spf-discuss

Re: "extreme SPF" scenario for ISPs: negligence perspective

2004-01-31 10:35:34
On Sat, Jan 31, 2004 at 07:47:21AM -0800, John Warren wrote:
| > 2) ISPs ensure that all end-user accounts are funneled through the ISP's
| >    mail servers.  They can either use SS or just block port 25.
| >    Business DSL may or may not want to also take advantage of this
| >    protection.  This is already the recommended configuration anyway.
| 
| Again only for their own customers. If the customer runs their own mail 
| server then the ISP does not touch the traffic. The customer has to 
| request that port 25 blocking be removed and that the ISP can test 
| their mail server to make sure it does not run as an open relay.

Agreed.  But first they will make the customer sign some kind of
indemnification.  "You will not forge messages" is already in many AUPs.
This is just the next logical step.

Suppose an ISP mailserver acts as a relay for outbound spam carrying
forged envelope/header information.  Suppose the bounces from that spam
end up hosing a third party's mail server due to the joe job.  Could
that third party sue the ISP for negligence?

If you put a swimming pool in your backyard you have to also put up a
fence to keep the neighbourhood kids from drowning.

You can argue foreseeability, duty, etc but it's academic unless you
really want to be the test case.

Cautious ISPs will put up the fence.  That fence doesn't have to be
absolute; it just has to respect whatever assertions the purported
domain has made.  That's why checking outbound SPF makes sense.  It's a
reasonable standard of caution that doesn't make life impossible for
normal people.  Domains that don't publish SPF don't get the benefit of
the doubt.  Domains that do publish SPF get an added layer of protection
because cautious ISPs respect their records.  If a vanity domain says
include:isp.com then everything's square.

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.5.txt
Wiki: http://spfwiki.infinitepenguins.net/pmwiki.php/SenderPermittedFrom/
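
The outbound check discussed in the message above, as an added example that is not part of the original post or of any SPF implementation: an ISP relay evaluates the envelope sender's SPF record against its own outbound IP before relaying. The domains, IP ranges and the RECORDS table are constructed stand-ins for DNS lookups, only the ip4, include and all mechanisms are handled, and relaying mail for a domain with no record is this example's assumption.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups (all names hypothetical).
RECORDS = {
    "isp.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "vanity.example": "v=spf1 include:isp.example -all",
    "bank.example": "v=spf1 ip4:198.51.100.0/24 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, depth=0):
    """Evaluate the ip4/include/all subset of SPF; returns a result string."""
    record = RECORDS.get(domain)
    if record is None:
        return "none"          # domain has published no assertion
    if depth > 10:
        return "permerror"     # guard against include loops
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:            # skip the "v=spf1" tag
        qual = QUALIFIERS.get(term[0])
        mech = term[1:] if qual else term      # strip an explicit qualifier
        qual = qual or "pass"                  # default qualifier is "+"
        name, _, arg = mech.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # Simplified: include matches only when the included domain passes.
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"  # mechanism outside this example's subset
        if matched:
            return qual
    return "neutral"

def relay_decision(relay_ip, mail_from):
    """Outbound policy: refuse only when the sender domain's record says fail."""
    domain = mail_from.rsplit("@", 1)[1].lower()
    result = check_host(relay_ip, domain)
    return ("reject" if result == "fail" else "relay"), result

if __name__ == "__main__":
    for sender in ("alice@vanity.example", "forged@bank.example", "x@nospf.example"):
        print(sender, relay_decision("192.0.2.25", sender))
```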

