Douglas Otis <dotis(_at_)mail-abuse(_dot_)org> wrote:
I see a conflict even within the specification. Jim Lyon has already
indicated any domain publishing an "open" record, requesting forwarded
mail receive a "Pass" assessment, will receive the bad reputation they
deserve. The specification does not warn of this problem.
The goal of specifications should not be to anticipate all possible
uses or abuses, of the specification. To ask this of a specification
is to guarantee that it will fail to achieve consensus.
By first performing CSV to authenticate and authorize the MTA, and then
obtaining an authorization list of names referenced by the mailbox
domain, this will specifically prevent spoofing.
I do not believe that there is enough consensus as to what "EHLO"
checking means, or "MAIL FROM" checking means. Without that
consensus, we have no quantitative way of comparing proposals, or for
deciding if a proposal meets our requirements.
There should be some consideration given this, as you have indicated
your own expectation the results of this scheme will be used for
establishing reputations.
That is a matter for a follow-up WG, or a re-charter of this WG,
once this WG finishes its current work. Until then, I see no point in
discussing the benefits or impacts of reputation systems.
I am not suggesting curtailing spoofing not be done. I am simply
advocating a better, safer, cleaner approach. And yes, it also makes
reputations safer as well.
I'm not sure how any "MAIL FROM" checking can prevent spoofing on a
shared MTA.
Alan DeKok.