spf-discuss

Re: ORCPT as an alternative to SRS.

2004-04-18 21:23:17
In 
<1082273420(_dot_)4735(_dot_)11418(_dot_)camel(_at_)localhost(_dot_)localdomain>
 Mark Shewmaker <mark(_at_)primefactor(_dot_)com> writes:

I would like to suggest the use of the SMTP DSN extension ORCPT

Hi.

The use of the SMTP DSN extensions has been discussed before, although
if I recall correctly, they were centered on the ENVID value rather
than the ORCPT value.


  2.  ORCPT was first introduced in RFC1891, eight years ago.

Unfortunately, writing up standards is often not nearly as important
as writing up code.  A very quick check seems to indicate that
sendmail and MS-exchange have DSN, but postfix, qmail and exim
don't. Daniel Bernstein, the author of qmail, seems to think that DSN
is obsolete and that VERP is better.

Have you checked into how widely supported DSN actually is?


Or to be more precise, I would suggest changing SPF to:

  1.  Allow recipients to set a Recipient Policy in which the
      Recipient can choose between saying one of these three
      things:  (I'm speaking loosely here.)

I think being able to do per-user SPAM filtering is a good idea, but
they are really local policies rather than something that needs to be
addressed in the SPF spec.


  2.  Then, when running SPF tests on incoming emails:

      o  If there is a value of ORCPT that matches the Recipient's
         Policy, run an SPF test using that ORCPT value.

How do we know that the envelope from is trustworthy just because the
ORCPT value passes?

[snip]

What is the advantage of checking the ORCPT and having a local
(per-user) whitelist based on it rather than just whitelisting the
forwarder?

I'm not an expert on DSN, but shouldn't an email forwarder have a
one-to-one relationship between the email address it accepts email on
(the ORCPT value) and the email address it forwards to (the RCPT TO
value)?  That is, sending email to foo@pobox.com should always send
email to bar@example.com (RCPT TO value) with an ORCPT value of
foo@pobox.com.

So, couldn't bar@example.com just whitelist pobox.com?  Yeah, I
guess it is possible for an email forwarder to start spamming, but there
are other ways of dealing with that.


Anyway, I like the idea of using an SMTP extension of some sort
instead of having to do SRS, but I suspect that we will have to do SRS
for quite a while.  :-<


-wayne
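
An added example, not part of the original message: the one-to-one forwarder mapping discussed above (foo@pobox.com forwarding to bar@example.com), parsed from an SMTP RCPT command with the DSN ORCPT parameter and checked against a per-recipient policy. The policy table and the function names are assumptions made for illustration; ORCPT is supplied by the sending client, so a match says only which forwarding address was claimed.

```python
import re

# Constructed sample policy: for each final recipient, the forwarding
# addresses that recipient has set up (assumed data, not from the thread).
RECIPIENT_POLICY = {"bar@example.com": {"foo@pobox.com"}}

_RCPT = re.compile(r"^RCPT TO:<([^>]*)>(.*)$", re.IGNORECASE)
_XTEXT_ESCAPE = re.compile(r"\+([0-9A-F]{2})")


def decode_xtext(value):
    """Decode DSN xtext, where '+HH' stands for the character with hex code HH."""
    return _XTEXT_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def parse_rcpt(line):
    """Return (rcpt_to, orcpt) from a RCPT command; orcpt is None if absent."""
    m = _RCPT.match(line.strip())
    if not m:
        raise ValueError("not a RCPT TO command")
    # Lower-casing the whole address is a simplification for matching.
    rcpt, orcpt = m.group(1).lower(), None
    for param in m.group(2).split():
        key, _, val = param.partition("=")
        if key.upper() == "ORCPT":
            # ORCPT carries "<address-type>;<xtext-encoded address>".
            addr_type, sep, addr = val.partition(";")
            if sep and addr_type.lower() == "rfc822":
                orcpt = decode_xtext(addr).lower()
    return rcpt, orcpt


def orcpt_matches_policy(line, policy=RECIPIENT_POLICY):
    """True when ORCPT is one of the recipient's known forwarding addresses."""
    rcpt, orcpt = parse_rcpt(line)
    return orcpt is not None and orcpt in policy.get(rcpt, set())


if __name__ == "__main__":
    # Constructed RCPT lines as a forwarder's client might send them.
    for sample in (
        "RCPT TO:<bar@example.com> NOTIFY=FAILURE ORCPT=rfc822;foo@pobox.com",
        "RCPT TO:<bar@example.com> ORCPT=rfc822;other@pobox.com",
        "RCPT TO:<bar@example.com>",
    ):
        print(sample, "->", orcpt_matches_policy(sample))
```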



