spf-discuss

Re: Maybe simple question

2003-12-14 09:30:52
Edward Ned Harvey wrote:

Picture this: [...]

I would strongly suggest that you re-read the SPF website, specifications, and draft, as nothing you have yet written leads me to believe that you understand how SPF is either intended or designed to work.

AOL creates a corporate policy that allows me to send mail from
nedharvey.com using their smtp servers, and I send through them using smtp
auth.  Right now I have about 5 domains, plus the company I work for, plus
their alternate domains, so all in all they should allow me to send mail
from about 8 domains.

In SPF terms, this doesn't require AOL to do anything. It requires *you* to either set up your own SMTP server or set your SPF records with +include:aol.com.

Yes, if you put this in, you allow all AOL subscribers to imitate you. It's the price you pay for taking the solution that's easiest to yourself.

Your unwillingness to make an effort to create clear outgoing mail paths for mail from your own domains is not a weakness in SPF. It is a weakness of the basic naivety of SMTP, and the policies of many ISPs that essentially allow outgoing forgery.

In time, these policies will become as unacceptable as operating entirely open relays.

Sometimes my brother or friends will come over with their laptops and want
to do their email on my network.

Then they, as responsible internet users, will either use SMTP-auth to use their own servers, or include your network in their SPF records.

I can go register other domains as I wish, and AOL has to let me send mail
from those domains. etc etc.

No, they don't. They may currently configure their SMTP servers in this way, but that's just their current choice.

If they require proof that I'm authorized to send from these domains, they
will need to hire staff to process all that, for me and thousands of other
customers.  It is a significant expense to AOL if they want to support
people sending from other domains.

This is an SMTP issue, NOT an SPF one. However, to take the flipside, if AOL were to properly configure their SMTP servers, it would place the cost on those causing the problem, and remove the cost of receiving spam from the recipients of the problem.

If they don't require proof, then anybody can spam from there.

As they already can, but I can (and have) put SPF records on *my* domains to stop them pretending to be me when they do so.

Yet some isp's won't allow customers to send from other domains.  Some isp's
will only allow their customers to send from isp.com.  This makes isp.com
cheaper.

And more responsible.

In short, people who send from domains other than isp.com will have to pay
more.

Consider it the "polluter pays" principle.

You're saying I have to pay to use SPF.

No. You're rather clumsily trying to put words into someone else's mouth to justify your own dislike of SPF.

Plus, there are many many locations where customers have no choice about
ISP's.  For example, people who live in the woods and have only one local
number to call, for one local ISP.  These people are *forced* to comply to
the policy of whatever isp is there.

That ISP has a commercial choice to adapt or die. No matter how many captive customers it has, no ISP can survive when their outgoing mailservers are universally blacklisted.

In Boston, I would be forced to use rcn's policy, or comcast's policy,
because they're the only cablemodem providers here.  What shall I do if they
decide I can only use mail@rcn.com or mail@comcast.com?

If they decided that all their clients had to share one email address between them, I would indeed be worried.


Your entire opposition to SPF appears to be based on the laziness or irresponsibility of users and service providers. Previously, these could go unpunished by the greater community of users, as there was no way of detecting this sort of abuse of the SMTP system. SPF, however, allows detection of this behaviour, at which point appropriate action can be taken.

If it really is the case that SPF requires a tightening-up of email policies and server configurations, so much the better - this is long overdue. If that's the only thing SPF achieves (and I don't believe that for a second), it will still be worth the effort put in.

Consider this in the light of SMTP. As one of the early internet protocols, it was written with hard-coded naivety; every server was expected to be an open relay, because everyone online could be trusted. We've since found this to be a flawed assumption, and so the first generation of SMTP-hardening has occurred; open relays were closed. And there was no massive backlash against people closing their servers (except for a few desperate spammers); instead the backlash is against those who have *not* adapted, who have *not* made an effort for what I can only call "the greater good".

There were some issues for that; some people weren't "near" their own relays and so suffered from the global lockdown. And of course there were solutions; Poll-Then-Post behaviour (eg Geocities) and SMTP authentication. There were a few growing pains, but the vast majority of 'net users accepted these as necessary. Nowadays, anyone who protested against the lockdown looks rather silly in hindsight.

It will happen just the same for SPF. There will be growing pains, and complaints, and there will be solutions (eg SRS, more use of SMTP-AUTH, and VPNs) but the net result will be the one globally desired.

        Wechsler
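
The trade-off discussed in the message above (publishing an include for your ISP lets every subscriber of that ISP pass as your domain), as an added example that is not part of the original message: a simplified SPF evaluator run over constructed records. The names nedharvey.example and isp.example are stand-ins for the poster's domain and the ISP, every record and address is made up, and only the all, ip4 and include mechanisms are handled.

```python
import ipaddress

# Constructed zone data (documentation address ranges); not real published records.
ZONE = {
    "nedharvey.example": "v=spf1 +include:isp.example -all",  # the "easy" option
    "strict.example": "v=spf1 +ip4:192.0.2.10 -all",          # own SMTP server only
    "isp.example": "v=spf1 +ip4:198.51.100.0/24 -all",        # ISP's shared relays
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, zone=ZONE, depth=0):
    """Return the SPF result for a connecting IP that claims `domain`."""
    record = zone.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:  # guard against include loops
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without a qualifier defaults to "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include matches only when the included record itself yields "pass";
            # any other result simply means "no match, try the next mechanism".
            matched = check_host(ip, arg, zone, depth + 1) == "pass"
        else:
            return "permerror"  # mechanism outside this simplified sketch
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def demo():
    """The receiver sees only the relay IP and the claimed domain, not the subscriber."""
    relay = "198.51.100.25"  # constructed: one of the ISP's shared outbound relays
    return {
        "nedharvey.example via ISP relay": check_host(relay, "nedharvey.example"),
        "strict.example via ISP relay": check_host(relay, "strict.example"),
        "nedharvey.example via unrelated host": check_host("203.0.113.7", "nedharvey.example"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The first case passes for any subscriber who submits through the shared relay, because the check is made on the relay's address alone; the domain that lists only its own server fails the same submission.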

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.3.txt

