I have over the last two years implemented, I think, a dozen different anti-spam technologies to protect my Inbox. (I’ll total them up and summarize my thoughts in another post.) Today I finished implemented yet another, called SPF, or Sender Permitted From (now renamed to “Sender Policy Framework”).
The idea is, if my e-mail address is “michael a-t alderete.com”, then there are only a few servers on the internet that are likely, or permitted, to send e-mail for the alderete.com domain. When you receive an e-mail from that address or domain, if you knew which servers on the internet were legitimate senders, then you could reject messages from all other servers.
This is useful because it’s common practice by spammers to forge the From: header of their spam messages, and because they are almost never able to send those messages from the real server for the domain. (This is why bouncing spam back to the sender just makes the spam problem worse.)
I had incentive to do this because one of my e-mail address domains, alderete.com, has been forged heavily recently (though not quite Joe Jobed), with thousands of e-mails being sent out with forged from addresses like “email hidden; JavaScript is required” and “email hidden; JavaScript is required”. When the spams bounce back, they come to my Inbox. Thousands of them.
Now, SPF isn’t a panacea for this problem, mostly because there has not been a lot of deployment of the technology yet. But that’s coming; AOL recently began trialing it, and if it’s successful I am sure the other big ISPs will do so soon.
When they do, I’ll be ready to reap the benefits.