Bind9 SPF
From: https://www.zytrax.com/security/spf.html
SPF - An Anti-SPAM Measure
We currently believe that Greylisting (and its derivatives) together with SPF
are the most appropriate techniques to fight the ever-rising tide of SPAM.
The volume of SPAM is rising - rapidly. SPAM increasingly threatens the
effectiveness of email as a medium for doing business. Something has to be done.
SPAM and email-based attacks are becoming increasingly sophisticated, but the
sheer volume of low-tech SPAM is clogging the arteries of the internet and the
inboxes of legitimate users.
There is nothing more annoying and frustrating than to receive a bounce message
saying that a mail item - which you did not send - was rejected because it
contained a virus or other offensive material. Someone has forged your address.
Someone has stolen your identity.
It is estimated that well over 15 billion SPAM messages are sent every day. Some
days it feels like they all arrived in our mailboxes!
Classic Solutions
The problem is finding a cure that is not worse than the disease.
We have reviewed and rejected some potential solutions:
- Black lists: We refuse to implement a Black List because we feel it can too
easily penalise legitimate mail while doing very little to stop SPAM - your
SPAM-clogged mailboxes are witness to the total lack of effectiveness of Black
lists. We were the unwitting victim of a blacklisting which took less than 2
hours to fix when brought to our notice, but took over five years for all the
effects to finally disappear. As a result, we feel the implementation, even in
major so-called professional organizations, is not production quality. On its
own it is a fatally flawed technique. In combination with other techniques, and
properly implemented (with constantly refreshed lists), it can add value.
- Incoming Mail SPAM Filters: It is not up to us, nor should it be, to decide
what constitutes SPAM and what does not. One person's legitimate mail may be
another person's SPAM and vice versa. This is not to demean the quality of
spam-filtering software, but the technology relies on inspection of the mail
content. This is a very subjective matter and will inevitably lead to false
positives, which is why most such systems place suspected spam in a special
folder. You still have to check this material - much of it profoundly offensive.
How effective is that? Finally, spam filtering has two other problems. It uses
the good guys' resources (high-quality spam filtering is resource intensive). It
does nothing to hurt the bad guys. See Greylisting for an alternative approach.
The Good Guys vs the Bad Guys
There is action on both technical and legal fronts.
A number of countries and states have passed legislation providing for
increasingly stiff remedies to cope with spammers, but until the problem reaches
manageable proportions authorities worldwide will be swamped. How do you stop
500,000+ spammers? Get that number down to a couple of hundred and the
authorities stand a fighting chance.
On the technical front, the IETF (the group that sets technical standards for
the Internet) looked at the problem under the MARID Working Group and failed to
come to any consensus. The technical debate was just too fierce. SPF appears to
be moving slowly forward as an experimental service, perhaps to be followed by a
progressive series of enhancements, each squeezing out more and more email
vulnerabilities.
So What Can We Do
We believe it is reasonable for us to reject mail which we know has forged its
origin. It is trivially simple for spammers to use a legitimate email address
to send SPAM. Checks to verify this form of SPAM were historically doomed to
failure.
But things are changing
The Sender Policy Framework (SPF) initiative was started in early 2004 to
provide a simple means to verify that mail most likely originated from the real
sender. The SPF proposal is now an Internet standard (RFC 7208). We have
provided right hand menu links where you can read more about the SPF initiative.
Having examined SPF we believe it can play a significant role in reducing SPAM
and especially in the case of identity theft (forged mail using your email
address) which we know is especially troubling to users. SPF uses only Public
Domain technologies.
Google mail and many others have implemented SPF. Microsoft's alternate
proposal, SenderID, has now been synchronised with SPF. With this kind of
commitment, and the ~1m domains that have registered their use of SPF (as of mid
October 2005), we believe the SPF initiative can be effective and has industry
traction.
The Call for Action
We support the SPF initiative as a first step to making SPAM a manageable
problem.
We request your help in supporting both our own and industry-wide initiatives to
help reduce SPAM. We cannot promise these measures will stop SPAM; we cannot
even estimate how effective these measures will be in reducing SPAM. We promise
only two things:
- We will in all cases be the 'guinea-pigs' and experiment on our own domains
first.
- If we do nothing - the problem will simply get worse.