More SenderID Bashing

Looks like another company wants to generate some good PR buzz by bashing Microsoft and bashing SenderID. This is just like my article from last fall. A company has breathlessly reported that spammers are using SenderID. It's not that bad.
MXLogic's press release is parroted by techwebnews (parent of SecurityPipeline). They say that spammers use SPF to get an air of legitimacy to their email. I would argue that any spam filter that determines legitimacy by the presence of an SPF record is flawed. It's like the old SpamAssassin problem. SA automatically whitelisted anyone who signed their mail with a digital signature. Does that indicate a problem with the digital signature? No, it indicates a bad implementation.
SPF is about reputation and accreditation. A domain owner publishes who is allowed to send mail from that domain. Everyone else is considered questionable. That cuts down on spam and viruses using common domain names or your own company domain name. So the spammer registers throwaway domains and creates an SPF record. You still have your other spam filters. You still have the ability to blacklist.
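To make the distinction concrete, here is an added example (not code from the post, MXLogic or the SPF project) with a minimal SPF evaluator and two filter policies: the flawed one that treats an SPF pass as proof of legitimacy, and one that uses SPF only to catch forged use of a domain and leaves the rest to reputation. The domains, records and blocklist are constructed stand-ins for DNS TXT lookups and local reputation data.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (hypothetical domains, not real records).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "throwaway-spam.example": "v=spf1 ip4:198.51.100.7 ~all",
}
# Constructed local blocklist: the reputation data that SPF does not replace.
BLOCKLIST = {"throwaway-spam.example"}


def spf_check(domain: str, sender_ip: str) -> str:
    """Minimal SPF evaluation: ip4 mechanisms plus -all/~all only (no include/redirect)."""
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return "pass"
        elif term == "-all":
            return "fail"
        elif term == "~all":
            return "softfail"
    return "neutral"


def flawed_verdict(domain: str, sender_ip: str) -> str:
    # The mistake the post criticises: an SPF pass is treated as legitimacy,
    # so a spammer's throwaway domain with a valid record sails through.
    return "accept" if spf_check(domain, sender_ip) == "pass" else "filter"


def sane_verdict(domain: str, sender_ip: str) -> str:
    # SPF only answers "may this host send for this domain?"; reputation decides the rest.
    result = spf_check(domain, sender_ip)
    if result == "fail":
        return "reject"   # forged use of a domain that published -all
    if domain in BLOCKLIST:
        return "reject"   # authenticated sender, but the domain itself is known bad
    return "filter"       # pass, none or softfail: hand to the normal spam filters
```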
Meng Wong provides an illustration.