ietf-mxcomp
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: A new SMTP "3821" [Re: FTC stuff...........]

2004-12-07 11:59:15
from [David Woodhouse] [Permanent Link] 

On Tue, 2004-12-07 at 12:39 -0500, Alan DeKok wrote:

  But do they do the same thing?  I keep seeing statements like
"proposal X doesn't break forwarding like SPF breaks it".  But when I
look at proposal X, most of the time, it doesn't do MAIL FROM
checking, but something else.  So the comparison is unwarranted.


All proposals are different in their details; the important thing is
what they can _achieve_. Take CSV and SPF, for example. Of course the
details vary, but in practice they do exactly the same thing. Consider:
        MAIL FROM:<SRS0=xx=yy=ox(_dot_)org=aland(_at_)forwarder(_dot_)org>
        From: aland(_at_)ox(_dot_)org

Precisely because SPF validates only one hop, it's achieving no more
than CSV is. The recipient can look up how much they should trust
'forwarder.org' but you can't really tell if the message _really_ came
from you.

DK is similar but it uses the RFC2822 address of the most recent sender.
It's still achieving basically the same thing -- a validated name of
some kind, which you're expected to look up in your reputation database.

SES does actually validate the MAIL FROM: address, and it survives
traditional forwarding.


  In the physical world, these problems are solved by calling the
cable company, and asking them if they send a 6' 250lb guy named
"bob".  If they say yes, then you're likely to let him in.


That sounds like a description of SES. You try to send mail from me to
somewhere like sourceforge.net, and they'll call _my_ servers and ask if
I send MAIL FROM:<dwmw2(_at_)infradead(_dot_)org>. When I say no, they'll reject
the mail you're offering. Try it.

The similar description of SPF would be more along the lines of "you
call the cable company and ask them if the engineer they send will be
coming from the northwest and enter through your rear gate".


  Similar approaches should be workable on the net.  e.g. asking a
domain via DNS whether it is really responsible for certain traffic
which is using it's name.


"its name". But yes. The question is how you identify that traffic. In
the case of mail, we all agree it would be stupid to identify the
traffic by the MAC address on the packets. Many of us think it's
similarly stupid to use the IP address on the packets. Many of us are
offering other ways you could identify it.

-- 
dwmw2
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: A new SMTP "3821" [Re: FTC stuff...........], Alan DeKok
Next by Date:  Re: A new SMTP "3821" [Re: FTC stuff...........], Alan DeKok
Previous by Thread:  Re: A new SMTP "3821" [Re: FTC stuff...........], Alan DeKok
Next by Thread:  Re: A new SMTP "3821" [Re: FTC stuff...........], Alan DeKok
Indexes:  [Date] [Thread] [Top] [All Lists]