ietf-mxcomp

Re: How is SPF different from RMX?

2004-07-31 11:38:26

Dean Anderson <dean(_at_)av8(_dot_)com> wrote:
It wouldn't make any difference if they send mail through AOL's mail
servers instead, using a forged (or accurate) <user>@aol.com From:
address.

  Really?  I'm sure AOL would disagree.  Another 10^8 or so messages a
day passing through their system would make them take notice.

Essentially, all SPF is a way to force everyone to block outbound SMTP 
except from their relays.

  That's exactly wrong.  SPF is a way of enabling the recipient to
tell if a message was from an outgoing MTA or not.  Blocking outbound
SMTP is orthogonal.

  IMHO, MARID (RMX, etc) is about closing a hole in SMTP, which says
"messages MUST be accepted for delivery or bounced", but it makes no
provisions for ensuring that the message CAN be bounced.  

Ahh. Still trying to contact the abuser.

  Uh, no.  It's a way of finding if there is a responsible party for
the message.  For many spam & virus messages, the alleged domain can
refuse to accept responsibility, and the recipient can discard the message.

This is impossible. You already have an accountable entity: the IP address
delegate.  Evidently, they either aren't responsible enough or aren't
responsive enough to halt abuse. They are often the same entity as the
domain delegate:  AOL owns the IP address, AOL owns the aol.com domain.  
You haven't "proven" anyone's accountability.

  People sell IP connectivity with few restrictions.  Someone sending
2-3 spams a day from an IP isn't much of a problem so far as the IP
owner is concerned.  But a fraud artist claiming association with your
business name *is* a big deal.

The domain owner has no more control over the infected machine than the IP
address owner.  That being so, sender verification is pointless.

  Nonsense.  The domain owner controls his domain name.  If the
infected machine uses his name, he can deny responsibility for that
message.

The virus operator has to add a couple lines of code to his program to use
the infected machine's legitimate email address, and use psyBNC to
distribute this to his virus stable.  Time to implement: few days. Cost: 0.

I am sorry to be critical, but this was why the DNSEXT group rejected RMX.  
One has to wonder why it was brought up again without more critical
analysis.

  Some people think it's useful.

  Alan DeKok.