In article <x4zmup7j6p(_dot_)fsf(_at_)footbone(_dot_)schlitt(_dot_)net>, wayne
<wayne(_at_)schlitt(_dot_)net> writes:
> There is a new I-D for the SPF email anti-forgery system available for
> review. This draft tries to document the current practices of the
> ~1,000,000[1] published SPF records and ~10,000[1] deployed SPF
> systems that are checking 20-100 million emails per day.
not that I'm not impressed, but this isn't a huge amount yet :)
Domains:
ISC says there were 317 million hosts in January
Netcraft says there were 62 million web servers in April
Name Intelligence says 52 million domains in com/net/org/etc
and they count 2311 million IP addresses in use
So 1% ? (since SPF may be below the second level!)
Mail servers:
Qmail claimed to have 700,000 sites in October 2001
and to be the second most popular MTA
but I can't immediately locate any other claims :( either
for other MTAs or more recent info for this one
amazing how few numbers for this there are out there!
So < 1% ?
Emails/Day:
Radicati said in April, 130000 million emails/day sent
but 2/3 are spam (viz: 40000 million not)
So << 1% ? (even less if spammers use SPF, which they do)
> I realize that the whole subject of SPF (and similar systems) has a
> certain amount of controversy to it, but for the purposes of this
> draft, I am very reluctant to try debate these issues. The goal is to
> document a de-facto standard.
OK .. to be helpful then
> 10.5. Untrusted Information Sources
>
> When the authorization check fails, an explanation string may be
> included in the reject response. Both the sender and the rejecting
> receiver need to be aware that the explanation was determined by the
> publisher of the SPF record checked and, in general, not the
> receiver. The explanation may contain malicious URLs, or it may be
> offensive or misleading. This is probably less of a concern than it
> may initially seem since such messages are returned to the sender,
> and the source is the SPF record published by the domain in the
> identity claimed by that very sender.
OR a domain that the check is redirected to,
assuming I've understood 6.2 correctly. BTW: the note at the end of 6.2
has the concept "target domain" in it. Uniquely. I suspect this is the
concept defined in 4.8 that is to be called "<target-name>".
> To put it another way, the
> only people who see malicious explanation strings are people whose
> messages claim to be from domains that publish such strings in their
> SPF records.
the other people who will see them are people who know nothing of SPF
but forward them to a machine that applies SPF to the forwarded email;
their MTA will display the SMTP conversation in the DSN generated, which
they will receive. Text that was misleading could then mislead :(
--
richard
Richard Clayton
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. Benjamin Franklin
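An added illustration of the two points raised above (the explanation can come from the domain a check is redirected to, and the string may carry URLs or misleading text into a reject line or DSN); this is example code written for this page, not text from the post or the SPF draft. The domains and TXT records are constructed, and the evaluator is a toy that skips macro expansion and most mechanisms.

```python
import ipaddress
import re

# Constructed in-memory TXT records for hypothetical domains (not from the post).
# sender.example has no "all" term, so its check is redirected to other.example,
# whose exp= modifier points at the record holding the explanation string.
TXT = {
    "sender.example": ["v=spf1 ip4:192.0.2.0/24 redirect=other.example"],
    "other.example": ["v=spf1 ip4:198.51.100.7 exp=exp.other.example -all"],
    "exp.other.example": ["Rejected.\r\nSee http://bad.invalid/fix for details"],
}

def spf_terms(domain):
    for rec in TXT.get(domain, []):
        if rec.startswith("v=spf1"):
            return rec.split()[1:]
    return None

def check_host(ip, domain, depth=0):
    """Toy SPF check supporting ip4:, -all, redirect= and exp=.
    Returns (result, explanation_text, domain_whose_record_decided)."""
    if depth > 10:
        return ("permerror", None, domain)
    terms = spf_terms(domain)
    if terms is None:
        return ("none", None, domain)
    mods = dict(t.split("=", 1) for t in terms if "=" in t and ":" not in t)
    addr = ipaddress.ip_address(ip)
    for t in terms:
        if t.startswith("ip4:") and addr in ipaddress.ip_network(t[4:], strict=False):
            return ("pass", None, domain)
        if t == "-all":
            exp = TXT.get(mods.get("exp", ""), [None])[0]
            return ("fail", exp, domain)
    if "redirect" in mods:  # no mechanism matched: the target's record decides
        return check_host(ip, mods["redirect"], depth + 1)
    return ("neutral", None, domain)

URL_RE = re.compile(r"(?i)\b(?:https?|ftp)://\S+|\bwww\.\S+")

def safe_explanation(text, source):
    """Receiver-side handling before the string reaches a reject line or DSN:
    drop URLs, strip control characters (no CRLF injection into the SMTP
    reply), cap the length, and say which domain wrote it."""
    if not text:
        return "sender not authorized by SPF"
    t = URL_RE.sub("[url removed]", text)
    t = "".join(ch for ch in t if 32 <= ord(ch) < 127)[:200]
    return "SPF explanation published by %s: %s" % (source, t)
```

check_host("203.0.113.9", "sender.example") returns a fail decided by other.example, not by the domain in the claimed identity, and its explanation carries a URL and a CRLF that safe_explanation removes before the text is shown to whoever ends up reading the bounce.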