spf/SenderID will not prevent spam
|
Author | Content |
---|---|
tzafrir Sep 11, 2004 1:10 AM EDT |
Techniques like SPF can not prevent spam. They can help in proving that the sender address is not forged, though. This can be useful in a number of ways: 1. You got a message from your bank: you know it really came from your bank 2. No spammer can easily fake a spam as a bounce. Bouncing messages to "respectable" domains can once again become practical. This won't prevent a spammer from sending me a spam from spamdomain.com . but then-again, we can start blacklisting spam domains (rather than IPs). |
xiando Sep 11, 2004 4:10 AM EDT |
I personally like to use GnuPG to sign my messages in order to verify that I am, in fact, the one who wrote the message. I don't see the need for any other solution on doing this. In respect to preventing spam, such a method is useless unless it's implemented info all MTAs. If not, which is the case for SPF since nobody want that particular standard, it will only allow spammers to send through and prevent actual real mail. |
tzafrir Sep 11, 2004 5:14 AM EDT |
Do you sign each and every message you send? This is not such a good idea. Suppose I send you a message "is your name tzafrir?" and you reply to me with "no". Now I have the message "no" signed by you. I can forge a message from you saying "no", and it will have a valid signature. You see, pgp/gpg signs only the message body, not the message header. Specifically, it doesn't even sign the recipient name. If you sign many messages there is too large a chance that someone will be able to replay them to pretend it was you. Also remember that the mail server along the way has no reasonable way to verify that the gpg signature on the message is valid. |
Posting in this forum is limited to members of the group: [ForumMods, SITEADMINS, MEMBERS.]
Becoming a member of LXer is easy and free. Join Us!