spf-discuss

Re: Explain please (Was: SPF Stats)

2005-07-06 09:52:10
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David Woodhouse wrote:
> On Wed, 2005-07-06 at 11:32 -0500, Daniel Taylor wrote:
>
>> If I get an e-mail from example.org fraudulently claiming to originate
>> from example.com that is forgery. That is what SPF is specifically
>> created to prevent.
>
> It isn't forgery. It's no _more_ forgery than the letter you receive
> with my home address on the back of it, which you might be shocked to
> discover _actually_ came from your local post office.
>
> Mail exchangers exchange mail. Film at 11.

If I received snail-mail with your return address on it that came from
someone other than you, I'd think that you would consider that a
forgery. Say HP sent me a letter claiming to be from you talking
about how great their printers were and how I should get one right now?

>> If I get an e-mail from example.net that is a legitimate forward from
>> example.com that claims to be directly from example.com I cannot tell
>> the difference between the legitimate message and the above forgery.
>
> Why do you claim that you cannot? There are many methods such as BATV,
> DKIM, etc. which allow you to distinguish between the two.

Both of the methods you mention by name require me to receive the ENTIRE
message before making my decision. This is the source of the DOS from
many e-mail viruses. Not to mention the additional CPU load (larger
machine) required to implement them for the same traffic load. You are
asking me to spend money (not just time, actual dollars out of pocket)
to support your preferred solutions.

> One particular method is broken and cannot work for you. With that I
> agree.

And the others you mention are also broken for many situations.

>> This is not a breakage of SPF, it is a natural consequence of the
>> situation, and ANY general solution to the problem of e-mail source
>> forgery is going to require changes on the part of forwarders. It is
>> simply unavoidable as long as forwarding is done using a technique
>> that is indistinguishable from forgery.
>
> Any apart from the others.

Which are general solutions in what way? Admittedly BATV is better
than DKIM, but they still have major holes that SPF does not.


- --
Daniel Taylor          VP Operations            Vocal Laboratories, Inc.
dtaylor(_at_)vocalabs(_dot_)com   http://www.vocalabs.com/        
(952)941-6580x203
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCzAw58/QSptFdBtURAv7/AJ9HHMtQXL4z6Z1vlsUJ+gBUzjaKrwCfftiL
K57DTVQaiHLJAURvp9pP4U8=
=cVRB
-----END PGP SIGNATURE-----

