On Thu, 2 Sep 2004 14:20:14 -0700 (PDT), Rand Wacker
<rand(_at_)sendmail(_dot_)com> wrote:
On Thu, 2 Sep 2004 mazieres(_at_)gmail(_dot_)com wrote:
I've talked to numerous large banks and consumer-oriented companies -- big
ones, the kind that run ads on TV -- and they've done the analysis on
their customer email address lists that a large majority (more than 50%)
go only one hop to large ISPs that don't allow forwarding, and to large
enterprises that discourage such. So, for these sites, a majority of
their customers will be very well served by accurately authenticating the
From: address which is shown in their MUA *today*. This is something that
SPF-classic can not provide today.
Wait a sec... surely you don't claim that Sender ID can authenticate
anything with MUAs today. I agree that in single-hop scenarios, mail
won't be rejected by Sender ID. However, nothing stops forgery of the
From: header by viruses or spammers. If I add a "Resent-Sender:
virus(_at_)com" header, today's MTAs are still going to display the
unauthentic "From: whatever(_at_)mybank(_dot_)com" header.
Anyway, are MUAs really within scope here, in a working group about
MTA authentication?
My challenge remains... describe a concrete scenario that requires
Sender ID, and that could not achieve the same effective result with
SPF-classic. Vague references to banks don't convince me any more,
because I've thought through concrete scenarios, and in every case, if
you specify what needs to be sent to whom, and what the attacker is
trying to do, you'll see that SPF-classic is basically as powerful as
Sender ID. Once you throw end users into the fray, you'll find that
in either case you need to make small modifications to the MUA, but
neither modification is particularly hard to do.
David