On Jun 22, 2009, at 7:12 AM, Ian Eiloart wrote:

> --On 21 June 2009 23:34:16 -0700 Douglas Otis <dotis(_at_)mail-abuse(_dot_)org>
> wrote:
>
>> SPF does not work well at resolving a domain that should be held
>> accountable for a few reasons:
>>
>> a) risks high and impractical transaction overheads at attempts to
>> indirectly reference the customers of a provider.
>
> Er, we already have ridiculous transaction overheads for email.
> Anything that stopped spam would reduce the transaction overheads
> for legitimate email by up to ten fold.

Only the application of reputation and address range policies reduces
spam levels. Not using SPF and instead using CSV will reduce the
transaction overhead needed to validate an associated domain. SPF
often requires several transactions, and these may exceed several
hundred transactions, where 111 could be generated by PRAs and then
another 111 for the Mail-From. The high overhead problem of SPF can be
made worse when the SPF records contain macros. Using SPF macros, bad
actors can cause recipients to generate a long series of different DNS
transactions based upon portions of an email-address local-part, for
example. This enables a free DDoS attack while spamming, since SPF
macros can make DNS caching ineffective.

>> b) may not qualify any specific IP address for a positive result.
>
> I'm not sure what that phrase means. If it means that some lookups
> result in softfail or neutral results, then that actually doesn't
> matter much. The passes and the fails still get us useful
> information. Anything else just puts us back where we were before.

An SPF pass result may never be based upon the IP address of the MTA.
The way SPF is defined, there might not be a means to know whether an
IP address check is bogus when resolving exists functions, for example.

>> c) Mail From or PRA references do not resolve which domain
>> administered the MTA or actually sent the message.
>
> It doesn't matter. If the domain owner devolves responsibility to
> the IP address owner, then the mail is effectively from the domain
> owner, and they can be held responsible for their email. Reputation
> services, and the law can be applied as appropriate.

You have this the wrong way around. SPF devolves responsibility to
that of the email-address domain owner from that of the provider. Any
conclusions about email origination based upon authorization are purely
speculative. It would be wrong, perhaps even risky, to conclude a
message originated from a domain offering MTA authorization.

>> d) holds customers of a provider accountable for the provider's
>> stewardship without any solid evidence of their involvement.
>
> Please expand, I don't understand this either.

Providers are not required to assure any particular email-address
domain within the Mail-From or that of some PRA is used exclusively by
users of the email-address domain. There may not be a relationship
between the account used to gain access to an email provider's
outbound MTA and the domain of the SPF record authorizing the MTA.
There should be greater concern that accountability is correctly applied.

> If the domain owners are feckless, then apply sanctions.
> Accountability HAS to lie with domain owners if you want to
> establish reputation services based on domain names, and most people
> do want to do that. If the domain owner is found to be feckless,
> then reputation sanctions should be applied.

CSV better ensures the domain providing access is held accountable.
Accountability is normally applied against the IP address of the MTA.
SPF's attempt at holding Mail From or the PRA domains accountable
subverts the often intended use of SPF as a means to mitigate
backscatter. It would be foolish to assume SPF assigns who is
accountable for having originated a message.
-Doug
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
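The transaction-overhead and macro points in Doug's reply above can be checked against a concrete record. The following is an added example and not part of the thread or of any SPF implementation: a small Python checker that counts the DNS-querying terms in an SPF record (the 10-term processing limit of RFC 4408 section 10.1, kept in RFC 7208 section 4.6.4) and flags macro-bearing terms whose expansion changes with the envelope sender, HELO name or connecting IP, which is what makes a resolver cache useless against a record such as `exists:%{l}.%{d}._spf.example.com`. The records, sender addresses and IPs are constructed; the macro expander is deliberately reduced (s, l, o, d and i macros with the digit and reverse transformers only), and nothing here queries DNS.

```python
import re

# Mechanisms and modifiers whose evaluation needs a DNS query. RFC 4408 s.10.1
# caps these at 10 per check; ip4, ip6, all and exp do not count.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# %{letter}[digits][r]; custom delimiter transformers are not handled here.
MACRO_RE = re.compile(r"%\{([a-zA-Z])(\d*)(r?)\}")

# Macros whose value comes from the envelope sender (s, l), connecting IP
# (i, p), HELO name (h) or, in exp=, the receiver and time (c, r, t). A term
# built from them yields a different query name for every sender or source,
# so repeated lookups cannot be answered from cache.
PER_MESSAGE_MACROS = set("slihpcrt")


def analyze_spf(record: str) -> dict:
    """Count lookup-causing terms and flag macro use, without touching DNS.

    Returns the lookup count, whether it exceeds the limit of 10, the terms
    that contain macros, and the subset whose macros vary per message.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")

    lookups = 0
    macro_terms, per_message_terms = [], []
    for term in terms[1:]:
        body = term.lstrip("+-~?")               # drop the qualifier, if any
        sep = "=" if "=" in body else ":"        # modifiers use '=', mechanisms ':'
        name, _, arg = body.partition(sep)
        base = name.split("/")[0].lower()        # 'a/24' -> 'a'
        if base in LOOKUP_TERMS:
            lookups += 1
        letters = {m.group(1).lower() for m in MACRO_RE.finditer(arg)}
        if letters:
            macro_terms.append(term)
            if letters & PER_MESSAGE_MACROS:
                per_message_terms.append(term)

    return {
        "lookups": lookups,
        "over_limit": lookups > 10,
        "macro_terms": macro_terms,
        "per_message_terms": per_message_terms,
    }


def expand_macros(text: str, sender: str, ip: str, domain: str) -> str:
    """Expand the s, l, o, d and i macros with digit/reverse transformers.

    Reduced expander for illustration (assumption: other macro letters and
    custom delimiters are left unexpanded).
    """
    local, _, sender_domain = sender.partition("@")
    values = {"s": sender, "l": local, "o": sender_domain, "d": domain, "i": ip}

    def replace(match):
        letter, digits, reverse = match.group(1).lower(), match.group(2), match.group(3)
        if letter not in values:
            return match.group(0)                 # leave unsupported macros alone
        parts = values[letter].split(".")
        if reverse:
            parts.reverse()                       # %{ir}: 192.0.2.1 -> 1.2.0.192
        if digits:
            parts = parts[-int(digits):]          # %{o2}: keep rightmost N labels
        return ".".join(parts)

    expanded = MACRO_RE.sub(replace, text)
    # Literal escapes: %% -> %, %_ -> space, %- -> URL-encoded space.
    return re.sub(r"%([%_-])", lambda m: {"%": "%", "_": " ", "-": "%20"}[m.group(1)], expanded)


def distinct_query_names(term_arg: str, senders, ip: str, domain: str) -> set:
    """Names a verifier must query for one macro term across many senders."""
    return {expand_macros(term_arg, s, ip, domain) for s in senders}


if __name__ == "__main__":
    # Constructed record and senders; the domains are documentation names.
    record = ("v=spf1 include:_spf.example.net a mx ptr "
              "exists:%{l}.%{d}._spf.example.com ip4:192.0.2.0/24 -all")
    print(analyze_spf(record))
    senders = [f"user{i}@example.com" for i in range(5)]
    names = distinct_query_names("%{l}.%{d}._spf.example.com",
                                 senders, "192.0.2.1", "example.com")
    print(len(names), "distinct exists: targets for", len(senders), "senders")
```

Run against a real record, the interesting output is `per_message_terms`: a record with only `%{d}` macros still caches per domain, whereas one local-part macro turns every distinct sender address into a fresh query against the publishing domain's authoritative servers, which is the amplification Doug describes.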