ietf-mxcomp

RE: [Accountability!] RE: SPF abused by spammers

2004-09-14 11:29:41

On Tue, 2004-09-14 at 07:12, Gordon Fecyk wrote:
That's the point -- it's a hop-by-hop scheme. It's _all_ about how
much you trust the one mail server which is sending you mail. Where
before we had IP-based blacklists, now there are domain-based 
blacklists, without which SPF/SenderID is largely not useful.

I would live with domain-based blacklisting.  It's easier to manage currently
than IP-based blacklisting, until reputation services start to take hold or
other measures could apply to domains - named entities - instead of numbers.

I'm more interested in knowing that example.com is accountable for mail sent
in its name.  I can deal with whether example.com is worthy or not later.

Neither Sender-ID nor SPF provides an identity that will allow this later
reputation to be safely established.  When example.com sends mail using
an EHLO name of mx.example.com, this is not much different than
example.com using a MAIL FROM domain of rp.example.com.  For that
matter, the From mailbox domain does not need to match the identity
checked for either Sender-ID or SPF.  This makes EHLO no different.
Using EHLO does protect customers from lax providers.  Making the
authenticated EHLO visible would also greatly help reduce phishing. 
EHLO offers consumer protections that Sender-ID had only promised but 
without many of the risks.

-Doug