It makes me sad when ostensibly tech-savvy writers completely miss the point of a technology they’re covering.
MX Logic, a company that provides both products and services touted to increase email protection and security, released a report this week that says that email spammers are now using the Sender Policy Framework in an effort to “dodge both legal and industry-backed efforts to curb spam.” A few news outlets — Information Week, CNet News, The Inquirer — all picked up the report and ran with it, implying that the SPF standard is more or less a failure at what it was designed to achieve.
What’s the problem? It’s that SPF wasn’t designed to eliminate spam! The standard exists so that when you receive a piece of email from a certain return address, your mail program can check to see whether or not that address is a forgery or the real deal. As a result, the goal of SPF isn’t to eliminate spam, it’s to implement trust — you are better able to trust that the email you receive is from who it says it’s from. A quote from the official how-it-works page sums it up nicely:
SPF aims to prevent spammers from ruining other people’s reputations. If they want to send spam, they should at least do it under their own name. And as a user, SPF can help you sort the good from the bad. Reject mail that fails an SPF check. Use it to help your spam filters make a decision. Have confidence that mail that SAYS it’s coming from your bank, your credit card company, or the government really is!
As for that latter bit — helping filters make decisions about the likelihood of an email being spam — the key is in the implementation. And while I can’t speak about all spam filters, I can say that the filter I use, SpamAssassin, does the right thing. If an email fails the SPF test (indicating a forgery of the return address), then SpamAssassin considers it more likely to be spam. But on the other hand, if an email passes the SPF test (indicating that the return address is likely to be legitimate), SpamAssassin doesn’t add or subtract anything from the likelihood of it being spam — it’s a wash.
And now, for the important bit, and the bit being left out by the news coverage: when spammers use SPF to try to increase their legitimacy, all they do is verify that the site they’re using to send their junk is real. That means that those fighting against spam (filter authors, lawmakers, whoever) are then able to take action against that site without fear that they’re netting an innocent bystander, and that’s a good thing for everyone.
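To make the mechanics above concrete (a receiving server looks up the sender domain's published SPF record to decide whether the connecting host is authorized, a failed check pushes the spam score up while a pass leaves it unchanged, and a spammer who publishes SPF for his own domain simply earns a "pass" that pins the mail to that domain), here is an added Python example. It is not from the original post and not SpamAssassin's code. It substitutes a constructed table for real DNS TXT lookups, supports only the `ip4`, `include` and `all` mechanisms, and the score weights are invented for illustration; the domains are documentation names, not real senders.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (reserved documentation names, not real domains).
TXT_RECORDS = {
    "bank.example":    "v=spf1 ip4:192.0.2.0/24 include:mailer.example -all",
    "mailer.example":  "v=spf1 ip4:198.51.100.10 ~all",
    "spammer.example": "v=spf1 ip4:203.0.113.7 -all",   # a sender publishing SPF for its own domain
}

# Qualifier prefix -> result when the mechanism matches the connecting host.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Invented weights for illustration. A fail adds evidence of spam; a pass is a wash (adds nothing).
SPF_WEIGHTS = {"fail": 1.0, "softfail": 0.5, "pass": 0.0, "neutral": 0.0,
               "none": 0.0, "permerror": 0.0}


def lookup_spf(domain):
    """Return the domain's SPF record, or None if it publishes none (constructed lookup)."""
    record = TXT_RECORDS.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    return record


def check_spf(domain, sender_ip, depth=0):
    """Evaluate domain's SPF record against the connecting host's IP.

    Walks the record's terms left to right; the first matching mechanism decides
    the result via its qualifier. Only ip4, include and all are understood here.
    """
    if depth > 10:                       # guard against include loops
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:      # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include: counts as a match only if the included domain yields "pass"
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        else:
            return "permerror"           # mechanism this toy evaluator does not support
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # record exhausted without a match


def evaluate_message(mail_from, sender_ip):
    """Check the envelope sender's domain and return (spf_result, score_adjustment)."""
    domain = mail_from.rsplit("@", 1)[-1]
    result = check_spf(domain, sender_ip)
    return result, SPF_WEIGHTS[result]


if __name__ == "__main__":
    # Constructed envelope senders and connecting hosts.
    for mail_from, ip in [("alerts@bank.example", "192.0.2.5"),      # bank's own range
                          ("alerts@bank.example", "198.51.100.10"),  # bank's included mailer
                          ("alerts@bank.example", "203.0.113.7"),    # forged bank address
                          ("deals@spammer.example", "203.0.113.7"),  # spammer's own domain
                          ("hello@unknown.example", "203.0.113.7")]: # no SPF published
        print(f"{mail_from:24s} from {ip:15s} -> {evaluate_message(mail_from, ip)}")
```

The forged bank message fails and is scored up; the spammer's own mail passes, which adds nothing to its score but does confirm that `spammer.example` really is the sending site, which is exactly the hook the post says defenders can act on.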
Oh, yeah, and one more thing the press neglected to mention: the report that forms the basis of the news was issued by a company which sells spam filters. The more doubt they can plant in the effectiveness of other solutions, the more business they can drum up for themselves… seems like a fine reason to shout loudly that SPF isn’t working, but also doesn’t make it any more true.