
RE: Maybe simple question

2003-12-15 09:38:38
-----Original Message-----
From: Edward Ned Harvey [mailto:spf(_at_)nedharvey(_dot_)com]
Sent: Monday, December 15, 2003 5:52 PM
To: Spf-Discuss
Subject: RE: [spf-discuss] Maybe simple question

[snip]

Poor Joe can't do anything about it.  Consider his options:

1- If he's technically savvy, he receives a flood of bounce messages and
figures somebody must be hijacking his email address, so he reports the
incident to isp.net.  Isp.net can probably stop the messages now.  But they
won't catch the spammer, because the spammer won't use his own isp or his
own account for the attack -- the spammer will always hijack somebody else's
computer for that purpose.  Meanwhile, 100 million spams have already been
delivered.

Hijacking a computer is not covered by SPF. However, the spammer must now hijack a computer that's in the correct ISP for the domain that they're forging. Presto, you've eliminated 99% of the zombies, now you're limited to the few that belong to the ISP.

2- Joe can take isp.net out of his dns records, but then poor joe can't send
email from isp.net.  What's more, 100 million spams have already been
delivered, and the dns changes won't propagate fast enough to stop the rest
anyway.

Well, Joe is a domain holder, and Joe has to face a decision. He has two options: He can either accept the risk of allowing his domain to be forged, by all of the people who are allowed to relay mail through his ISP's relay, resulting in reputation damage to his domain, or resort to other means.

If he is technologically savvy, he can maintain his own SMTP server (doesn't he have one anyway, if he's a domain owner? oh, that's right, he has his ISP hold it for him and deliver anything(_at_)joesdomain to his POP3 box). He can set up a simple relay server on his machine, and point the SPF record to his (static) IP.

If he doesn't have a static IP, he can sign up with one of the dynamic DNS providers like dyndns, and have his SPF record contain:

joedomain.com   IN      TXT     "v=spf1 +a:joeslaptop.dyndnsprovider.net -all"

This way he can take his laptop anywhere, even to another ISP, and send email to his heart's content.

If Joe wants to let other people send mail from his domain, he can either set up
authenticated SMTP for them, or sign them up to a dynamic DNS service and set up
the SPF record to include all his buddies.

One thing may still happen: The ISP may block port 25 for outgoing connections. In this case Joe can either take his chances with the Joe-job or take his business to a different ISP, if that's available.

But let's look at the broader sense: Why do ISPs block port 25? They block port 25 BECAUSE spamming and spoofing is possible. If SPF is widely adopted, why would ISPs bother with port blocks? Let them spammers try, their dial-up IP address won't be found in any SPF records.

The downside of this is that people who own their own domain will eventually have to run their own SMTP servers (even if it's on their home machines), which has some disadvantages (namely deferred messages handling).

-- Arik
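To show what a receiving MTA actually does with the record above, here is an added example (not from the post or from any SPF implementation) of a minimal SPF evaluator. It supports only the a, ip4 and all mechanisms with qualifiers, and replaces live DNS with a constructed lookup table, so the laptop name, its A record and the sending addresses are all assumptions.

```python
import ipaddress

# Constructed DNS answers standing in for real lookups (assumption, not from the page).
FAKE_DNS = {
    ("joedomain.com", "TXT"): ['"v=spf1 +a:joeslaptop.dyndnsprovider.net -all"'],
    ("joeslaptop.dyndnsprovider.net", "A"): ["203.0.113.7"],  # laptop's current dynamic IP
    ("joedomain.com", "A"): ["192.0.2.10"],
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Return the records of the given type for a name from the constructed table."""
    return FAKE_DNS.get((name.lower(), rtype), [])


def check_spf(domain, sender_ip):
    """Evaluate the domain's v=spf1 record against the connecting IP (toy evaluator)."""
    records = [r.strip('"') for r in lookup(domain, "TXT")]
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return "none"          # domain publishes no SPF record
    if len(spf) > 1:
        return "permerror"     # multiple SPF records are a publishing error
    ip = ipaddress.ip_address(sender_ip)
    for term in spf[0].split()[1:]:
        qualifier = "+"        # a mechanism with no qualifier means "pass" on match
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "a":
            # "a:host" matches if any A record of host equals the sender IP;
            # a bare "a" uses the domain itself (dynamic DNS keeps host current).
            target = arg or domain
            matched = any(ipaddress.ip_address(a) == ip for a in lookup(target, "A"))
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"  # mechanism not supported by this toy evaluator
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"           # no term matched and no "all" was present
```

A message from the laptop's current address passes, while one from any other address, such as a hijacked dial-up host, hits "-all" and fails.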


