ietf-mxcomp

Re: [spf-help] Re: SPF and SenderID

2005-07-22 03:51:59

[Alan DeKok]:

  John Leslie <john(_at_)jlc(_dot_)net> wrote:
  >    Exactly. A 60-day review cycle is considered fast.
  
    Any review is better than no review.  The original comment was
  insinuating that no review was done.

for many users, 60 days might as well be never.

no one can tell how the reputation services for CSV will operate, but
we can look at the DNSBLs in use today.  several of these have a
stated policy of never removing any IP addresses used for spamming.
e.g., SORBS requires the netblock to switch owners, _and_ the new
owner to donate USD 50 per IP address to charity to remove the
listing.

  > I read Kjetil's argument to be that with SPF, your reputation
  > will not quickly recover, and will inhibit email "From" your
  > domain for quite a while,
  
    I'm not sure why that is, as the explanation wasn't clear to me.
  Nothing in CSV or SPF that I can see indicates how quickly
  reputation will recover.  So assertions that reputation will
  recover more quickly for one than the other are unwarranted.

as the two reputations in CSV aren't connected, it is safe to say that
the recovery will be quick...  for SPF, there is no telling, it is out
of the domain administrator's hands.

    So... CSV ties reputations to domains, or to MTAs?
  
    The confusion here is that there are multiple domains that may
  be used for authorization.  EHLO, and MAIL FROM.  When CSV uses
  EHLO, sending "MAIL FROM" a particular domain is invisible to CSV,
  because it's not looking at MAIL FROM.  And in that case,
  reputation is tied to MTA, not to the "MAIL FROM" domain.

correct.  tying it to the MTA is what makes CSV deployable for just
about any e-mail provider, whereas SPF in most cases requires large
changes both in infrastructure and in customer behaviour.

    If CSV uses "MAIL FROM" for reputation, then it has pretty much
  the same issue as any other proposal using that field.

yes, I think it has been established by now that "MAIL FROM" can't be
used without breaking e-mail or being vulnerable to replay attacks.
-- 
Kjetil T.

