ietf-mxcomp
[Top] [All Lists]

Re: So here it is one year later...

2005-01-31 06:45:08

K.F.J. Martens wrote:
On Sun, Jan 30, 2005 at 02:44:27PM -0800, Douglas Otis wrote:
Those publishing SPF records want their mail to go missing?  There is no
means to know which recipient may be using a forwarded account.  There
is no means to prevent a "screw up" with SPF.  Forwarding is a common
practice within colleges, societies, and many providers.  Validating the
legitimacy of an MTA can take place within a single lookup of a small
CSV-CSA record.  A single lookup does not increase the risk to DoS
attacks, and also does not create inadvertent loss of mail, as does
SPF.

The forwarding problem is known and information is on spf.pobox.com
(which still is the primary source for information about spf). It's not
like it is 'the big secret of spf' that there is a forwarding issue.
[snip]

I can only elaborate a bit on my own motivations: ...

As admin of several dozen domains I publish SPF records to avoid litigation!

Considering that sending a virus as an offence against the Computer Misuse
Act (in the UK at least) every now and then I get irate messages accusing
my servers of sending out spam or viruses. A quick glance through the
header of the accused message confirms that it was spoofed and then I'm
able to write back saying "no, it wasn't my server that sent it and I've
published the SPF records to prove it. Please encourage your ISP to use
SPF" and give the pobox URL for good luck :-)

I'm happy to take the flack for messages not being delivered due to
"anonymous" forwarding. Note there is a difference between a person
forwarding a message from their MUA (which is effectively generating a new
message with the content of another - which SPF handles fine) and
"anonymous remailers" (where a forwarding 'bot effectively spoofs itself
as the original sender in order to forward the message on verbatim to the
ultimate recipient).

In the Good Old Days the anonymous remailer was a useful tool. But in
*this* day and age of forged-sender spam, Joe jobs and phishing that
functionality must (unfortunately) be considered broken.

You (Douglas and other anti-SPF posters) are quite correct in saying that
SPF won't stamp all spam (but then SPF never claimed it would) and that it
breaks anonymous forwarding (which SPF always acknowledged) but SPF+SRS is
the best, current, first-baby-steps solution available for stamping out
forged sender - which *is* IMHO the essential first step for eliminating
joe-jobs, phishing and a significant subset of spam.

Regards,

Ian.