On Mon, 16 May 2005 14:49:02 PDT, David MacQuigg said:
> The ID is used only to locate the authentication records. The actual check
> is done per the requirements of whatever method is specified in the DNS
> records at the ID. For example, if the ID is ebay.com, and ebay says "Here
> is an SPF record to use in checking that IP", then the check will be done
> against the MAIL FROM and HELO domains. If ebay says "Here is a Sender ID
> record", then it will be a different set of domains that gets
> checked. Whatever method is used, it is the ID that is responsible to
> choose the method and provide proper DNS records for that method.
But Sender-ID and SPF already *know* where to look for the data they want.
You stick an ID record in there, what are you *really* accomplishing?
Let's say we're looking at a scheme that validates MAIL FROM. Either:
1) The ID and MAIL FROM match. Why bother?
2) The ID and MAIL FROM don't match. Now you either have to check the MAIL FROM
*anyhow* and flag an error, or allow the spammer to hand you a valid ID and a
bogus MAIL FROM.
Work through your protocol, and assume that the spammer will *LIE* with whatever
value they think they can get the best results with.
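The two cases above, as an added example that is not part of the original thread: a simplified SPF evaluator over constructed DNS data, with a "look up the record at the ID" check beside a plain MAIL FROM check and a version that binds the two. The domains, IP addresses, record contents and function names are constructed for illustration, not taken from any real deployment.

```python
import ipaddress

# Constructed, offline stand-in for DNS TXT lookups: domain -> simplified SPF record.
# Only "ip4:" mechanisms with an implicit "-all" are modelled; real SPF has many more.
DNS_TXT = {
    "ebay.com":        "v=spf1 ip4:203.0.113.0/24 -all",   # constructed sample record
    "spammer.example": "v=spf1 ip4:198.51.100.7 -all",     # the spammer's own, valid record
}

def spf_pass(domain: str, client_ip: str) -> bool:
    """True if client_ip is authorised by the (simplified) SPF record at domain."""
    record = DNS_TXT.get(domain)
    if not record:
        return False
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return True
    return False  # nothing matched: treat as "-all"

def check_via_id(claimed_id: str, mail_from: str, client_ip: str) -> bool:
    """The indirection being discussed: the ID alone selects which record is checked.
    mail_from is deliberately ignored, because nothing binds the ID to it."""
    return spf_pass(claimed_id, client_ip)

def check_mail_from(mail_from: str, client_ip: str) -> bool:
    """Plain MAIL FROM validation: the domain being asserted is the domain checked."""
    return spf_pass(mail_from.split("@")[-1], client_ip)

def check_via_id_bound(claimed_id: str, mail_from: str, client_ip: str) -> bool:
    """Case 2 resolved: an ID that does not match MAIL FROM is flagged as an error,
    which leaves the ID adding nothing beyond checking MAIL FROM directly (case 1)."""
    if claimed_id != mail_from.split("@")[-1]:
        return False
    return check_mail_from(mail_from, client_ip)

# Constructed SMTP session: the spammer's own host, a truthful ID, a forged MAIL FROM.
FORGED = dict(claimed_id="spammer.example", mail_from="deals@ebay.com",
              client_ip="198.51.100.7")

if __name__ == "__main__":
    print("record-at-ID check :", check_via_id(**FORGED))          # True  (forgery passes)
    print("MAIL FROM check    :", check_mail_from(FORGED["mail_from"], FORGED["client_ip"]))  # False
    print("ID bound to MAIL FROM:", check_via_id_bound(**FORGED))  # False
```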