Thus spake R.A. Hettinga (rah@shipwright.com) [11/11/04 16:29]: : Several executives and academics speaking at a forum sponsored by the : Federal Trade Commission said criminals are already steps ahead of a major : initiative by e-mail providers to counter those problems by creating a : system to verify senders of e-mail. : : In theory, such an authentication system would make it harder for spammers : to disguise their identities and locations in an attempt to avoid being : shut down or prosecuted. (Having watched the IETF group for a while, and spent much time fighting spam...) No person who is pushing for SPF believes that it will reduce the volume of spam.[1] What SPF *does* do is make it easier to track it down -- the From address will actually match the domain it was sent from. This makes the Abuse department's job *much* easier, as in theory, any spam complaint you receive about your domain will be *from* your domain. While this doesn't always mean you have a spammer in your midst, it /does/ mean that the piece of mail in question /did/ come from your networks, hence it is something you can track down without worry about wasting time that would be better spent elsewhere. Arguably, this doesn't gain the anti-spam fighters anything, as the spam still comes from somewhere. But if you lay out the seriousness of the problem to your subscriber, the chances of a repeat offense (which, ideally, would result in account termination) drop to very close to zero. This is also something that ISPs can combat internally, such as forcing SMTP authentication (which, granted, opens up a whole other bucket of worms), not allowing outbound SMTP connections (unless explicitly granted), or having only a web interface to e-mail (thus blocking all outbound SMTP connects, even to their own mail servers, period). The 'criminals' aren't necessarily 'steps ahead' -- they're just working within the SPF framework, and doing exactly what SPF wanted them to do. SPF is *one* step towards limiting the volume of spam, but it in and of itself does not. There are a great number of other tools that, when combined with SPF, can and do make a difference in the spam volume being sent. Yes, each tool has drawbacks, and I'm not going to claim otherwise. But for the 95th percentile, they won't really notice a difference. Until their account is cut off, that is. [1] Any person who claims otherwise just plain doesn't understand SPF or its goals. Unfortunately, a few people have claimed that SPF will cut down on the spam volume, and this take was snapped up by the media and subsequently pushed out as the primary goal of SPF. It is, AFAIK, generally agreed that to cut down on spam volume, we need a whole different protocol from SMTP.