ietf-mxcomp

RE: (DEPLOY) In Support of Sender ID

2004-09-03 05:43:12

-----Original Message-----
From: owner-ietf-mxcomp@mail.imc.org [mailto:owner-ietf-mxcomp@mail.imc.org] On Behalf Of Meng Weng Wong
Sent: Friday, September 03, 2004 2:42 AM
To: ietf-mxcomp@imc.org
Subject: Re: (DEPLOY) In Support of Sender ID

On Fri, Sep 03, 2004 at 06:25:21AM +0100, Graham Murray wrote:
|
| In the case of sending from a large ISP (and that includes commercial
| sites who outsource email) that is not true. Unless the ISP does
| additional checking then Sender-ID (and SPF) still allows a customer
| of the ISP to forge the mail as coming from any other customer of that
| ISP.

My read of most ISPs is that they are willing to move in
this direction if it proves necessary.  Many ISPs are
beginning to roll out (mandatory) SMTP AUTH.  With that in
place, halting cross-customer forgery becomes a much more
likely proposition.

While SMTP AUTH will help ISPs manage access to their MTAs, it doesn't help
them with the policy and procedural issues of managing lists of domains that
different users may legitimately send from.  I believe that these types of
issues are ultimately a greater deterrent to large scale prevention of
cross-customer forgery than the particular method of MTA access
authentication.

As I've said before,

http://www.imc.org/ietf-mxcomp/mail-archive/msg04034.html

I think the simplest way all around (assuming we go forward with Sender-ID
in some form) is to have ISPs use Submitter.  That way they don't have to
manage lists of domains that customers have access to.  Any messages coming
from the ISP MTA are checked under Sender-ID against the ISP spf2 pra
record.  I don't think it changes in any significant way what they will
already have to do to support Sender-ID anyway.

For those of us without the resources to operate our own MTA, the potential
for cross-customer forgery is a huge issue.

Scott Kitterman
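The two situations argued over in this message (a customer forging another customer's address through the shared ISP MTA, and the ISP stamping its own Sender header so that the PRA resolves to the ISP domain) can be walked through with a small simulation. The following is an added illustration written for this archive page; it is not code from the thread, from Scott Kitterman, or from any Sender-ID implementation. The domains, the ISP MTA address 192.0.2.25, and the DNS zone are constructed for the example, and only the ip4: and all mechanisms of an spf2.0/pra record are modelled. The PRA header order (Resent-Sender, Resent-From, Sender, From) follows the Sender-ID draft of the time.

```python
"""Simplified Sender-ID PRA check (added illustration, not from the thread).

Constructed, hypothetical DNS data and messages. Only the ip4: and all
mechanisms of spf2.0/pra records are evaluated; everything else is ignored.
"""
import ipaddress

# Constructed zone: domain -> published spf2.0/pra TXT record (hypothetical).
# customer-a and customer-b both outsource mail to the ISP's MTA, 192.0.2.25.
DNS = {
    "isp.example": "spf2.0/pra ip4:192.0.2.25 -all",
    "customer-a.example": "spf2.0/pra ip4:192.0.2.25 -all",
    "customer-b.example": "spf2.0/pra ip4:192.0.2.25 -all",
    "elsewhere.example": "spf2.0/pra ip4:198.51.100.9 -all",
}

ISP_MTA = "192.0.2.25"  # assumed address of the shared ISP outbound MTA

# Header precedence for the Purported Responsible Address (Sender-ID draft).
PRA_HEADERS = ("Resent-Sender", "Resent-From", "Sender", "From")


def pra(headers):
    """Return the PRA mailbox from a list of (name, value) header tuples."""
    for wanted in PRA_HEADERS:
        for name, value in headers:
            if name.lower() == wanted.lower():
                return value.strip()
    return None


def domain_of(mailbox):
    return mailbox.rsplit("@", 1)[1].lower()


def check_pra(headers, client_ip, dns=DNS):
    """Evaluate the PRA domain's spf2.0/pra record against the connecting IP.

    Returns (result, pra_domain) with result in pass/fail/neutral/none.
    """
    address = pra(headers)
    if address is None:
        return ("none", None)
    domain = domain_of(address)
    record = dns.get(domain)
    if record is None or not record.startswith("spf2.0/pra"):
        return ("none", domain)
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return ("pass", domain)
        elif term == "-all":
            return ("fail", domain)
        elif term in ("all", "+all"):
            return ("pass", domain)
    return ("neutral", domain)


# Constructed messages, all injected by customer B through the ISP MTA.
# Case 1: B forges A's address; nothing in the message names the ISP.
forged = [("From", "alice@customer-a.example"), ("To", "x@elsewhere.example")]
# Case 2: same forgery, but the ISP MTA stamps its own Sender header, so the
# PRA is the ISP domain and customer-a need not list the ISP's IPs at all.
stamped = [("Sender", "submit@isp.example")] + forged
# Case 3: B forges a domain that does not send through the ISP.
outsider = [("From", "ceo@elsewhere.example")]

if __name__ == "__main__":
    for label, msg in (("forged", forged), ("stamped", stamped), ("outsider", outsider)):
        print(label, check_pra(msg, ISP_MTA))
```

Running it shows the point of the exchange: the cross-customer forgery in case 1 passes, because customer-a's record legitimately authorizes the ISP MTA and Sender-ID checks the domain's MTA authorization, not which customer authenticated to it. Case 2 also passes, now under the ISP's own record, which is what makes the per-customer domain lists unnecessary; whether the ISP actually ties the authenticated submitter to the From address is the additional check Graham Murray was asking about. Case 3 fails, since elsewhere.example never authorized the ISP MTA.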