SPF doesn't really STOP spam, does it?
We’ve heard the complaints — Spammers can always get throwaway domains, etc. At a high level, the answer is that we’re moving from one paradigm to another: from “assumed innocent until proven guilty” to “assumed guilty unless proven innocent”. The Aspen Framework brings two important tools to bear: reputation and accreditation. (A cartoon guide is available.)

We agree that throwaway domains will be the next step in the arms race. We can counter with:

• fast automated blacklisting using spamtraps and attack detectors
• simple reputation systems based on factors such as
    • age of domain according to whois
    • email profile of domain, e.g. “too many unknown recipients”
    • call-back tests to see if the sender domain is able to receive mail.
  The reputation system can advise a receiving MTA to defer or reject.
• legal methods following the paper trail of who paid for the domain.

Here’s an example of automated blacklisting in action:

• A spammer spams.
• The spam comes from an SPF-conformant doma