SPF question

Lennart Sorensen lsorense-1wCw9BSqJbv44Nm34jS7GywD8/FfD2ys at public.gmane.org
Wed Oct 31 17:35:26 UTC 2007


On Wed, Oct 31, 2007 at 04:41:00PM +0000, Christopher Browne wrote:
> SPF *may* also make sense for large entities that:
> a) Send out a lot of mail, and
> b) Are targets for fraudulent mail
> 
> EBay and PayPal would fit into that category, as would banks.
> 
> It seems not too outrageous for them to try to tell the world things like:
> 
> "If you get mail claiming to be from our domain that doesn't contain
> our digital signature, then we're willing to suggest that it is
> fraudulent and may be safely thrown away."

Well, since not everyone insists on checking SPF, there are plenty of
ways for those scams to get through anyhow.  A much better way to deal
with those phishing emails is to make people less stupid.  Not sure how
much luck we will have on that.  Perhaps I am overly optimistic in the
average ability of the population as a whole.

> "If you get mail claiming to be from our domain that was not sent from
> one of our IP addresses, then it did not pass through proper channels
> and may be safely thrown away."
> 
> But that certainly imposes some burdens on the flexibility of one's
> mail management.  For the "digital signature" case, for instance, it
> implies that people in the organization MUST pass their messages
> through a mail server that knows how to generate the digital
> signatures.  If those servers are pretty locked down, which is
> appropriate, then this implies some possible inconvenience in getting
> outgoing mail signed.
> 
> This doesn't seem like something that everyone would want to apply to
> their mail.

Well, it is a trade-off between convenience and control.

--
Len Sorensen
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists