Posted to users@spamassassin.apache.org by Dan Herbon <sp...@fbchomeloans.com> on 2006/12/14 16:18:54 UTC

RE: SPF is hopelessly broken and must die! LET THE THREAD DIE!

Can we just let this thread die already! No matter how many times it's
stated that SPF isn't anti-spam technology, Marc will come back stating that
it is and it's broken and it sucks.

 

Just let it die! Please! I keep getting the feeling that as soon as the
thread is dead it's purposely sparked back up with another pointless rant
that hasn't already been covered in this useless thread.

 

Can we get back to SpamAssassin threads! Please!

 

  _____  

From: Marc Perkel [mailto:marc@perkel.com] 
Sent: Thursday, December 14, 2006 10:07 AM
To: Matt Kettler
Cc: users@spamassassin.apache.org
Subject: Re: SPF is hopelessly broken and must die!

 



Matt Kettler wrote: 

Marc Perkel wrote:
  

From openspf.org
 
http://old.openspf.org/aspen.html
 
    

Marc, this link is not describing SPF as an anti-spam technology. It's
describing how SPF can be coupled with an accreditation service to
create an anti-spam technology.
  

It was marketed as anti-spam. Now they are hiding from that because it's
useless in fighting spam.




 
Nobody's saying SPF has no use in anti-spam, it has some uses when
combined with the right tools. However, fundamentally, SPF by itself is
not an anti-spam technology. Any spam control resulting from using SPF
by itself is purely due to careless and/or clueless spammers who could
easily avoid being blocked by SPF.
 
  

I'm saying it has no use in anti-spam because you have to give up email
forwarding to make it work.




SPF is useful for:
 
1) Forgery control - most notably in social engineering attacks,
phishing and viruses.
  

Not really - because it treats forwarded emails that come from servers that
don't use SRS (normal forwards) as forgeries.



 
2) Whitelisting - Using SPF to verify the proper servers for an
otherwise domain-based whitelist is a potent tool for domains you trust.
Compared with simple from-domain based whitelisting it resists forgery.
Compared to from-domain + IP or RDNS domain, SPF whitelisting allows your
whitelist to automatically adapt to changes in their networks, while
still offering equal forgery resistance.
  

Since spammers can just as easily use SPF on their domains, they can
whitelist themselves if you use SPF for whitelisting.




 
3) Squashing purely stupid spammers. They can easily avoid it, but some
spammers can't help themselves. (Just like the ones who keep using your
own servername as a HELO. This is trivial to filter on, trivial to
modify a spam tool to avoid the filter, yet so many spammers still do it.)
  

That has nothing to do with SPF. I'm doing that now with a simple Exim rule.




 
SPF may be useful in spam control, but it's not a particularly powerful
anti-spam tool, nor is spam control SPF's best feature/application.
  

I'm still waiting for anyone to describe any use for SPF that doesn't
create false positives on normal email forwarding or allow spammers to
whitelist themselves by using correct SPF to send spams.




 
Unfortunately, many proponents of SPF like to hawk #3 like it's the
primary point of SPF. Personally I view this as over-hyping the
technology in an attempt to gain press and improve adoption.
 
(And before you jump on them for such things, at least be self-aware
enough to realize you're one of the strongest over-sensationalists on
the entire Internet that is not employed by Microsoft, SCO, or a
spammer. Over-sensationalizing isn't always a bad thing, sometimes it is
a means to an end. Sometimes your bold over-hype is a catalyst for
discussion that results in useful ideas. Their over-hype might get folks
to adopt a useful technology, even if they end up later discovering it's
more useful for other things.)
  


But SPF is not a means to an end. It was a worthy attempt but it failed. The
basic concept is flawed because it relies on the whole world adopting SRS to
be at least not broken and even then it doesn't really do anything
significant. And the reality is that the world is not going to implement SRS
for the marginal benefits of SPF. 

What we need is a new technology that is compatible with existing systems
that actually works. SPF is sucking up attention when what they should do is
admit failure. Put the idea to death, and move on to something that actually
works. 

I've had a lot of ideas in the past that have gone nowhere, and when I
figure out that I'm on the wrong track I give it up and try something else.
SPF was a good attempt. I spent a lot of time fooling with it to come up
with anything that would be at least marginally useful and it's just an idea
that's not going anywhere. 

It's being kept alive artificially. They themselves know that it's broken
because they are now running away from the spam solution label the way Bush
is running away from "mission accomplished". I say it's time to pull the
feeding tube and let SPF die. It was a noble cause but it just plain doesn't
work and it's time to move on to something that does.
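The two claims argued above (that SPF treats un-rewritten forwards as forgeries, and that an SPF-verified whitelist is only as good as the list of domains you choose to trust) can be checked mechanically. The following is an added illustration, not code from this thread or from any SPF implementation: it evaluates a toy SPF subset (ip4 mechanisms and -all only) against a constructed DNS table, with hypothetical domains, addresses and a simplified SRS format.

```python
import ipaddress

# Constructed fake DNS: domain -> SPF record. Only "ip4:" mechanisms and
# "-all" are modelled, a small subset of real SPF.
SPF_RECORDS = {
    "bank.example":      "v=spf1 ip4:192.0.2.0/24 -all",
    "forwarder.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "spammer.example":   "v=spf1 ip4:203.0.113.0/24 -all",
}
# Domains this receiving site has chosen to trust (hypothetical).
TRUSTED_DOMAINS = {"bank.example"}


def sender_domain(mail_from):
    """Domain part of the envelope sender (MAIL FROM), lower-cased."""
    return mail_from.rsplit("@", 1)[-1].lower()


def spf_check(sender_ip, mail_from):
    """Evaluate the envelope sender's SPF record against the connecting IP."""
    record = SPF_RECORDS.get(sender_domain(mail_from))
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:          # skip the "v=spf1" tag
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:]):
            return "pass"
        if term == "-all":
            return "fail"
    return "neutral"


def srs_rewrite(mail_from, forwarder_domain):
    """Simplified SRS: the forwarder puts itself in the envelope sender so
    the next hop's SPF check runs against the forwarder's record (the real
    SRS0 format carries a hash and timestamp; 'HHH' and 'TT' stand in here)."""
    local, domain = mail_from.rsplit("@", 1)
    return f"SRS0=HHH=TT={domain}={local}@{forwarder_domain}"


def whitelisted_by_from_domain(mail_from):
    """Naive whitelist: trusts whatever domain the envelope sender claims."""
    return sender_domain(mail_from) in TRUSTED_DOMAINS


def whitelisted_by_spf(sender_ip, mail_from):
    """SPF-verified whitelist: the domain must be one we trust AND the
    connecting IP must be authorised by that domain's SPF record. A spammer's
    own valid SPF record therefore does not get them onto this list."""
    return (sender_domain(mail_from) in TRUSTED_DOMAINS
            and spf_check(sender_ip, mail_from) == "pass")
```

A plain forward from 198.51.100.7 without SRS fails exactly like a forgery would, which is the false positive discussed above; with the SRS rewrite it passes, though against forwarder.example rather than bank.example, so the trusted-domain whitelist no longer applies to it.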