I've been running a product called QURB (under Outlook Express) for 2-3 years
and am reasonably comfortable with its effectiveness at identifying spam
email messages. At some point QURB added support for something called SPF,
"Sender Policy Framework". SPF seemed pretty impressive at the time, but
I've begun to wonder whether it truly does that much good.

I've done a limited amount of research on SPF. My understanding is that SPF
depends upon the sender domain subscribing/registering with a list that
identifies certain attributes of the domain (beyond just the "name", but I'm
not sure exactly what information) that will enable an SPF implementation to
verify the claimed domain identity of the FROM email address.

The QURB implementation displays its SPF results for a given message as one
of three states: can't say for sure whether its the claimed domain; it
definitely IS from the claimed domain; it definitely IS NOT from the claimed
domain. I hardly ever get any messages that QURB reports as "definitely
IS..." or "definitely IS NOT".

Is there someone here who can shed light on the effectiveness of SPF in
general? Are there any of the "biggies" that use SPF -- paypal, ebay,
microsoft, the larger banking institutions?

TIA,

Phil

Thanks Norman, your reply sheds some additional light.

It still puzzles me why a site such as paypal, which seems always to be in
the spotlight regarding emails claiming, falsely, to originate from their
site, would not be eager to maintain SPF information for their domain. Most
of the emails I've gotten from paypal -- and these are ones that WERE NOT
phony -- are identified by QURB as "not verified".

Phil


"N. Miller" wrote:

On Wed, 16 Jan 2008 10:19:03 -0800, pwrichcreek wrote:

Is there someone here who can shed light on the effectiveness of SPF in
general? Are there any of the "biggies" that use SPF -- paypal, ebay,
microsoft, the larger banking institutions?

SPF is only of limited usefulness, hardly useful at all for detecting spam;
unless you operate on the assumption that only spammers are using SPF. And
spammers have really jumped on the SPF bandwagon.

The theory behind SPF is that the owner of a domain declares, through a DNS
"TXT" record, that only the IP addresses specified in that DNS record are
authorized to send email for that domain. Thus, if you receive email
purporting to be from that domain, but the source IP address is not in the
DNS record, it can be considered suspicious. But not all domains have SPF
records (more don't than do), not all SPF records are accurate, or current,
and many spammers have registered domains with an SPF record, so their spam
will pass a domain SPF check.

In conclusion, it really isn't terribly useful at identifying spam; DNSBLs
are, still, the most accurate check for the likeliness that any given email
is spam.

--
Norman
~Shine, bright morning light,
~now in the air the spring is coming.
~Sweet, blowing wind,
~singing down the hills and valleys.

"pwrichcreek" wrote in message
...
Thanks Norman, your reply sheds some additional light.

It still puzzles me why a site such as paypal, which seems always to be in
the spotlight regarding emails claiming, falsely, to originate from their
site, would not be eager to maintain SPF information for their domain.
Most
of the emails I've gotten from paypal -- and these are ones that WERE NOT
phony -- are identified by QURB as "not verified".

Phil


"N. Miller" wrote:

On Wed, 16 Jan 2008 10:19:03 -0800, pwrichcreek wrote:

Is there someone here who can shed light on the effectiveness of SPF in
general? Are there any of the "biggies" that use SPF -- paypal, ebay,
microsoft, the larger banking institutions?

SPF is only of limited usefulness, hardly useful at all for detecting
spam;
unless you operate on the assumption that only spammers are using SPF.
And
spammers have really jumped on the SPF bandwagon.

The theory behind SPF is that the owner of a domain declares, through a
DNS
"TXT" record, that only the IP addresses specified in that DNS record are
authorized to send email for that domain. Thus, if you receive email
purporting to be from that domain, but the source IP address is not in
the
DNS record, it can be considered suspicious. But not all domains have SPF
records (more don't than do), not all SPF records are accurate, or
current,
and many spammers have registered domains with an SPF record, so their
spam
will pass a domain SPF check.

In conclusion, it really isn't terribly useful at identifying spam;
DNSBLs
are, still, the most accurate check for the likeliness that any given
email
is spam.

--
Norman
~Shine, bright morning light,
~now in the air the spring is coming.
~Sweet, blowing wind,
~singing down the hills and valleys.