Nicolas Bougues wrote:
On Wed, Oct 15, 2003 at 11:43:59AM -0500, Dustin Trammell wrote:
What would you do then ? Systematically refuse mail from
wildcard-SPF ? If not (and I believe, probably not), what's the
point ? You accept the mail, anyway.
Checking wildcard can be useful at the policy level : this would
be a nice addition to spamassassin scoring.
I think that actually was the point. By taking into account this
factor in SPF, you could add an entry in the mail header that your
filtering software could use to make a more informed decision.
I was assuming that spamassassin would himself make that kind of SPF
lookup. Basically, it's a matter of local policy : it doesn't change
the RFC. I want my MTA to be fast, and avoid unnecessary traffic. If
this wildcard SPF test is just meant to give a clue to spamassasin,
well, just let him do it, he's already doing *lots* of things.
I agree, it would be a better place to do the check at the filter rather
than the MTA, but that requires the functionality to be built into the
filter so that it can check SPF itself. I believe most filters already
contain the functionality to check header entries. One option is the
better implementation, the other is the faster implementation. Both
would work about as well...
Well, they at least have the credit card number which hopefully is
real, and identifies the holder quite well. They would be required by
authorities to give any info they have in case of legal action.
You assume that everyone pays for their domain names with credit cards.
I do, but I also don't mind the registrar knowing who I really am. Some
registrars accept payment via (e)check, money order, paypal, western
union, carrier pigeon, etc., which people will use to hide their
identities. Ask the Oracle (search google) for: "register" + "domain" +
"your payment method of choice" and you will more than likely find many
registrars willing to take your money.
In a perfect world, registrars world make a considerable effort to
properly identify their registrants, which would make such an identifier
as has been suggested easily implementable. And like I mentioned
before, in the real world, some may make the effort and some may not.
Where the customers go, and what type of customers go there, would
indeed provide additional information to a reputation system such as has
also been suggested.
My feeling is, the spammers will switch to (or stay with) the registrars
that do not require proper ID and don't provide an indicator on the
domain whois records, and entities with legitimate domain names that
want extra protection will switch to (or stay with) the registrars that
do. Like I've said before, it's completely voluntary on the registrar's
part, and it really would provide no benefit anyway until
anti-spam/virus mechanisms are able to use such an identifier to their
benefit in making a decision. This functionality being available is
what will drive the customers of the registrars to start asking for the
identifier, which will hopefully in turn cause some registrars to begin
providing it.
---
Dustin D. Trammell
Vulnerability Remediation Alchemist
Citadel Security Software, Inc.
-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to
http://v2.listbox.com/member/?listname(_at_)½§Åv¼ð¦¾Øß´ë�ù1I�í-»F�qx(_dot_)com