spf-discuss

Re: A couple of thoughts

2004-02-13 08:57:11
In <20040213153352(_dot_)GA12388(_at_)uk(_dot_)tiscali(_dot_)com> Brian Candler 
<B(_dot_)Candler(_at_)pobox(_dot_)com> writes:

I've been reviewing the SPF proposal, in particular the objections listed at
http://spf.pobox.com/objections.html

Thank you for reviewing SPF and SRS.  The more eyes that go over it,
the better it will be.

(1) If the SPF proposal is widely adopted, I'd expect spammers just to start
sending spams with null envelope senders, i.e.

  MAIL FROM:<>
  RCPT TO:<me(_at_)mydomain(_dot_)com>

This doesn't help the spammer at all.  If the envelope-from is null,
then SPF uses the HELO domain because the HELO domain is sending the
bounce.  All the spammer has done is moved the requirement from one
spot to another. 


SRS-signing outgoing messages is easily implemented by an ISP. And as soon as
they have done that, they can configure their inbound MTA to reject incoming
bounces which are not to SRS-signed addresses.

Good point!  I hadn't thought of that!

Right now, there isn't any real way to distinguish a real bounce from
a fake bounce, but SRS gives the ISPs an option to do this.  Sadly,
the format of the bounce messages is not documented and varies widely in
real life.  You can't count on message-ids or any sort of header being
preserved in the body of the bounce.  It takes a lot of parsing to
even determine which MTA (and version of the MTA) created the bounce
and therefore determine if it is even plausibly legitimate.


Hang on - suddenly we seem to have the same sort of protection that SPF is
supposed to give, without having implemented SPF at all!

Agreed!

In other words:
- signing your outgoing mails with SRS and rejecting unsigned bounces, is
  similar to publishing an SPF policy
- implementing callback filtering on a receiving host is sufficient to
  honour that policy

SRS and SPF don't completely overlap.  SRS requires knowing a secret,
which roaming users are unlikely to know.  Many (most?) ISPs consider
having to do a callback to be way too expensive.

SPF and SRS are completely independent solutions to different
problems.  People can freely use one without the other, although using
both is A Good Idea.

Mail relays which receive srs0-signed messages could convert them into srs1
messages, as per the SRS specification; but actually if you drop the whole
SPF business because it's no longer needed, [ ... ]

Callbacks are too expensive to consider dropping SPF.



Sorry for a long post, and thanks for listening :-)

Thanks for posting!

-wayne
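
An added example (not part of the original thread) of the inbound check discussed above: a null-sender message is accepted only when its recipient is an address this site signed on the way out. The tag and timestamp encoding are a simplified scheme that follows the SRS0 field layout and is not byte-compatible with any SRS implementation; `SECRET`, `LOCAL_DOMAIN`, `MAX_AGE_DAYS` and the function names are assumptions.

```python
import base64, hashlib, hmac

SECRET = b"constructed-demo-secret"  # assumption: site-local signing key
LOCAL_DOMAIN = "isp.example"         # assumption: the signing ISP's domain
MAX_AGE_DAYS = 21                    # assumption: how long a bounce may take
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

def _stamp(day):
    """Encode the day number mod 1024 as two base32 characters."""
    day %= 1024
    return B32[day >> 5] + B32[day & 31]

def _tag(stamp, domain, local):
    """Short keyed hash over the fields a forger would need to change."""
    msg = "\0".join((stamp, domain.lower(), local)).encode()
    mac = hmac.new(SECRET, msg, hashlib.sha1).digest()
    return base64.urlsafe_b64encode(mac).decode()[:4]

def sign(local, domain, day):
    """Rewrite local@domain into a signed envelope sender at LOCAL_DOMAIN."""
    stamp = _stamp(day)
    tag = _tag(stamp, domain, local)
    return f"SRS0={tag}={stamp}={domain}={local}@{LOCAL_DOMAIN}"

def accept_rcpt(mail_from, rcpt_to, today):
    """RCPT-time decision; mail_from is "" for the null sender (MAIL FROM:<>)."""
    if mail_from != "":
        return True, "not a bounce"
    localpart, _, rcpt_domain = rcpt_to.rpartition("@")
    if rcpt_domain.lower() != LOCAL_DOMAIN or not localpart.startswith("SRS0="):
        return False, "bounce to unsigned address"
    fields = localpart[5:].split("=", 3)
    if len(fields) != 4 or len(fields[1]) != 2 or any(c not in B32 for c in fields[1]):
        return False, "malformed SRS0 address"
    tag, stamp, domain, local = fields
    if not hmac.compare_digest(tag.encode(), _tag(stamp, domain, local).encode()):
        return False, "bad signature"
    signed_day = B32.index(stamp[0]) * 32 + B32.index(stamp[1])
    if (today - signed_day) % 1024 > MAX_AGE_DAYS:
        return False, "signature expired"
    return True, "signed bounce"
```

The check only works if every message leaving the site carries a signed envelope sender, so a genuine bounce always comes back to an `SRS0=` address.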