ietf-mxcomp

RE: Point of Order: Incomplete, flawed response to MARID WG Charter

2004-08-19 12:31:03

Daryl,

* Sender-ID does not call for receiving MTAs to do a
malformed SMTP Mail From check.

However, we know (see the US Bank spoof scenario as an
example) doing such a check would prevent spammers from
sending directly from IP address to the receiver's MX.

* Sender-ID does not call for receiving MTAs to do an SMTP
Mail From check in the absence of PRA.

However, we know as has been pointed out by doing so, this
aids in the prevention of one form of 'backscatter' as
pointed out by Chris and helps to minimize the risk of
false positives, as has been pointed out by Meng.

I must be honest and say I am totally confused. 

For almost 3 weeks now, some of us have been raising the
issue of having Sender-ID include an SMTP Mail From check
based on the SPF protocol to pick up and deal with these
obvious exploits. 

Yet the answer has been negative. 

That is until most recently. 

Harry has now responded by suggesting a BCP as opposed to
amending the protocol drafts.

I am most grateful for Harry's response. 

The proposal only deals with one part of the issue, the
malformed SMTP Mail From at the data stage. It does not
call for doing a spoof check using SMTP MAIL FROM in the
absence of PRA at the data stage, so reducing the risk of
false positives as pointed out by Meng and avoiding one
element of backscatter as pointed out by Chris.

However, I am sure the proposal can easily include both
without causing any disruption or delay, while giving
favourable consideration to the solution to the version
string issue as proposed by Scott.

At the same time Andy has now indicated it is appropriate
for individuals to come forward with other proposals, which
means a set of drafts for SPF can be put on the table and
dealt with once we finish dealing with Sender-ID.

Yes, I appreciate Chris's stance may have offended some and
caused others to get upset. However, others have been
equally offended and upset by the refusal to budge on an
issue which to many was clear.

But now that we all understand what the engineering
concerns are, how about we get on with the show and work on
a BCP for Sender-ID, while letting others come forward with
SPF protocol drafts to complete the needed work to support
the BCP?

John

cc. Chris, Harry

John Glube
Toronto, Canada

The FTC Calls For Sender Authentication
http://www.learnsteps4profit.com/dne.html