
Re: SPF I-D for review: draft-schlitt-spf-classic-01.txt

2005-05-20 15:39:47


In article <x4zmup7j6p(_dot_)fsf(_at_)footbone(_dot_)schlitt(_dot_)net>, wayne
<wayne(_at_)schlitt(_dot_)net> writes

> There is a new I-D for the SPF email anti-forgery system available for
> review.  This draft tries to document the current practices of the
> ~1,000,000[1] published SPF records and ~10,000[1] deployed SPF
> systems that are checking 20-100 million emails per day.

not that I'm not impressed, but this isn't a huge amount yet :)

        ISC says there were 317 million hosts in January
        Netcraft says there were 62 million web servers in April
        Name Intelligence says 52 million domains in com/net/org/etc
        and they count 2311 million IP addresses in use
        So 1% ?  (since SPF may be below the second level!)

Mail servers:
        Qmail claimed to have 700,000 sites in October 2001
        and to be the second most popular MTA
            but I can't immediately locate any other claims :( either
            for other MTAs or more recent info for this one 
            amazing how few numbers for this there are out there!
        So < 1% ?

        Radicati said in April, 130000 million emails/day sent
        but 2/3 are spam (viz: 40000 million not)
        So << 1% ?  (even less if spammers use SPF, which they do)

> I realize that the whole subject of SPF (and similar systems) has a
> certain amount of controversy to it, but for the purposes of this
> draft, I am very reluctant to try to debate these issues.  The goal is to
> document a de-facto standard.

OK .. to be helpful then

> 10.5.  Untrusted Information Sources
>
>   When the authorization check fails, an explanation string may be
>   included in the reject response.  Both the sender and the rejecting
>   receiver need to be aware that the explanation was determined by the
>   publisher of the SPF record checked and, in general, not the
>   receiver.  The explanation may contain malicious URLs, or it may be
>   offensive or misleading.  This is probably less of a concern than it
>   may initially seem since such messages are returned to the sender,
>   and the source is the SPF record published by the domain in the
>   identity claimed by that very sender.

OR a domain that the check is redirected to

assuming I've understood 6.2 correctly. BTW: the note at the end of 6.2
has the concept "target domain" in it. Uniquely. I suspect this is the
concept defined in 4.8 that is to be called "<target-name>"

>   To put it another way, the
>   only people who see malicious explanation strings are people whose
>   messages claim to be from domains that publish such strings in their
>   SPF records.

the other people who will see them are people who know nothing of SPF
but forward them to a machine that applies SPF to the forwarded email;
their MTA will display the SMTP conversation in the DSN generated, which
they will receive. Text that was misleading could then mislead :(

-- 
richard                                              Richard Clayton

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety.         Benjamin Franklin

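
Added example (not part of the original message or of the draft): one way a receiving MTA could treat the explanation string from section 10.5 as untrusted before placing it in a reject response, naming the domain whose record supplied it (which may be a redirect target) so that a forwarding user reading the DSN can tell the text is not the server's own. The function names, the length limit, the reply wording and the sample domains are hypothetical.

```python
import re

MAX_TEXT = 200  # assumed local length limit, not taken from the draft

def printable(text):
    """Reduce untrusted text to a single line of printable US-ASCII."""
    # CR/LF and other control or non-ASCII characters become spaces, so the
    # text cannot start a forged extra line in the SMTP reply or in the DSN.
    cleaned = re.sub(r"[^\x20-\x7e]", " ", text)
    return re.sub(r" {2,}", " ", cleaned).strip()

def sanitize_explanation(text):
    """Clean an explanation string and defang any URL schemes in it."""
    cleaned = re.sub(r"(?i)\bhttp(s?)://", r"hxxp\1://", printable(text))
    return cleaned[:MAX_TEXT]

def build_reject_reply(sender_domain, exp_domain, explanation):
    """Return the 550 reply lines, attributing the text to its publisher.

    sender_domain: domain from the checked identity (attacker-influenced).
    exp_domain:    domain whose SPF record supplied the explanation; after a
                   redirect this is the redirect target, not sender_domain.
    """
    lines = [f"SPF check failed for {printable(sender_domain)}."]
    text = sanitize_explanation(explanation)
    if text:
        lines.append(f"Text below was published by {printable(exp_domain)}, "
                     "not by this server:")
        lines.append(text)
    # Multi-line SMTP reply: "550-" on every line but the last, "550 " on it.
    last = len(lines) - 1
    return [f"550{' ' if i == last else '-'}{line}"
            for i, line in enumerate(lines)]

# Constructed sample: an explanation string that tries to inject a second
# reply line and carries a link.
SAMPLE_EXP = "Your account is locked\r\n250 OK see http://evil.example/login\x00"

if __name__ == "__main__":
    for line in build_reject_reply("forged.example",
                                   "redirect-target.example", SAMPLE_EXP):
        print(line)
```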