ietf-smtp

Re: Sender's Declaration of Identity

2005-05-16 20:58:32
On Mon, 16 May 2005 14:49:02 PDT, David MacQuigg said:

> The ID is used only to locate the authentication records.  The actual check 
> is done per the requirements of whatever method is specified in the DNS 
> records at the ID.  For example, if the ID is ebay.com, and ebay says "Here 
> is an SPF record to use in checking that IP", then the check will be done 
> against the MAIL FROM and HELO domains.  If ebay says "Here is a Sender ID 
> record", then it will be a different set of domains that gets 
> checked.  Whatever method is used, it is the ID that is responsible to 
> choose the method and provide proper DNS records for that method.

But Sender-ID and SPF already *know* where to look for the data they want.

You stick an ID record in there, what are you *really* accomplishing?

Let's say we're looking at a scheme that validates MAIL FROM. Either:

1) The ID and MAIL FROM match.  Why bother?

2) The ID and MAIL FROM don't match.  Now you either have to check the MAIL FROM
*anyhow* and flag an error, or allow the spammer to hand you a valid ID and a
bogus MAIL FROM.

Work through your protocol, and assume that the spammer will *LIE* with whatever
value they think they can get the best results with.
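The two cases in the reply above, as an added illustration that is not part of the thread: a toy receiver with constructed "DNS" records (the domains, IPs and the record table are made up for the example), run once trusting the sender-declared ID to pick the record and once checking the MAIL FROM domain directly.

```python
# Added illustration, not from the thread: a toy receiver with constructed
# "DNS" records, showing the two cases from the reply above.

# Constructed stand-in for SPF/Sender ID records: domain -> IPs it authorizes
# (real records are DNS TXT lookups with richer syntax).
AUTH_RECORDS = {
    "ebay.example": {"192.0.2.10"},      # the domain being impersonated
    "spammer.example": {"203.0.113.5"},  # a domain the sender controls
}

def domain_of(mail_from: str) -> str:
    """Domain part of a MAIL FROM address, lowercased."""
    return mail_from.rsplit("@", 1)[-1].lower()

def check_ip(domain: str, ip: str) -> str:
    """Consult the domain's record: 'pass', 'fail', or 'none' if no record."""
    allowed = AUTH_RECORDS.get(domain.lower())
    if allowed is None:
        return "none"
    return "pass" if ip in allowed else "fail"

def verify_trusting_id(declared_id: str, mail_from: str, ip: str) -> str:
    """Receiver that lets the declared ID choose whose record is consulted."""
    return check_ip(declared_id, ip)

def verify_mail_from(declared_id: str, mail_from: str, ip: str) -> str:
    """Receiver that checks the identity the scheme protects (MAIL FROM).
    Case 1: ID equals the MAIL FROM domain, so the ID was redundant.
    Case 2: they differ, so MAIL FROM must be checked anyway (flagged here).
    """
    if declared_id.lower() != domain_of(mail_from):
        return "fail"
    return check_ip(domain_of(mail_from), ip)

def compare(declared_id: str, mail_from: str, ip: str) -> dict:
    """Run both receivers on the same SMTP session parameters."""
    return {"trusting_id": verify_trusting_id(declared_id, mail_from, ip),
            "mail_from": verify_mail_from(declared_id, mail_from, ip)}

if __name__ == "__main__":
    # Honest session: ID and MAIL FROM agree and the IP is authorized.
    print(compare("ebay.example", "billing@ebay.example", "192.0.2.10"))
    # Case 2: a valid ID for the sender's own domain with a bogus MAIL FROM.
    print(compare("spammer.example", "billing@ebay.example", "203.0.113.5"))
```

The second call is the point of the reply: the ID-trusting receiver returns "pass" because the record it was pointed at is genuine, while the MAIL FROM check fails on the mismatch.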
