W3C home > Mailing lists > Public > public-usable-authentication@w3.org > June 2006

Re: Why SPF and DK are not being used

From: Chris Drake <christopher@pobox.com>
Date: Sat, 17 Jun 2006 14:49:41 +1000
Message-ID: <1763353892.20060617144941@pobox.com>
To: "James A. Donald" <jamesd@echeque.com>
CC: practicalsecurity@hbarel.com, public-usable-authentication@w3.org

Hi James,

SpamAssassin is probably the most widespread filter deployed, and it
uses SPF for sure (probably DK too I think).  The two most effective
commercial solutions (Brightmail and the other one - I forget it's
name right now) both feed from SPF information as well - so even
though you might *think* nobody's using SPF - in reality - almost
everyone is using it, as part of their spam scoring systems.

You're not wrong though - all authentication schemes are being
actively avoided by every responsible ISP, because when they activate
these schemes - they find they they are preventing their own customers
from being able to get emails through to recipients.  If an ISPs
customer wants to sned an email form their own address when not
using the ISP's mail server - it's going to get rejected if the ISP
has SPF etc in place (unless the customer knows how to use SRS).  As a
responsible ISP - ensuring your own customer emails reach their target
is a much higher priority than helping to stop random strangers who
are not your customers from receiving spam that forged the ISPs
domain.  Why would anyone in their right mind do harm to their
*customers* in order to help **strangers**???   THAT's the reason none
of this stuff is widely deployed - it's got little to do with filter

Spammers made email annoying.  Anti-Spammers have made email
unreliable.  The latter have done significantly more harm than the

Kind Regards,
Chris Drake

Saturday, June 17, 2006, 1:34:02 PM, you wrote:

JAD>      --
JAD> Why SPF and DK are not being used:

JAD> Obviously, domains have no incentive to use SPF and/or
JAD> DK unless email recipients filter on SPF and DK

JAD> But users do not.

JAD> Largely because they cannot.  There are no filter tools
JAD> that make good use of SPF and DK information.  There are
JAD> filter tools, but they are research demonstrations,
JAD> rather than actually useful in reducing the spam in my
JAD> inbox.

JAD> What the filter should do, is as part of Bayesian
JAD> filtering, observe that some messages get marked as
JAD> spam, and others as ham, and conclude that if some mail
JAD> that provably arrives from certain domains is ham, all
JAD> mail that provably arrives from those domains is
JAD> probably ham, generating a list of known good domains
JAD> which it then uses to guess which emails are ham.   It
JAD> should also observe what domains usually provide
JAD> evidence that email came from the domain it appeared to
JAD> come from, and conclude that email without such
JAD> evidence, purportedly coming from a domain that usually
JAD> provides such evidence, is probably forged, therefore
JAD> probably spam.  SPF and DK information needs to be
JAD> integrated with all other available information for
JAD> filtering mail.

JAD> The widespread deployment of such filters would give
JAD> mail server administrators reason to support SPF and DK.
JAD> They would DK their outgoing mail in order to get their
JAD> domain on the known good list. At present they have no
JAD> such incentive, and so are not supporting SPF or DK.

JAD>      --digsig
JAD>           James A. Donald
JAD>       6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
JAD>       CAbCqOSgym8Up02XNnb1alzFW4VBYsBpa/7xjkfS
JAD>       4pjb+C/KVowMqXdI49IgPIpZ4kB3ulWsslp3qz+jm
Received on Saturday, 17 June 2006 04:49:57 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 19:53:15 UTC