ietf-mxcomp

Re: change of version string

2004-08-11 02:20:20

wayne wrote:

For the vast majority of people, publishing SPF1 records
will be all they need to do or worry about.  For those
that require different records for the PRA check vs the MAIL
FROM and HELO checks, they can publish SPF2 records.

Existing sender policies use v=spf1 and are meant to check
only the MAIL FROM.  They don't allow SUBMITTER, where some
bounces would be sent again to an innocent MAIL FROM when
a malicious SUBMITTER got a PASS for his PRA, and something
between MX and MUA detects this or another problem too late
for a REJECT.

If that's the case then SUBMITTER is incompatible with SPF.
And if SUBMITTER is only an accelerated PRA test (allowing
early rejection before DATA) then anything not rejected by
PRA could later result in bounces to the forged MAIL FROM.

I really hate these bounces, and writing a script to send
MAIL FROM:<forged@xyzzy> SUBMITTER=phisher@directi.example
with Sender: trust me <phisher@directi.example> is easy,
and getting directi.example IN TXT "v=spf1 +all" is cheap.

At the moment this would result in a Sender-Id PASS and
later probably in a bounce to me.  And I don't want this.

But I do want to use "my" address From: nobody@xyzzy with
an MSA forcing MAIL FROM:<me@msa.example>, and I don't
want this to be rejected based on the v=spf1 sender policy
for xyzzy.

Therefore somebody wanting PRA _and_ MAIL FROM tests has to
say so in his sender policy, because that's the unusual case
after months of propagating and implementing SPF classic.

There are numerous documents and articles "in the wild" 
explaining classic SPF, and they don't say "but you can't
use your address in From: headers anymore unless [PRA]".

it is like asking these two questions about the president:
a) Is the current occupant of the U.S. Presidency over
   the age of 35?
b) Is the current occupant of the U.S. Presidency a U.S.
   citizen?

PRA asks "is a U.S. citizen over the age of 35 eligible as
president ?"  SPF classic asks "is the U.S. president a U.S.
citizen over the age of 35 ?"  The answers can be different.

                        Bye, Frank
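
An added illustration, not part of the thread or of any SPF/Sender-ID implementation: it evaluates the two identities the message contrasts (MAIL FROM versus PRA) for the two cases Frank describes. The policy table, client IPs, the a@b.example address and the simplified header order used to pick the PRA are assumptions constructed for this example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed policies (not real DNS data): domain -> client IPs that PASS,
# or "+all" meaning every client passes, as in "v=spf1 +all".
POLICIES = {
    "directi.example": "+all",
    "xyzzy": {"192.0.2.10"},
    "msa.example": {"203.0.113.5"},
}

def check(address, client_ip):
    """Toy policy evaluation for one identity: 'pass', 'fail' or 'none'."""
    policy = POLICIES.get(address.rpartition("@")[2].lower())
    if policy is None:
        return "none"
    return "pass" if policy == "+all" or client_ip in policy else "fail"

def pra(raw_message):
    """Simplified PRA selection: the first of these headers present wins."""
    msg = message_from_string(raw_message)
    for header in ("Resent-Sender", "Resent-From", "Sender", "From"):
        if msg.get(header):
            return parseaddr(msg[header])[1]
    return ""

def evaluate(mail_from, client_ip, raw_message):
    """Return the verdict for each identity plus where a bounce would go."""
    identity = pra(raw_message)
    return {
        "mail_from": check(mail_from, client_ip),
        "pra_identity": identity,
        "pra": check(identity, client_ip),
        "bounce_to": mail_from,
    }

# Case 1 (constructed): forged MAIL FROM, Sender: in a "+all" domain.
FORGED = evaluate("forged@xyzzy", "198.51.100.7",
    "Sender: trust me <phisher@directi.example>\nFrom: a@b.example\n\nhi\n")

# Case 2 (constructed): MSA rewrites MAIL FROM, author keeps From: at xyzzy.
VIA_MSA = evaluate("me@msa.example", "203.0.113.5",
    "From: nobody@xyzzy\n\nhi\n")

if __name__ == "__main__":
    print(FORGED)
    print(VIA_MSA)
```

In case 1 the PRA check passes while the MAIL FROM check fails, so a receiver that accepts on the PRA result alone and bounces later would send that bounce to the forged address; in case 2 the verdicts are reversed, which is the legitimate mail a v=spf1 record reinterpreted for PRA would reject.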