spf-discuss

Re: Attacking the throwaway-domain problem

2003-10-15 08:13:21
In <20031015144902(_dot_)GA13477(_at_)arbat(_dot_)com> Erik Corry 
<erik(_at_)arbat(_dot_)com> writes:

Hi,

I thought I could provide a useful way of looking at what
SPF is proposing to do and how, but it seems that you
object to my use of words.

On Wed, Oct 15, 2003 at 09:19:27AM -0500, wayne wrote:

How and whether the IP address is authenticated is beyond the scope of
          ^^^^^^^
the SPF proposal.

This discussion of nomenclature isn't getting us anywhere, but
I'll point out that without any IP address authentication SPF
would be quite useless.

No, SPF can still be useful, even if an IP address is unauthenticated.

Imagine a website that allows someone to enter an IP address and a
domain name and gets back information about whether that IP address
has been authorized by that domain to send email from.  The IP address
is totally unauthenticated and could easily be a typo.  However, SPF
is still very useful for answering the authorization question.

Similarly, anti-spam systems such as SpamCop allow you to enter an
email message.  The email is parsed and checked to see where it really came
from and where to send UBE abuse complaints to.  SpamCop could use SPF
to check for violations in domain usage.  However, SpamCop has no way
of authenticating that the email the user entered is in any way
"real".  It could be made up in a text editor and have never seen an
actual mail program.  In fact, I have done just that a couple of times
to test various things.

Authentication != Authorization

SPF is about authorization.


The problem with SPF is that it doesn't provide the middle man
anything he can show to the next step in the chain that proves
that he (the middle man) made a real attempt to verify the origin
of the mail.

True, but SPF also doesn't slice bread.

SPF can only check to see if a given IP address is authorized to send
email using a given domain name.  In the most common usage, SPF can
only check the envelope-from of the latest hop.  In the case of
multiple hops, you either need to trust your upstream, or the upstream
must use the Sender Rewrite System to change the envelope-from.


           Domains can be created out of thin air for pocket change,
esp. if you allow 3rd level domains to publish their own SPF data.

Use graylisting.

We can do that now.  SPF may make it marginally more useful.

Actually, I think SPF makes graylisting much more useful.  The
techniques that spammers can easily use to get around graylisting are
stopped by SPF and the techniques that get around SPF are stopped by
graylisting.  They complement each other very well.


With pressure applied to the registrars it could be considerably
more useful.

I'm not going to debate whether authenticating people is more useful
or not.  It is not very relevant to SPF, however.



-wayne

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/