Re: [Asrg] SMTP pull anyone?

Ian Eiloart <> Mon, 17 August 2009 10:05 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E63773A681A for <>; Mon, 17 Aug 2009 03:05:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.392
X-Spam-Status: No, score=-1.392 tagged_above=-999 required=5 tests=[AWL=-1.207, BAYES_40=-0.185]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id decDNs0HU9K0 for <>; Mon, 17 Aug 2009 03:05:47 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id D80233A672E for <>; Mon, 17 Aug 2009 03:05:46 -0700 (PDT)
Received: from ([]:49541) by with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.64) (envelope-from <>) id KOIMPK-0008UF-HX for; Mon, 17 Aug 2009 11:05:44 +0100
Date: Mon, 17 Aug 2009 11:05:44 +0100
From: Ian Eiloart <>
Message-ID: <>
In-Reply-To: <>
References: <> <>
Originator-Info: login-token=Mulberry:01fHD1aeXRY8693UnL6Jbv5Wjc4ugWw9+W8ds=;
X-Mailer: Mulberry/4.0.8 (Mac OS X)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-Sussex: true
X-Sussex-transport: remote_smtp
Subject: Re: [Asrg] SMTP pull anyone?
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <>
List-Id: Anti-Spam Research Group - IRTF <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 17 Aug 2009 10:05:48 -0000

--On 16 August 2009 14:14:00 -0400 Bill Cole <> 

>> 3. If the IP that contacted is legitimate(can be verified by say SPF?),
>> it contacts the sender and provides the message ID with other details.
> The *most* that SPF can provide towards showing "legitimacy" is to
> confirm that the envelope sender address of a message is not forged. It
> is very rare for large senders of any sort to deploy records that can do
> that strongly. There is nothing about SPF that directly attacks spamming.
> It could in theory be used to attack sender forgery, but the collateral
> damage has proven to be too great for either sending or receiving systems
> to actually apply it strongly to that end. Meanwhile, a lot of spammers
> are sending a lot of spam with senders that are validated to the degree
> that SPF can validate anything.

SPF deployment has grown rapidly from 5% of 2,000,000 sampled domains to 
17% over the past three years, apparently including most USA banks. About 
half of spf publishing domains, including some large senders like facebook, 
use "-all" records. Apart from anything else "-all" on its own is a good 
way of saying "this isn't an email domain", and it's probably a good idea 
to publish it for every A record that doesn't point to a mail server.

Furthermore, some large recipients like gmail use these records to help 
assign reputation to senders. Forwarded email is likely already suffering 
from deliverability problems when the sender address is not rewritten (at 
least in cases like forwarding facebook mail to gmail, for example), and 
these problems will continue to get worse, not better as SPF deployment 
increases, and as records are increasingly respected.

People who want to offer a reliable forwarding service to their users 
already need to be thinking about rewriting sender addresses.

It might take a few years, but I'm convinced that we'll look back on SPF 
deployment in the same was that we look back on the campaign against open 
relays some years ago.

Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see