spf-discuss

Re: first spf-enabled spam

2004-04-13 09:28:49
On Tue, 2004-04-13 at 07:36, David wrote:
Very good idea - when someone publishes SPF records, it indicates that 
they care.

Wrong, it only indicates which hosts are authorized to send mail for a
given domain, there is no indication on the spf record to tell if the
owner cares or not. Now your assumption will likely be true, but this
is only a 'guess'.

I've thought a bit about this, and the only scenario I could come up
with where the owner of a domain name may not particularly care is when
they have parked the domain at their registrar and the registrar
(controlling the DNS) has published a default -all record on behalf of
the owner.

If the owner does not care about responsibility, why would they bother
with SPF in the first place?  By publishing a record stating which hosts
are authorized to send mail on your domain's behalf, is that not
fundamentally saying that you care which hosts may send mail?  And if
one of your authorized hosts is spamming, are you not accepting
responsibility for that by enabling the receiving machines to identify
that the spam did in fact come from one of your authorized hosts as
opposed to a forgery?  I really can't think of any plainer way to say
it;  publishing SPF indicates that the entity in question does care,
otherwise they wouldn't bother.

Now if a separate entity like a registrar is publishing on behalf of
someone else, that's a different scenario.  What I'm talking about is
when the actual owner/administrator of a domain publishes SPF records
for that domain.

-- 
Dustin D. Trammell
Vulnerability Remediation Alchemist
Citadel Security Software, Inc.