Is SPF a useful methodology for identifying spam email?
I've been running a product called QURB (under Outlook Express) for 2-3 years and am reasonably comfortable with its effectiveness at identifying spam email messages. At some point QURB added support for something called SPF, "Sender Policy Framework". SPF seemed pretty impressive at the time, but I've begun to wonder whether it truly does that much good.

I've done a limited amount of research on SPF. My understanding is that SPF depends upon the sender domain subscribing/registering with a list that identifies certain attributes of the domain (beyond just the "name", but I'm not sure exactly what information) that will enable an SPF implementation to verify the claimed domain identity of the FROM email address.

The QURB implementation displays its SPF results for a given message as one of three states: can't say for sure whether it's the claimed domain; it definitely IS from the claimed domain; it definitely IS NOT from the claimed domain. I hardly ever get any messages that QURB reports as "definitely IS..." or "definitely IS NOT".

Is there someone here who can shed light on the effectiveness of SPF in general? Are there any of the "biggies" that use SPF -- paypal, ebay, microsoft, the larger banking institutions?

TIA,
Phil
Is SPF a useful methodology for identifying spam email?
Thanks Norman, your reply sheds some additional light.

It still puzzles me why a site such as paypal, which seems always to be in the spotlight regarding emails claiming, falsely, to originate from their site, would not be eager to maintain SPF information for their domain. Most of the emails I've gotten from paypal -- and these are ones that WERE NOT phony -- are identified by QURB as "not verified".

Phil

"N. Miller" wrote:

> On Wed, 16 Jan 2008 10:19:03 -0800, pwrichcreek wrote:
>
> > Is there someone here who can shed light on the effectiveness of SPF in general? Are there any of the "biggies" that use SPF -- paypal, ebay, microsoft, the larger banking institutions?
>
> SPF is only of limited usefulness, hardly useful at all for detecting spam; unless you operate on the assumption that only spammers are using SPF. And spammers have really jumped on the SPF bandwagon.
>
> The theory behind SPF is that the owner of a domain declares, through a DNS "TXT" record, that only the IP addresses specified in that DNS record are authorized to send email for that domain. Thus, if you receive email purporting to be from that domain, but the source IP address is not in the DNS record, it can be considered suspicious.
>
> But not all domains have SPF records (more don't than do), not all SPF records are accurate, or current, and many spammers have registered domains with an SPF record, so their spam will pass a domain SPF check.
>
> In conclusion, it really isn't terribly useful at identifying spam; DNSBLs are, still, the most accurate check for the likeliness that any given email is spam.
>
> --
> Norman
> ~Shine, bright morning light,
> ~now in the air the spring is coming.
> ~Sweet, blowing wind,
> ~singing down the hills and valleys.
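The check described in the quoted reply, as an added example that is not part of the thread or of QURB: a small evaluator that matches a connecting IP against a domain's SPF TXT record and returns the RFC 7208 result name. The domains, records and addresses are constructed, the `TXT` dictionary stands in for real DNS lookups, and only the `ip4`, `ip6` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed TXT records standing in for DNS (hypothetical domains,
# documentation-range addresses).
TXT = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "lax.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    # A domain registered by a bulk sender, with a perfectly valid record.
    "bulk-mailer.example": "v=spf1 ip4:203.0.113.7 -all",
}

# Qualifier prefix on a mechanism -> result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(domain, sender_ip):
    """Return the SPF result for mail claiming `domain`, sent from `sender_ip`."""
    terms = TXT.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no policy published: nothing can be said either way
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        else:
            # include, a, mx, ... need further DNS queries; out of scope here.
            raise ValueError(f"mechanism not handled in this sketch: {name}")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record exists but no mechanism matched


if __name__ == "__main__":
    for dom, ip in [("bank.example", "192.0.2.25"),
                    ("bank.example", "203.0.113.7"),
                    ("bulk-mailer.example", "203.0.113.7"),
                    ("no-record.example", "192.0.2.25")]:
        print(dom, ip, spf_result(dom, ip))
```

The `pass` for `bulk-mailer.example` is the caveat raised in the thread: the result says the domain authorised that IP, not that the domain is trustworthy.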