something new, leaving spammers to pound sand..?

I'm not at all impressed by statements that SPF or whatever is just one of many changes needed before we will get rid of junk e-mail. Give us the whole plan at once and let us scrutinize it in detail before deciding whether to employ it; don't hint at a potentially infinite number of steps, disclosed one by one, that need to be taken (each step at substantial cost to the Internet community) before we will eventually reach non-spam nirvana.

Sender Permitted From: It breaks forwarding, we can work around that by rewriting sender addresses at each MTA, but regular users can still send e-mail, and so can the spammers.

Accept only digitally signed messages: We make it really easy to send signed mail, so that not even your grandmother will be left out. Don't worry about the spammers getting a free ride off your labour by using the same tools; they have learned to sign their ads before you start filtering out unsigned messages.

Replace SMTP: Sure, but with what; CMTP (Complex Mail Transfer Protocol)? Will it allow the transmission of mail? Then it will allow the transmission of junk mail, too.

Have the sender pay CPU time for each message: Granted, this probably will cut down on the amount of mail you get, in particular from the vast majority of poor senders out there. Those who have a business incentive to invest in computing power, or won't hesitate to steal CPU time from others, won't suffer as much, but they constitute a minority, just like the spammers do. Remember, it's just one small step towards... something.

Require that no mail must contain the word "viagra" (or any other word in an arbitrarily defined dictionary): Care to put that in an RFC, so that we can have also the MUA refuse to send a message with banned content? I guess spammers will be happy to use precisely those banned words, in order not to have their mail delivered to anybody.

In short, you can add as many components to your junk mail prevention system as you like, but it's not going to get you one bit closer to your goal, unless you focus on what really distinguishes unwanted mail from wanted mail, and invent a mechanism for automatically telling the two apart. Any other step will be a pointless distraction, as it merely begs to be circumvented.

This is well-known

The reason? Spammers are able to publish their own records, too.

From the moment SPF was implemented, people knew that this could happen. SPF doesn't aim to stop spam outright, it aims to HELP stop spam.

First off, if SPF is used, it cuts out 'joe jobs.' I can't send you mail purporting to be from Yahoo through a mass mailer on my desktop, because SPF will catch it.

I see two issues with spam:
a.) Annoying commerical advertisements
b.) The above, sent fraudulently

SPF helps to cut out the second. If spammers send me spam, but do it from their own domain, it's still not hard to block them.

No one (that knew what they were talking about) ever claimed that SPF was a cure-all for spam. All it aimed to do was make spammers stop forging their addresses. And it sounds like it's succeeding.

The only way to stop spam is so simple

We need SMTP whitelisting. It is the ONLY way. The SPF scheme kinda-sorta-maybe promised this idea in a mellow way that didn't seem invasive, but like all the other ineffective anti-spam measures, it has proven to be useless.

We need a responsible central authority to maintain an authoized SMTP relay whitelist - "outbound mail server licenses" per se.

This is the ONLY way. Mark my words. No other solution will EVER work. Anything that comes close is basically a veiled attempt at SMTP whitelisting.

If you want to send e-mail on the Internet, you need to be "licensed". A central authority determines the standards by which you are allowed to be "whitelisted" - other systems on the net can choose to use or not use the RBL/RWL. I for one, would use such a system if it were responsibly maintained.

This is so easy to set up. Take all the DUL IP space and instantly blacklist it, then blacklist based on reports, and then start to require "relay licensing" before you can be whitelisted. It WILL HAPPEN eventually. The question is, how bad do things have to get before this is adopted. It's not a question of "if" but "when". There is NO OTHER WAY. Not a single method has proven more reliable than using relay blacklists. Right now, 95% of spam can be reliably blocked without wasting bandwidth by using RBLs. A whitelist would be even more efficient. I challenge anyone to show me any better way to control spam. There is none.

For those of you reading this that don't understand the mail system, you need to understand one important thing. The spam problem could have been solved years ago. There is a very simple technical/organizational solution. Lobby your ISPs to adopt relay whitelisting and this problem will be gone. The only other method involves getting law enforcement to enforce the laws that spammers break, but I think it's easier for the industry to implement whitelisting than to try to get politicians to enforce the laws.

Want to know what works? Look at who Spammers hate

If you want to know what method works, look at what Spammers are doing. Look at which systems (i.e. osirisoft, spamcop, spamhaus) the spammers are attacking. They are almost exclusively launching attacks at the relay blacklists. This is because this is the one method by which they are SHUT DOWN. Forget legislation. Forget all the other efforts. RBLs work. The next generation is to go from relay blacklisting, to relay-whitelisting.

SPF is redundant and unneeded. Use IP and DNS.

If everybody on the internet stopped running 'hidden' SMTP mailservers and logged them properly with the DNS system, spam would effectively disappear from the internet. By only talking with fellow DNS-verified SMTP servers, you eliminate the bulk of email spam and malware that is spewed by (ususally) 'compromised Windows boxen' [isp-planet.com] and the 'chickenboner' [google.com] blasting out spam from a stolen/throwaway dialup account.

After that, to block, tag, and/or delete the remaing spam would require a comprehensive, multifaceted approach such as the one I came up with. [cf13.com]

I am 'eating my own dog food' [investopedia.com] and using my own software to filter out the junk sent to me at iamcf13@hotpop.com Recently, I got a reminder notice from a website I did business with quite a while back. I got the email because it contained no 'spammy' content. You see, spammers need 'spammy content' to hawk their wares--by filtering with that criteria in mind, it becomes (almost) impossible for spammers to communicate (and computer crackers to spread their malware). The ease of use and the connectivity of the internet via email is taken away from spammers. They can still spam but it will be effectively pointless as it is too inconvenient to 'decode' URLs and email addresses and type them into webbrowsers and email clients for further use--the ultimate aim of email spam laden with HTML, quoted printable content, %s, $s, numbers, URLs, and email addresses. As an added bonus, the computer crackers are silenced by filtering all malware out that come in the form of email attachments, or hostile HTML presented to HTML-aware email clients. By doing this, the spread of malware by email is minimized.

Since this post could be ultimately construed as spam, I offer these closing words:

Good ideas are not adopted automatically. They must be driven into practice with courageous patience.
-- Admiral Hyman G. Rickover [wikipedia.org]

Perhaps the greatest compliment paid to Admiral Rickover is the U. S. Navy submarine that bears his name [wikipedia.org]

When spammers publish, we win

Now that spammers are publishing SPF, it is going to be so much easier to track them down. At the very least, we will be able to deny accepting their email from the start.

Now that more and more email is being authenticated, we can start to say, "Ah, this domain claims responsibility for this email." Now that we can attach a responsible party to each email, we can hold them accountable. At the very least, their reputation as a spammer will be well-known. At the very best, their illegal spams will be detected by law enforcement, and the owner of the domain name will be caught. Oh, they don't have accurate records? Well then the registrar is going to be held accountable. Oh, did they use a stolen credit card to buy the domain? Oh, they bought hundreds or even thousands of domains? When they get caught, which they will, they will never see the outside world again.

This article is pure FUD, and is all wrong. When spammers publish SPF, we have won.

Some ideas

There are many people thinking how to block o avoid to receive spam ... I'm using a antivirus/antispam solution in-a-box called Astaro Security Linux (ASL - www.astaro.com) This solution has a good verification system that everyone should improve ... When an email arrives to the ASL, it can make a lookup for the domain name ... is the domain name exists, it can ask to the domain for the mailbox existence .. However, this technology needs the null-address capabilities turned on in the sender's domain .. It's a good idea too .. ---- I think that SPF and SID are good technologies too ... Another one solution could be the a small dialog between the sender and the destination email server .. When an email arrives to the destination email server, it's send a confirmation message, so, the sender must confirm this message ... The problem here, is the bandwith wasted and the increment of hardware resources uses ... ----- See ya in the Cyberspace ...

Sender ID looks dead to me

Despite being told on /. that MS license is perfectly reasonable and OK, Sender ID looks really dead to me. ASF has rejected it openly allready, and today, Debian followed suit. Courier and Exim folks have also been very clear about it, and while I haven't seen Sendmail folks being that explicit, I wonder if the mentioned implementation is going anywhere.

People have been trying very hard to get MS to understand the issues, but they doesn't seem to get it, and if they don't turn around soon, Sender ID can be buried.

Show me the money!

SID or SPF or SMTP are not designed to eliminate spam. Nor should they be!! When I lived in Washington State I had access to a state law that allowed me to bill spammers for up to $300 per incident for unsolicited email. When I took the time to bill the company being advertised (regardless of who sent the email) I stoped getting spam! True, I never collected a dime but then I really didn't want the money. I was amazed how fast the spam stopped. Within two weeks my daily count of unsolicited email went form >250 to <10. Within a month it was 0 and stayed there until almost a year after I moved to Massechusetts.

What if you could collect $5.00 from your ISP for every message you flagged as SPAM because they billed the advertiser $10.00? "Honey, we got the check from AOL... they're only sending us $45.00 this month!"

On the other hand, if you really want to block email based on the SID then just flag all messages with valid SIDs as spam.

Re:This surprises anyone?

You will be able to send "work email from home" if your company uses SMTP AUTH like it should (or webmail or SMTPS) if your ISP blocks outbound port 25.

Re:This surprises anyone?

So it'll be just like the RBLs we have now, only you won't be able to send work email from home?

SMTP AUTH over SSL/TLS to your work's mail server and you can send all the work e-mail from home you want.

Charles