ietf-mxcomp

Re: SPF abused by spammers

2004-09-17 12:21:22

 "Alan DeKok" declared:
<snip>

  My repeated, and explicit, comments in this thread have described
the problems faced by the recipient who is sent the message from the
shared MTA.  That recipient has no way to verify that the message is
not spoofed by another domain using the shared MTA.

  Any method which permits the recipient to verify the "MAIL FROM"
must involve the originator.  The shared MTA can claim that it is
forwarding the message, but because it is not the originator, it
cannot authenticate the message as truly coming from the originator.

  The shared MTA can use special/local information in order to
authenticate to its own satisfaction the "true" origin of the
message.  That information is not available to others in the network,
so they cannot perform the same authentication to satisfy themselves
as to the true origin of the message.  And they cannot take the word
of the shared MTA, as it may be compromised.



My understanding is that SPF records declare the policy of the _sender_.  If the
sender trusts the shared MTA to verify all originators and to prevent
cross-customer spoofing, then the sender can use something like '+mx -all' and
the receiver should respect the sender's trust in the shared MTA s/he uses.

If the sender does not trust the shared MTA, then s/he will be ill-advised to
publish such a self-confident policy.

If the sender's trust in the shared MTA is misplaced, IMHO that's an issue for
the sender, not for the receiver.


I think the more pressing issue in this area is a deployment one:

How many MTA 'products' are there today which would let a well-intentioned MTA
service provider implement and operate such a shared MTA?

How many service operators have now, or have plans for, such a service?

When this question was asked recently in 'another place' - one very
interested in SPF - there were two declarations of intent to offer what I would
term an 'alpha-grade' service in a few weeks' time. No one could identify any
production-grade services or technology.

I'd be delighted to see evidence to the contrary.

This lack of a suitable shared-server technology could limit the rate of market
deployment of whatever scheme we chose - particularly for those many domains
unable / unwilling to run their own dedicated outbound servers.

Chris Haynes
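
Added example, not part of the original message: a minimal sketch of the receiver-side check for a '+mx -all' policy, showing which inputs the receiver has when two customers share one outbound MTA. The domains, addresses, DNS table and function names are constructed for illustration, only the `all`, `mx` and `ip4` mechanisms are handled, and the result names follow RFC 7208.

```python
import ipaddress
# Constructed DNS data (not from the thread): two customers of one shared
# outbound MTA, each publishing the '+mx -all' policy mentioned above.
DNS = {
    "mx": {"alice.example": ["shared-mta.example"],
           "bob.example": ["shared-mta.example"]},
    "a": {"shared-mta.example": ["192.0.2.25"]},
    "spf": {"alice.example": "v=spf1 +mx -all",
            "bob.example": "v=spf1 +mx -all"},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def mx_addresses(domain):
    return {ipaddress.ip_address(addr)
            for host in DNS["mx"].get(domain, [])
            for addr in DNS["a"].get(host, [])}

def check_host(client_ip, mail_from_domain):
    """Evaluate the MAIL FROM domain's policy against the connecting IP."""
    record = DNS["spf"].get(mail_from_domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:          # skip the 'v=spf1' version tag
        qualifier = "+"                      # default qualifier
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term == "mx":
            matched = ip in mx_addresses(mail_from_domain)
        elif term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            return "permerror"               # outside this sketch's subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                         # no mechanism matched

# (submitter as known only to the shared MTA, connecting IP, MAIL FROM domain)
MESSAGES = [
    ("alice", "192.0.2.25", "alice.example"),
    ("bob", "192.0.2.25", "alice.example"),      # other customer, same MTA
    ("outsider", "198.51.100.7", "alice.example"),
]

def receiver_view():
    """What the receiver computes; the submitter column is invisible to it."""
    return [(who, check_host(ip, dom)) for who, ip, dom in MESSAGES]
```

The first two rows produce the same result because the receiver's inputs (connecting IP and MAIL FROM domain) are identical; telling them apart depends on enforcement inside the shared MTA.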