Re: Maybe simple question
2003-12-14 09:30:52
Edward Ned Harvey wrote:
> Picture this: [...]
I would strongly suggest that you re-read the SPF website,
specifications, and draft, as nothing you have yet written leads me to
believe that you understand how SPF is either intended or designed to work.
> AOL creates a corporate policy that allows me to send mail from
> nedharvey.com using their smtp servers, and I send through them using smtp
> auth. Right now I have about 5 domains, plus the company I work for, plus
> their alternate domains, so all in all they should allow me to send mail
> from about 8 domains.
In SPF terms, this doesn't require AOL to do anything. It requires *you*
to either set up your own SMTP server or set your SPF records with
+include:aol.com.
Yes, if you put this in, you allow all AOL subscribers to imitate you.
It's the price you pay for taking the solution that's easiest to yourself.
Your unwillingness to make an effort to create clear outgoing mail paths
for mail from your own domains is not a weakness in SPF. It is a
weakness of the basic naivety of SMTP, and the policies of many ISPs
that essentially allow outgoing forgery.
In time, these policies will become as unacceptable as operating
entirely open relays.
> Sometimes my brother or friends will come over with their laptops and want
> to do their email on my network.
Then they, as responsible internet users, will either use SMTP-auth to
use their own servers, or include your network in their SPF records.
> I can go register other domains as I wish, and AOL has to let me send mail
> from those domains. etc etc.
No, they don't. They may currently configure their SMTP servers in this
way, but that's just their current choice.
> If they require proof that I'm authorized to send from these domains, they
> will need to hire staff to process all that, for me and thousands of other
> customers. It is a significant expense to AOL if they want to support
> people sending from other domains.
This is an SMTP issue, NOT an SPF one. However, to take the flipside, if
AOL were to properly configure their SMTP servers, it would place the
cost on those causing the problem, and remove the cost of receiving spam
from the recipients of the problem.
> If they don't require proof, then anybody can spam from there.
As they already can, but I can (and have) put SPF records on *my*
domains to stop them pretending to be me when they do so.
> Yet some ISPs won't allow customers to send from other domains. Some ISPs
> will only allow their customers to send from isp.com. This makes isp.com
> cheaper.
And more responsible.
> In short, people who send from domains other than isp.com will have to pay
> more.
Consider it the "polluter pays" principle.
> You're saying I have to pay to use SPF.
No. You're rather clumsily trying to put words into someone else's mouth
to justify your own dislike of SPF.
> Plus, there are many many locations where customers have no choice about
> ISPs. For example, people who live in the woods and have only one local
> number to call, for one local ISP. These people are *forced* to comply to
> the policy of whatever isp is there.
That ISP has a commercial choice to adapt or die. No matter how many
captive customers it has, no ISP can survive when their outgoing
mailservers are universally blacklisted.
> In Boston, I would be forced to use rcn's policy, or comcast's policy,
> because they're the only cablemodem providers here. What shall I do if they
> decide I can only use mail(_at_)rcn(_dot_)com or mail(_at_)comcast(_dot_)com?
If they decided that all their clients had to share one email address
between them, I would indeed be worried.
Your entire opposition to SPF appears to be based on the laziness or
irresponsibility of users and service providers. Previously, these could
go unpunished by the greater community of users, as there was no way of
detecting this sort of abuse of the SMTP system. SPF, however, allows
detection of this behaviour, at which point appropriate action can be taken.
If it really is the case that SPF requires a tightening-up of email
policies and server configurations, so much the better - this is long
overdue. If that's the only thing SPF achieves (and I don't believe that
for a second), it will still be worth the effort put in.
Consider this in the light of SMTP. As one of the early internet
protocols, it was written with hard-coded naivety; every server was
expected to be an open relay, because everyone online could be trusted.
We've since found this to be a flawed assumption, and so the first
generation of SMTP-hardening has occurred; open relays were closed. And
there was no massive backlash against people closing their servers
(except for a few desperate spammers); instead the backlash is against
those who have *not* adapted, who have *not* made an effort for what I
can only call "the greater good".
There were some issues for that; some people weren't "near" their own
relays and so suffered from the global lockdown. And of course there
were solutions; Poll-Then-Post behaviour (eg Geocities) and SMTP
authentication. There were a few growing pains, but the vast majority of
'net users accepted these as necessary. Nowadays, anyone who protested
against the lockdown looks rather silly in hindsight.
It will happen just the same for SPF. There will be growing pains, and
complaints, and there will be solutions (eg SRS, more use of SMTP-AUTH,
and VPNs) but the net result will be the one globally desired.
Wechsler
-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.3.txt
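
The trade-off discussed in the message above (delegating with `include:` to a shared ISP versus publishing your own outbound address) can be seen by evaluating both policies. This is an added example, not part of the original post or of any SPF implementation: the domain names, the records and the documentation-range addresses are constructed, only the `ip4`, `include` and `all` mechanisms are handled, and `include` follows the semantics later standardised in RFC 7208.

```python
import ipaddress

# Constructed DNS TXT data: placeholder names, documentation address ranges.
TXT = {
    "shared-isp.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "lazy.example": "v=spf1 include:shared-isp.example -all",
    "own-server.example": "v=spf1 ip4:198.51.100.25 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Evaluate a small SPF subset (ip4, include, all) for a connecting IP."""
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:  # guard against include loops
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            matched = True
        elif mech.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(mech[4:], strict=False)
        elif mech.startswith("include:"):
            # include matches only when the included policy returns "pass"
            matched = check_host(ip, mech[8:], depth + 1) == "pass"
        else:
            return "permerror"  # mechanism outside this sketch
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def report():
    """Results for each policy against three constructed sending hosts."""
    senders = {"isp_relay": "192.0.2.77", "own_mta": "198.51.100.25",
               "unrelated": "203.0.113.9"}
    return {(d, name): check_host(ip, d)
            for d in ("lazy.example", "own-server.example")
            for name, ip in senders.items()}


if __name__ == "__main__":
    for key, result in report().items():
        print(key, result)
```

Mail relayed through the shared ISP passes for `lazy.example` regardless of which of the ISP's customers submitted it, while `own-server.example` passes only from its single published address.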