On Fri, 23 Jan 2004, Mark Shewmaker wrote:
: > The decision at hand is:
: >
: > How important is it to reject forgeries before DATA vs after DATA at "."
time.
:
: Okay, I'm not an ISP, (IANAISP--or does IANANISP look better), but:
:
: Why not both?
Because DATA can be arbitrarily large, and requires consumption of the
entire message. Most MTAs will choke if the DATA phase terminates abruptly
without consuming all data, and will turn around and send the message again.
This is a bandwidth waste problem. There's another, legal, problem with
rejecting after DATA; see below for more explanation.
Thus, reliable, well-deployed mail rejections must happen before DATA.
Sending a 5xx after DATA is "filtering", not "rejection", because the SMTP
agent had to accept the data before sending the 5xx!
Sure, go ahead and provide *suggestions* on how to implement filtering using
SPF and DATA-phase headers. PLEASE DO NOT MAKE THIS A "MUST" OR "SHOULD" IN
A RFC-TARGETED SPEC. Doing so will seriously degrade the feasibility of SPF
(even if dubbed "v2") implementation in most large ISPs.
<decloak style="frosted-glass">
I happen to know the internal folks of one such large ISP, and why they will
not implement SPF if it requires body checks.
</decloak>
: My bias is that I'd be rather put-off by an ISP pushing
: deterministic anti-forgery tests onto me because they didn't want to
: spend the CPU to do it themselves at the get-go and generate a
: proper reject when the opportunity existed.
ISPs can also get into legal trouble in some jurisdictions because only
rejection at RCPT TO time can provide each end-user the ability to choose
whether or not to use a given type of filter. Rejection at both MAIL FROM
and DATA have the effect of rejecting all recipients in a multi-recipient
mail.
: In any event, I'm guessing that spf2 will probably contain functionality
: that would require tests of the whole message anyway.
I sure hope not. I might as well pack up on the SPF idea and go home if it
turns into just another "filtering" scheme, because it'll end up being no
more useful than all the other filtering I have to do today.
SPF needs to provide determinism at the protocol level -- before a whole
message is accepted.
--
-- Todd Vierling <tv(_at_)duh(_dot_)org> <tv(_at_)pobox(_dot_)com>
-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to
http://v2.listbox.com/member/?listname(_at_)©#�«Mo\¯HÝÜîU;±¤Ö¤Íµø�?¡