spf-discuss

Re: SPF and viruses

2004-01-30 12:38:11
On Fri, Jan 30, 2004 at 12:34:39PM -0600, Dustin D. Trammell wrote:
| Fridrik Skulason wrote:
| > However, the worm can also attempt to send out the mail just as if
| > the "real" user of the machine was sending the mail, by connecting to
| > the mail server (POP, IMAP or whatever) and in that case the mail
| > would be indistinguishable from regular mail from that domain as far
| > as SPF is concerned. 
| > 
| > In the second case SPF will not help.
| 
| In the second case, could the ISP not do something similar to what Meng
| is doing for pobox.com with a per-user policy?

Actually in the second case it would be the ISP's responsibility to make
sure the worm didn't go out.  ISPs today have to assume their broadband
customers have already been subverted and made into unwitting pawns of
an evil conspiracy.

  
http://archives.listbox.com/spf-discuss(_at_)v2(_dot_)listbox(_dot_)com/200401/1366.html

The rest of this message addresses a per-user exemption using "exists:".

| Using dynamic DNS, when a specific user receives a network address,
| they could add a specific SPF policy stating that this user may send
| as user(_at_)ISP from the network address they just received, then use
| internal SPF checking on their outbound mail servers to block it
| sending as any other envelope?  If I recall, SPF was designed to be
| this flexible, but I haven't been keeping up on the macros to give you
| an example.  Meng, would this be possible?

Yes, this would be possible.

People often ask me about the situation where user(_at_)acm(_dot_)org wants to send
mail using isp.com's mail servers.

The answer I give them is: in the common case isp.com could disallow it.
But isp.com could in theory perform SRS on outbound mail and encapsulate
the acm.org return path.  But that means the ISP has to trust the user
not to be a spammer trying to joe-job someone.

In a perfect world, acm.org could add a per-user exemption allowing user
to mail through isp.com.  If ISP.com really, really cared about its
users, it could then check SPF, pre-emptively, on outgoing mail, to
see if it needed to do SRS at all.

But that's in a perfect world.

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.5.txt
Wiki: http://spfwiki.infinitepenguins.net/pmwiki.php/SenderPermittedFrom/
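The per-user "exists:" exemption and the outbound pre-check discussed in this message, as an added example that is not part of the original post or of any SPF implementation. It expands the macros with the syntax later standardized in RFC 7208 and looks the result up in an in-memory zone. The record, the `_spf` zone layout, the addresses and the function names are assumptions made up for illustration.

```python
import re

# Constructed DNS data (assumption): names for which an A record exists.
# acm.org lists "user" as allowed to send via the isp.com relay 192.0.2.25.
ZONE = {"25.2.0.192.user._spf.acm.org"}

# Constructed record for acm.org (assumption): per-user exists:, fail otherwise.
RECORD = "v=spf1 exists:%{ir}.%{l}._spf.%{d} -all"

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MACRO = re.compile(r"%%|%\{([slodi])(r?)\}")

def expand(spec, sender, ip):
    """Expand the s, l, o, d, i macros (with optional 'r' reversal); IPv4 only."""
    local, domain = sender.rsplit("@", 1)
    values = {"s": sender, "l": local, "o": domain, "d": domain, "i": ip}
    def repl(m):
        if m.group(0) == "%%":
            return "%"
        parts = values[m.group(1)].split(".")
        if m.group(2):
            parts.reverse()
        return ".".join(parts)
    return MACRO.sub(repl, spec)

def check(record, sender, ip, zone=ZONE):
    """Evaluate only the exists: and all mechanisms, left to right."""
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        if term.startswith("exists:"):
            matched = expand(term[7:], sender, ip).lower() in zone
        elif term == "all":
            matched = True
        else:
            continue  # other mechanisms are not modelled here
        if matched:
            return RESULTS[qualifier]
    return "neutral"

def needs_srs(sender, relay_ip, record=RECORD):
    """Outbound pre-check: rewrite the return path only if SPF would not pass."""
    return check(record, sender, relay_ip) != "pass"
```

Because the lookup name includes both the local part and the reversed client address, the exemption covers one user from one relay and nothing else at acm.org.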

