Cthulhux said:
ad "doing your own filtering": How should my client verify the validity of a sender address without asking the server?
SPF will tell you whether or not it came from the IP range or mail host that is registered in DNS for that domain, which is cached in DNS (i.e., it doesn't impact innocent third parties' infrastructure excessively), and is as much as you need to know.
If the legitimate mail host for that domain is sending you spam, blacklist it. Contact the admin. Whatever, you have options.
If it didn't come from the host(s) registered in DNS via SPF as being valid for that domain, drop it.
Sending queries repeatedly into the IMAP server, which is actually not cached and is scaled/intended to support the users of my network, is being hostile.
And even if this "validation" succeeds - verifying the user exists won't help anyway.
Example:
- I harvest your address.
- I set up my own spam server/botnet to send email, faking from your address (let's say - to 10 million users). The IMAP-verifying recipient mail server consults DNS, checks that your email exists by logging into your server, which may or may not exist, as not everyone exposes IMAP.
- Let's say it exists. Your IMAP server (if it is not DoSed into submission by 10 million connections from hosts mailed from my botnet) replies "yup, it is a real user" (10 million times, potentially 10 million LDAP lookups to your internal LDAP server, 10 million firewall state connections, etc.)
- My email goes through, even though it is garbage
(As per many others, I don't run/expose IMAP anyway, but am simply arguing the point that doing this sort of thing is retarded. There are already workable, scalable options out there that don't DOS innocent people's servers if a spammer fakes a heap of email headers as being from their domain. They are also more likely to actually give you information that is relevant.)
edit:
Yes, sure, SPF is not widespread. However, if it was more widespread, it would work a lot better than this new, not implemented "solution".
The tools to fight spam are already there. They need to be rolled out. Making more tools is not the solution...
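The check the post above is arguing for, as an added example that is not part of the thread or anyone's posted code: a minimal SPF evaluator in the spirit of RFC 7208 that looks up the domain's `v=spf1` TXT record, walks its `ip4`/`ip6`/`a`/`include`/`all` terms in order, and returns the standard result (pass, fail, softfail, neutral, none, permerror). The domains, addresses and records in `FAKE_DNS` are constructed for the example (no network lookups are made), the `MAX_DNS_LOOKUPS` cap is the RFC 7208 limit of 10 query-causing mechanisms, and `mx`, `ptr`, `exists` and `redirect=` are deliberately left unimplemented and reported as permerror. The `policy()` mapping is this example's own reading of the post's rule (drop what SPF says is not from an authorized host; let mail through where the domain has not deployed SPF), not a standard.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed stand-in for DNS: domain -> TXT (SPF) and A records. Entirely made up.
FAKE_DNS: Dict[str, Dict[str, List[str]]] = {
    "example.com": {
        "TXT": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example a -all"],
        "A": ["198.51.100.10"],
    },
    "_spf.mailer.example": {
        "TXT": ["v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:1::/48 ~all"],
        "A": [],
    },
    "no-spf.example": {"TXT": [], "A": ["198.51.100.99"]},
    # An include loop: shows why RFC 7208 caps DNS-causing mechanisms at 10.
    "loop.example": {"TXT": ["v=spf1 include:loop.example -all"], "A": []},
}

MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def get_spf_record(domain: str, dns=FAKE_DNS) -> Optional[str]:
    """Return the domain's single v=spf1 TXT record, or None when it has none."""
    spf = [r for r in dns.get(domain, {}).get("TXT", [])
           if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if len(spf) != 1:        # zero records -> none; more than one is a permerror per RFC
        return None if not spf else "v=spf1 permerror"
    return spf[0]


def check_spf(ip: str, domain: str, dns=FAKE_DNS, lookups: Optional[List[int]] = None) -> str:
    """Evaluate SPF for sender IP `ip` claiming MAIL FROM domain `domain`."""
    lookups = [0] if lookups is None else lookups   # shared counter across includes
    record = get_spf_record(domain, dns)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if "=" in term and (":" not in term or term.index("=") < term.index(":")):
            if term.lower().startswith("redirect="):
                return "permerror"            # not implemented in this example
            continue                          # other modifiers (e.g. exp=) are ignorable
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = addr.version == net.version and addr in net
        elif name == "a":
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            target = arg or domain
            matched = any(addr == ipaddress.ip_address(a) for a in dns.get(target, {}).get("A", []))
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            sub = check_spf(ip, arg, dns, lookups)
            if sub == "pass":
                matched = True
            elif sub in ("none", "permerror"):   # RFC 7208 section 5.2 include semantics
                return "permerror"
            elif sub == "temperror":
                return "temperror"
        else:
            return "permerror"                    # mx, ptr, exists: unsupported here
        if matched:
            return RESULTS[qualifier]
    return "neutral"                              # no term matched and no 'all' present


def policy(result: str) -> str:
    """Example receiver policy (this example's choice): drop SPF failures, flag softfails,
    accept the rest because the domain has not (fully) deployed SPF."""
    return {"pass": "accept", "fail": "reject", "softfail": "accept-and-flag",
            "permerror": "reject"}.get(result, "accept")


if __name__ == "__main__":
    for ip, dom in [("192.0.2.7", "example.com"), ("203.0.113.9", "example.com"),
                    ("198.51.100.200", "example.com"), ("10.0.0.1", "no-spf.example"),
                    ("10.0.0.1", "loop.example")]:
        r = check_spf(ip, dom)
        print(f"{ip:>16} from {dom:<22} -> {r:<9} {policy(r)}")
```

Run it as-is; each sample line prints the SPF result and the action the example policy takes. The only state touched per message is the cached DNS answer for the sender's domain, which is the post's point: a receiver never has to open a connection to the victim domain's IMAP server to decide anything.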