<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
</head>
<body bgcolor="#ffffff" text="#000000">
<font face="Arial">There were requests at the antispam BoF that we
share our experinces and best practices. Here are my comments on Sender
Policy Framework.<br>
<br>
In a nutshell - SPF is a system whereby a domain administrator is able
to define a list of the servers designated to send mail for the domain.
The reason that this is neccessary is that the original SMTP protocol
has no way of verifying the MAIL-FROM header that is transmitted during
the SMTP transaction.<br>
<br>
There are two things that SPF is trying to mitigate:<br>
The forgery or spoofing of mail from trusted domain names like banks
and government organisations.<br>
And preventing spammers from diguising their mail as originating from
other domains.<br>
<br>
The first issue is obviously very important in terms of phishing
attacks and other kinds of fraud. And SPF has been successful in
preventing some of the phishing scams that have occurred around the
world.<br>
<br>
In the second case - I am experiencing more and more spam runs where
the spammers are targetting one domain name as the forged source of the
mail and then sending out thousands of mail. Although this does not
produce spam directly there are often thousands of messages that fail
to deliver and all the "message delivery failure" messages then get
sent to the forged domain. This can cause thousands of emails to arrive
at a mail server in a matter of minutes. This is a concern for African
operators due to the costs of bandwidth and it can force mail servers
into DoS.<br>
<br>
There are two aspects of SPF:<br>
The filtering of incoming mail. This requires patches or changes to the
configuration on many MTA's. On my MTA's SPF filtering currently
accounts for approximately 1% of the mail that is rejected by my server.<br>
<br>
The SPF setup for the sending side of the process simply involves
writting one extra record into the DNS zone of each domain. This is a
relatively quick and simple process (taking less than an hour in
general) and produces huge benefits for the amount of effort required.<br>
<br>
There are a number of large operators that have implemented SPF
(including gmail). Although there are also many servers that do not yet
filter based on SPF records, it has now reached a critical mass whereby
it is generally not viable for a spammer to spoof an SPF protected
domain. If a domain is being the subject of a spoofing attack and an
SPF record is implemented then the spoofing attacks very often subside
in less than 3 weeks.<br>
<br>
It is important however to note that SPF is not specifically a spam
prevention technique. There are spammers who are now registering
'throw-away' domains that they publish SPF records for and then use
these as the source address for their messages. SPF does however close
a major loophole in the SMTP specification and prevents abuse of the
mail system.<br>
<br>
More details can be found on the SPF website <a class="moz-txt-link-freetext" href="http://www.openspf.org">http://www.openspf.org</a><br>
<br>
I'd be happy to respond to questions or comments on the list.<br>
<br>
regards<br>
Graham Beneke<br>
</font>
</body>
</html>