On Wed, 2005-05-18 at 16:08 +0200, Andre Oppermann wrote:
Juerg Reimann wrote:
To whom it may concern...
I've run a little test whether Swiss ISPs use SPF or not and it turned out that very few have actually implemented it (actually, I found not a single one). Is there a reason for that? It's a very simple implementation and it could prevent a lot of damage like the most recent one after Sober.Q.
SPF is broken by design.
URL/ref/explanation/fulltext/elaborate?
It indeed does not stop spam, it does (partially) stop faking your source email domain, which could partially stop virus spreads, but that would require that a large part (>75%) of the globe is using it. No check somewhere -> does not work.
I personally would like to see every SMTP box checking that mails are signed per PGP, but that implies other problems too I guess... deployment is the first thing and that other thing called PKI seems to be a long long way on the road to oblivion too.
I would suggest ISPs should implement SPF quickly and talk to their customers about it. (See http://spf.pobox.com/ for further information.)
How about you start with your domain and your users first and then report back how it went and what problems you encountered? Lead us the way!
Well, there is an SPFv1 record on his domain: jworld.ch TXT "v=spf1 ip4:66.150.163.128/26 ip4:82.195.224.240 ~all"
But that ends in a ~all, thus basically the last Sober.Q runs (I assume he means that German propaganda crap of the last couple of days) would not have been 'stopped' because of the above. The "~all" would simply mean a softfail, thus the box will accept it, though maybe some spamcheck engine might choose to add some points to the spamscore because of it.
The point why I don't have SPF stuff on my domains is simple: IPv6 is not supported well enough, read: it is defined ambiguously and most likely the few boxes that have SPF checking installed won't understand the ip6 directive, thus when sending mail from a domain with the ip6 directive and -all, mail is most likely to end up in nothingness, which is not what one wants, and ~all is simply not adequate.
If the above concern were gone, which will take quite some time, I might add it, as it would save getting my addy used to spam a large number of the ISPs who do check it. Getting those bounces is just a bit annoying even if they end up in the spam folder.
Greets, Jeroen
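To make the ~all versus -all distinction and the ip6 handling discussed above concrete, here is an added example (not code from this thread or from any SPF implementation): a minimal evaluator for the ip4, ip6 and all mechanisms, run against the jworld.ch record quoted in the thread. A checker that meets a mechanism it does not understand returns permerror, as the SPF specification requires.

```python
import ipaddress

# The SPFv1 record quoted in the thread for jworld.ch (sample input for this example).
JWORLD_SPF = "v=spf1 ip4:66.150.163.128/26 ip4:82.195.224.240 ~all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Evaluate a minimal SPFv1 record against the connecting IP.

    Only the ip4, ip6 and all mechanisms are implemented. Any other term
    (a, mx, include, redirect, ...) yields "permerror", which is what a
    checker must return for a term it does not understand. Returns one of
    pass / fail / softfail / neutral / none / permerror.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPFv1 record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass" on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            # "all" always matches; its qualifier decides ~all vs -all
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address or prefix
            if net.version != (4 if name == "ip4" else 6):
                return "permerror"  # ip4: with an IPv6 argument or vice versa
            # ip4 only matches IPv4 senders, ip6 only IPv6 senders
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        return "permerror"  # unknown mechanism or modifier
    return "neutral"  # no mechanism matched and there was no "all" term
```

With the record as published, a sender outside the two ip4 ranges gets softfail, so the receiving box accepts the message; only with -all does the same sender get a hard fail.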