You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Marc Perkel <ma...@perkel.com> on 2006/12/13 15:21:40 UTC
SPF is hopelessly broken and must die!
Phil Barnett wrote:
> On Tuesday 12 December 2006 07:28, JamesDR wrote:
>
>>> There is nothing in SPF to keep a spammer with a botnet from putting
>>> 0.0.0.0/0 as their approved domain limit.
>>>
>> Sounds like a good spam sign to me. Let the spammers put 0.0.0.0/0 in
>> their spf records, I'll pop in 3 points for good measure.
>>
>
> But, you are making some assumptions at this point and that is the crux of why
> SPF can't work very well.
>
> Say you give points for that one. So, where do you draw the line. Do you give
> points for (for example) 123.0.0.0/8? What if that is someone's legitimate
> domain space?
>
> Bot masters can easily set up SPF addresses that will encompass giant subnets
> of bots. You'll never know where to draw the line.
>
>
Agreed Phil
True - SPF his hopelessly broken and must die.
Repeat after me SPF breaks email forwarding. SRS breaks the ability to
do conditionals based on the true from address. SPF blocks no spam but
it does create false positives on legitimate email. It's a technology
that has no up side at all and a severe down side.
Re: SPF is hopelessly broken and must die!
Posted by Mathias Homann <Ma...@eregion.de>.
Am Donnerstag, 14. Dezember 2006 03:53 schrieb Matt Kettler:
> > Yep - they are using "normal" email technology.
>
> No they're not. They're falsifying mail headers. Something last I
> checked was actually illegal in the united states under CAN-SPAM.
and a russian criminal sitting in litavia, using his botnet spread all
over the world to send out spams which advertize illegal drugs (ask
pfizer) cares about can-spam?
face it, there is small impact in anti-spam laws, unless you go
against the advertizing companies themself instead of the spammers.
bye,
MH
--
gpg key fingerprint: 5F64 4C92 9B77 DE37 D184 C5F9 B013 44E7 27BD
763C
Re: SPF is hopelessly broken and must die!
Posted by Kris Deugau <kd...@vianet.ca>.
Marc Perkel wrote:
>>> SPF blocks no spam but
>>> it does create false positives on legitimate email.
Well, so does any other method of trying to decide if a message is legit
or not. If I work for $company, and $company publishes a restrictive
SPF record, then (presuming the sysadmin is competent) a decision has
been made as to where $company email may originate. I can either
cooperate and send email as designated, or take the risk that my email
does not meet company policy (and therefore may get tagged as spam by my
intended recipient).
For an ISP, I agree that SPF is of very limited use. IMO setting up TLS
and SMTP-AUTH is a *very* small price to pay - once - to enforce company
or personal policies on company or personal email domains respectively.
> It's anti spam technology.
Erm, maybe we're getting into a semantic debate on this point, but SPF,
in and of itself, is not an antispam technology. It's not much use in
positively identifying any great volume of spam except for the
occasional idiot spammer that uses an SMTP sender address from a domain
that has a very restrictive SPF record.
It *is* intended to allow domain owners to specify which systems are
allowed to generate new SMTP traffic using their domain as the SMTP
sender - AKA an anitforgery technology.
> The reason people use it is because spammers
> are forging email addresses.
Hrm. I don't see much of that any more (maybe someone else can point
out some hard numbers?); with cheap throwaway domains it's easy enough
to just use those, and bypass SPF by either not publishing a record, or
publishing a very open SPF record.
> Matt Kettler wrote:
>> That said, your comment about blocking no spam is pure horsehockey. I
>> have plenty of spam matching SPF_FAIL and SPF_SOFTFAIL.
>>
>> I've also have had no FPs from SPF, except websites like hire.net that
>> insist upon forging my domain as the envelope sender when generating
>> emails to my HR staff. Actually, MAIL FROM, RCPT TO, From: and To: are
>> all identical. Brilliant.
>>
> Yep - they are using "normal" email technology.
Er, no; it means that if $thirdpartysite can't deliver a message on my
behalf, *I* get the bounce. This Is Bad. Particularly if it's *my*
receiving server that's temporarily unavailable - the real sender
($thirdpartysender) won't know that I haven't received their message.
Or $thirdpartysender won't be able to send word back to whoever
contacted me through their website that I haven't received the message.
> That's supposed to work.
Er, no; it's just a consequence of SMTP's origins and the changing
Internet landscape. In "The Old Days" (AKA more than about 15 years
ago), spam was rare (never mind spam sent via forged sender).
Anyone that sends email on my behalf, using *my* email address as the
SMTP sender, is someone I'm likely to quit doing business with. In an
extreme case I may decide to drop their SMTP server's IP in my firewall.
> That's what SPF breaks. It also breaks email forwarding.
>
>> And SRS does not break the ability to do conditionals, because the true
>> envelope from address is still a part of the rewritten envelope from.
>> You just need to make your conditionals match the SRS version.
> You have to rewrite all your conditionals to support the broken technology.
Well, yes, any time the technology changes anything that relies on it
has to change. This is new and unusually problematic how, exactly?
(Email transport has not changed significantly in *how* many years now?)
There comes a point where maintaining complete backwards compatibility
is what's *causing* most of the trouble in the first place.
(FWIW, I've yet to understand the delight people take in forwarding mail
all over the place; even without SPF, mail forwarding is prone to
painful and ugly failures. Set up multiple POP accounts feeding a
single inbox and be done with it. IIRC there was one customer here
whose forward destination got truly *horribly* misconfigured for a day
or two, creating 5 or 6-hop mail loops. Mail Loops Are Bad.)
-kgd
Re: SPF is hopelessly broken and must die!
Posted by John Rudd <jr...@ucsc.edu>.
Gino Cerullo wrote:
> On 13-Dec-06, at 12:53 PM, Marc Perkel wrote:
>> Yep - they are using "normal" email technology. That's supposed to
>> work. That's what SPF breaks. It also breaks email forwarding.
>
> I prefer to say "email forwarding breaks SPF" but that's just semantics.
>
> The truth of the matter is that email forwarding makes up less than
> 0.001% of all email so, when it happens its an minute annoyance at best
> since the sender is made aware of the forwarded address and the message
> can be re-sent.
What percentage of email is forwarded is going to be highly site
specific. For example, at my site, it's very much heavier than .001%,
which means problems caused by SPF and interfering with forwarding
become more than "minute annoyances".
Re: SPF is hopelessly broken and must die!
Posted by Gino Cerullo <gc...@pixelpointstudios.com>.
On 13-Dec-06, at 12:53 PM, Marc Perkel wrote:
>> Mark, SPF isn't an anti-spam technology. Anyone who says it is, is an
>> imbecile. SPF is an anti-forgery technology. Those who continue to
>> think
>> of SPF purely as a spam control technology are doomed to be
>> disappointed
>> and/or endlessly make posts like "SPF can be evaded by spammers, they
>> just publish their own SPF". Duh.
>>
> It's anti spam technology. The reason people use it is because
> spammers are forging email addresses.
Just because YOU say it, doesn't make it so. Everybody who
understands SPF knows what it is.
>> That said, your comment about blocking no spam is pure horsehockey. I
>> have plenty of spam matching SPF_FAIL and SPF_SOFTFAIL.
>>
>> I've also have had no FPs from SPF, except websites like hire.net
>> that
>> insist upon forging my domain as the envelope sender when generating
>> emails to my HR staff. Actually, MAIL FROM, RCPT TO, From: and To:
>> are
>> all identical. Brilliant.
>>
> Yep - they are using "normal" email technology. That's supposed to
> work. That's what SPF breaks. It also breaks email forwarding.
I prefer to say "email forwarding breaks SPF" but that's just semantics.
The truth of the matter is that email forwarding makes up less than
0.001% of all email so, when it happens its an minute annoyance at
best since the sender is made aware of the forwarded address and the
message can be re-sent.
>> And SRS does not break the ability to do conditionals, because the
>> true
>> envelope from address is still a part of the rewritten envelope from.
>> You just need to make your conditionals match the SRS version.
> You have to rewrite all your conditionals to support the broken
> technology.
--
Gino Cerullo
Pixel Point Studios
21 Chesham Drive
Toronto, ON M3M 1W6
416-247-7740
This email address protect by SPF! Want to protect your domain's
email from forgery? Visit openspf.org
Re: SPF is hopelessly broken and must die!
Posted by Matt Kettler <mk...@verizon.net>.
Marc Perkel wrote:
>
>
> Matt Kettler wrote:
>>
>> Mark, SPF isn't an anti-spam technology. Anyone who says it is, is an
>> imbecile. SPF is an anti-forgery technology. Those who continue to think
>> of SPF purely as a spam control technology are doomed to be disappointed
>> and/or endlessly make posts like "SPF can be evaded by spammers, they
>> just publish their own SPF". Duh.
>>
> It's anti spam technology. The reason people use it is because
> spammers are forging email addresses.
No, it's an anti-forgery technology that people use because spammers are
forging email addresses.
It is an anti-forgery technology that has relevance to spam control, but
this does not change the basic fact that it is NOT an anti-spam
technology. It is anti-forgery. Period. Again, anyone who thinks
otherwise is doomed to be disapointed because they missed the actual
point of SPF.
Let's face it, the fact that SPF currently works as a spam control
method is purely a byproduct of spammer's current habits.
Spammers can simply adapt and start using their own domains to send
from. Fortunately, that would make doing things like RBL'ing on the
domain in the From: address practical. However, again, that's a
byproduct. In the long run, SPF looses any value as an anti-spam
technology, but does create a new one as a spinoff.
In the long term, SPF has by far more implications on phishing, viruses,
and other things that are dependent on forgery for social engineering
reasons.
>> That said, your comment about blocking no spam is pure horsehockey. I
>> have plenty of spam matching SPF_FAIL and SPF_SOFTFAIL.
>>
>> I've also have had no FPs from SPF, except websites like hire.net that
>> insist upon forging my domain as the envelope sender when generating
>> emails to my HR staff. Actually, MAIL FROM, RCPT TO, From: and To: are
>> all identical. Brilliant.
>>
> Yep - they are using "normal" email technology.
No they're not. They're falsifying mail headers. Something last I
checked was actually illegal in the united states under CAN-SPAM.
> That's supposed to work. That's what SPF breaks.
Good.
> It also breaks email forwarding.
No it doesn't.. besides, mail forwarding is a "broken by design" technology.
>
>> And SRS does not break the ability to do conditionals, because the true
>> envelope from address is still a part of the rewritten envelope from.
>> You just need to make your conditionals match the SRS version.
>>
>>
>>
>
> You have to rewrite all your conditionals to support the broken
> technology.
No, you have to rewrite all your conditionals to support the fix for the
broken technology of mail forwarding.
Re: SPF is hopelessly broken and must die!
Posted by Marc Perkel <ma...@perkel.com>.
Matt Kettler wrote:
> Marc Perkel wrote:
>
>>
>>
>>>
>>>
>> Agreed Phil
>>
>> True - SPF his hopelessly broken and must die.
>>
>> Repeat after me SPF breaks email forwarding. SRS breaks the ability to
>> do conditionals based on the true from address. SPF blocks no spam but
>> it does create false positives on legitimate email. It's a technology
>> that has no up side at all and a severe down side.
>>
>
> Mark, SPF isn't an anti-spam technology. Anyone who says it is, is an
> imbecile. SPF is an anti-forgery technology. Those who continue to think
> of SPF purely as a spam control technology are doomed to be disappointed
> and/or endlessly make posts like "SPF can be evaded by spammers, they
> just publish their own SPF". Duh.
>
It's anti spam technology. The reason people use it is because spammers
are forging email addresses.
> That said, your comment about blocking no spam is pure horsehockey. I
> have plenty of spam matching SPF_FAIL and SPF_SOFTFAIL.
>
> I've also have had no FPs from SPF, except websites like hire.net that
> insist upon forging my domain as the envelope sender when generating
> emails to my HR staff. Actually, MAIL FROM, RCPT TO, From: and To: are
> all identical. Brilliant.
>
Yep - they are using "normal" email technology. That's supposed to work.
That's what SPF breaks. It also breaks email forwarding.
> And SRS does not break the ability to do conditionals, because the true
> envelope from address is still a part of the rewritten envelope from.
> You just need to make your conditionals match the SRS version.
>
>
>
You have to rewrite all your conditionals to support the broken technology.
Re: SPF is hopelessly broken and must die!
Posted by Matt Kettler <mk...@verizon.net>.
Marc Perkel wrote:
>
>>
> Agreed Phil
>
> True - SPF his hopelessly broken and must die.
>
> Repeat after me SPF breaks email forwarding. SRS breaks the ability to
> do conditionals based on the true from address. SPF blocks no spam but
> it does create false positives on legitimate email. It's a technology
> that has no up side at all and a severe down side.
Mark, SPF isn't an anti-spam technology. Anyone who says it is, is an
imbecile. SPF is an anti-forgery technology. Those who continue to think
of SPF purely as a spam control technology are doomed to be disappointed
and/or endlessly make posts like "SPF can be evaded by spammers, they
just publish their own SPF". Duh.
That said, your comment about blocking no spam is pure horsehockey. I
have plenty of spam matching SPF_FAIL and SPF_SOFTFAIL.
I've also have had no FPs from SPF, except websites like hire.net that
insist upon forging my domain as the envelope sender when generating
emails to my HR staff. Actually, MAIL FROM, RCPT TO, From: and To: are
all identical. Brilliant.
And SRS does not break the ability to do conditionals, because the true
envelope from address is still a part of the rewritten envelope from.
You just need to make your conditionals match the SRS version.
Re: SPF is hopelessly broken and must die!
Posted by Gino Cerullo <gc...@pixelpointstudios.com>.
On 13-Dec-06, at 1:15 PM, Marc Perkel wrote:
> robb@unrealstyle.com wrote:
>> Sounds good,
>>
>> I found this an interesting read about why SPF is ineffective:
>>
>> http://en.hakin9.org/products/articleInfo/102
>>
>
> Excellent article.
>
> SPF catches no spam - but does create false positives. It's less
> than useless. It's dangerous.
That article, at best, disseminates incomplete and outdated
information and at worst, completely false statements.
"Why SPF is bad"
"SPF is supposed to protect against sender address forgery. It
protects only the envelope sender address, not the From: header
address. Mail User Agents such as Outlook Express display only the
unprotected address. Therefore the users are still fooled and
unprotected against joe-jobs, forgery, phishing and various scams."
SPF wasn't designed with MUA in mind. It was designed for use at the
MTA level to block email before DATA. What's the use of accepting
the email only to have the MUA query DNS to determine if it passes
SPF checks. To that end there is nothing stopping the developers of
MUAs from incorporating that functionality in the MUA and flagging
messages based on SPF. The recipient does not need to see the
'envelope sender' address.
"SPF is supposed to protect against spam. A 2004 CipherTrust survey
shows that more mail comes to SPF-protected servers from domains with
SPF records, than from domains with no such records. Spammers have
adopted SPF and are using it even more than legitimate sites to
ensure spam delivery to mailbox."
Citing a study that is over two years old, that was published when
the first stable draft of the SPF spec was only months old is hardly
evidence of a greater trend in regard to the deployment of the
protocol. In my own actual experience, after running an SPF aware
mailer server for a year less than 1 in 100 000 emails have scored an
SPF PASS and been spam.
"SPF breaks many Internet standards. It does not take into
consideration pre-delivery forwarding (and a scheme called SRS
adopted to counteract this is far from perfect). It is based on a
vulnerable protocol (DNS), which makes it easy to spoof SPF records."
Email forwarding is not a standard, it is a feature; used by less
than 0.01% of email users. As well the resulting bounce email informs
the sender of the address that is being forwarded to so the sender
merely has to resend the message. Yes the Internet is built on an
fragile infrastructure that does not take into account the realities
we face today. So we adapt! That is what SPF is all about, adapting
to the realities of today. Also, the DNS protocol is not as
vulnerable as the author makes it out to be, otherwise the Internet
wouldn't be useable at all.
Listen, I can go on and on about that article but you get the point.
It goes on to propose inappropriate uses for SPF and then uses that
to justify why the protocol is flawed. It proposes scenarios that
have no bases in fact and uses those to try and prove the
ineffectiveness of the protocol. Just because someone writes an
article, one lacking any real evidence and citing an ancient study,
doesn't make it true.
--
Gino Cerullo
Pixel Point Studios
21 Chesham Drive
Toronto, ON M3M 1W6
416-247-7740
This email address protect by SPF! Want to protect your domain's
email from forgery? Visit openspf.org
Re: SPF is hopelessly broken and must die!
Posted by Robert Blayzor <rb...@inoc.net>.
Marc Perkel wrote:
> SPF catches no spam - but does create false positives. It's less than
> useless. It's dangerous.
SPF's job is not to catch spam, period! No matter how many times you
claim it's supposed to "catch spam", you could never be more wrong.
It's sole purpose is to allow domain owners to publish valid mail
sources for their domains. That's it's *only* purpose. How and what
you decide to do with that published information from the TXT records is
totally up to the receiver.
--
Robert Blayzor, BOFH
INOC, LLC
rblayzor\@(inoc.net|gmail.com)
PGP: 0x66F90BFC @ http://pgp.mit.edu
Key fingerprint = 6296 F715 038B 44C1 2720 292A 8580 500E 66F9 0BFC
State-of-the-art: What we could do with enough money.
Re: SPF is hopelessly broken and must die!
Posted by Marc Perkel <ma...@perkel.com>.
robb@unrealstyle.com wrote:
> Sounds good,
>
> I found this an interesting read about why SPF is ineffective:
>
> http://en.hakin9.org/products/articleInfo/102
>
Excellent article.
SPF catches no spam - but does create false positives. It's less than
useless. It's dangerous.
Re: SPF is hopelessly broken and must die!
Posted by ro...@unrealstyle.com.
Sounds good,
I found this an interesting read about why SPF is ineffective:
http://en.hakin9.org/products/articleInfo/102
Quoting Kelson <ke...@speed.net>:
> Resending this since I originally sent it from a misconfigured client
> (forgot to enable SMTP-AUTH, but POP-before-SMTP let it through) and
> got labeled as spam by my own server...
>
> Repeat after me: SPF is not an anti-spam solution. It is an address
> validation solution.
>
> If a spammer puts 0.0.0.0/0 in his SPF record, or creates one that
> covers an entire botnet, great! When you get that spam, you know with
> 100% certainty that it really came from spammersdomain.com, and you can
> feel safe in blacklisting that domain.
>
> Similarly, if a legit domain sets up a tight enough SPF record, you can
> whitelist the combination of that domain with an SPF pass (i.e. SA's
> whitelist_from_spf).
>
> Don't think of SPF as a magic bullet. Think of it as one more piece of
> evidence you can use for building your case.
>
> From that standpoint, there's nothing wrong with setting up rules based
> on the breadth of an SPF record. Just treat them like any other SA
> rule, like whether the From: line has a name, or whether the subject is
> missing vowels, etc. Some legit mail is HTML (sorry, it's true). Some
> legit mail has no name in the From line. Some legit mail even consists
> of a mostly-numeric sender with no name, an image attachment, and not
> much else. (Ever seen someone send an image from a camera phone to an
> email address?) But we still use rules that track those traits
> because, when combined with other rules and a balanced score set, they
> help classify mail.
>
> --
> Kelson Vibber
> SpeedGate Communications <www.speed.net>
Re: SPF is hopelessly broken and must die!
Posted by Kelson <ke...@speed.net>.
Resending this since I originally sent it from a misconfigured client
(forgot to enable SMTP-AUTH, but POP-before-SMTP let it through) and got
labeled as spam by my own server...
Repeat after me: SPF is not an anti-spam solution. It is an address
validation solution.
If a spammer puts 0.0.0.0/0 in his SPF record, or creates one that
covers an entire botnet, great! When you get that spam, you know with
100% certainty that it really came from spammersdomain.com, and you can
feel safe in blacklisting that domain.
Similarly, if a legit domain sets up a tight enough SPF record, you can
whitelist the combination of that domain with an SPF pass (i.e. SA's
whitelist_from_spf).
Don't think of SPF as a magic bullet. Think of it as one more piece of
evidence you can use for building your case.
From that standpoint, there's nothing wrong with setting up rules based
on the breadth of an SPF record. Just treat them like any other SA
rule, like whether the From: line has a name, or whether the subject is
missing vowels, etc. Some legit mail is HTML (sorry, it's true). Some
legit mail has no name in the From line. Some legit mail even consists
of a mostly-numeric sender with no name, an image attachment, and not
much else. (Ever seen someone send an image from a camera phone to an
email address?) But we still use rules that track those traits because,
when combined with other rules and a balanced score set, they help
classify mail.
--
Kelson Vibber
SpeedGate Communications <www.speed.net>
Re: SPF is hopelessly broken and must die!
Posted by j o a r <jo...@joar.com>.
On 13 dec 2006, at 15.21, Marc Perkel wrote:
> True - SPF his hopelessly broken and must die.
Not so. It does exactly what it sets out to do. That it allows you to
specify that messages for fraud.com can be sent from any IP-address,
doesn't change the fact that it's a very concrete advantage to be
able to know that a message from mybank.com actually is from MyBank,
and no one else.
Note that SP in SPF stands for "Sender Policy" - The sender (domain
owner) sets the policy, and only the sender is affected. Receivers
should respect the sender policy - Why shouldn't they? - but if they
don't want to, they're free to ignore it.
> Repeat after me SPF breaks email forwarding.
You claim that SPF is broken, but think that classic, "dumb", email
forwarding isn't?
How would you stop forgeries and still allow classic email
forwarding? What is the biggest problem: Allowing forgeries, or
breaking forwarding? Before you answer, consider that it's up to the
domain owner to decide, so you can have it either way. How can this
be a problem?
I use SPF primarily because it allows me to prevent and detect
forgeries for my own domains. I'm not going to allow forwarding, as
long as it creates a loop hole for forgeries. Simple as that. I've
had zero complaints from my users.
j o a r
Re: SPF is hopelessly broken and must die!
Posted by Gino Cerullo <gc...@pixelpointstudios.com>.
What many of you fail to realize is that although SPF was originally
envisioned as an anti-spam tool, because it dealt with a major
characteristic of spam, address forgery, it is in fact a domain
verification tool.
With that in mind, it becomes irrelevant whether spammers publish SPF
policies or not; or if they do, that it covers the entire range of IP
addresses on the planet.
Why?
Because, if every *legitimate* domain owner published an SPF policy
for their domain and every mail server was SPF aware, it becomes
trivial to identify the bad domains and they become that much easier
to deal with.
By publishing an SPF policy for your domain you prevent your domain
from being abused.
Of course this requires the co-operation of everyone and we're not
there yet. Every legitimate domain does not have an SPF policy and
every mail server is not SPF aware but we're getting there.
Now some of you bring up the case of DDOS attacks caused by
backscatter. Listen, there is no profit in DDOS attacks. Spammers
don't make money by taking down mail servers and those interested in
using DDOS attacks to disrupt networks already have enough tools at
their disposal, one more isn't going to make much of a difference in
the grand scheme of things. Spammers only make money if they sell
something.
For those of you who keep harping on the "SPF breaks forwarding"
issue (Marc). When I say "SPF aware mail servers," I mean mailer
servers that support SRS so that becomes a non issue. But, let's look
at the present situation we are faced with even today where most mail
servers don't support SRS. Even when you send an email to someone who
has forwarded their email and it is later bounced, you're made aware
of the email address that the original is being forwarded to so you
can just resend the message to the other address. Since this probably
affects about 0.01% of all email, I've only ever experienced it once
myself, it's only a minute annoyance.
From a Spamassassin point of view, SPF is very effect at assisting
in what Spamassassin is designed to do. Evaluate email based on the
characteristics of the contents of its header as well as the contents
of its body. It the case of the header, SPF is very effect at
contributing to the score of as well as for whitelisting purposes.
For the record, in the one year that my email server has been SPF
aware I've only ever seen one (1) junk email with an SPF PASS. That
is about 0.001% of the total email that has been sent to my server.
On the other hand, about 10% of legitimate email sent to my server
are verified with an SPF PASS (and it's growing all the time) and
I've never had a false positive, no legitimate email has been blocked
as a result of SPF.
Marc, if you really have legitimate concerns about SPF, why don't you
take them to the SPF Discuss mailing list where they belong. If they
are in fact legitimate, then that's the place to discuss them.
To subscribe to the list send an email to subscribe-spf-
discuss@v2.listbox.com
--
Gino Cerullo
Pixel Point Studios
21 Chesham Drive
Toronto, ON M3M 1W6
416-247-7740
This email address protect by SPF! Want to protect your domain's
email from forgery? Visit openspf.org
RE: SPF is hopelessly broken and must die!
Posted by "Michele Neylon :: Blacknight" <mi...@blacknight.ie>.
Marc
While you may be entitled to your opinion some people may read this list's
archives and think that your _opinion_ were actually fact.
Your statement is obviously based on a complete misunderstanding of SPF -
what it's even got to do with the SA users list is another matter ...
Regards
Michele
Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.ie/
http://blog.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59 9183072
UK: 0870 163 0607
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 59 9164239