This would place accountability onto the provider. The efforts
behind SPF and DKIM are aimed at passing blame to a hapless customer.
Nonsense. SPF FAIL protects HELO identities and envelope-sender
addresses, SPF PASS guarantees that bounces cannot hit innocent
bystanders. And DKIM allows signers to take the responsibility
for a mail transmission independent of SMTP.
Thousand of domains might share an SPF authorized server which
is likely to have only a few IP addresses.
Therefore only a few IPs are permitted to use the domain as HELO
or in an envelope-sender. Implementing RFC 4409 ("submit") and
2554bis ("auth") on that shared server is an obvious next step,
SPF explicitly recommends this. FWIW, not much yet, publishers
of sender policies can even state (= claim) that their server(s)
don't allow "cross-user-forgery".
Won't help them if they manage to become a part of a botnet, but
as expected SPF and/or DKIM are no FUSSP.
The identity limitations with DKIM ensures providers will also
control their customer's private keys. Who sent and signed the
message is _designed_ to remain a mystery.
[I-D.ietf-dkim-base-07 chapter 6.3]
| If the message is signed on behalf of any address other than
| that in the From: header field, the mail system SHOULD take
| pains to ensure that the actual signing identity is clear to
| the reader.
There should be laws against the use of highly danger
authorization schemes, such as SPF/Sender-ID.
Omigod - how about a law against those dangerous MX records ?
Without MX records the spammers won't know where to they could
send their crap. Highly dangerous, this MX. Without it we'd
have RFC 821 source routing again, SPF would be unnecessary. :-|
Enforcement must make any spam illegal AND hold providers
accountable. To ensure enforcement, allow anyone damaged to
seek legal relief.
Great, Can-Spam, legal enforcement, and RFC 3865 to the rescue.
Is that a new all-time low in the history of the IRTF-ASRG ?
The volume and lack of solicitation provides key differences.
The lack of solicitation allows for rather easy methods of
RFC 3865 is already published, check it out.
OPT-OUT is a dangerous, impractical, and an immoral excuse.
At least we agree on something.
It takes a zombie botnet.
There are many other techniques.
Open proxies and open relays. If that's all it's not "many".
Asrg mailing list