spf-discuss
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: 'explain' etiquette, or is this a security concern?

2004-04-20 08:32:55
from [John A. Martin] [Permanent Link] 
"Wayne" == Wayne Schlitt
"Re: 'explain' etiquette, or is this a security concern?"
 Tue, 20 Apr 2004 09:19:06 -0500


    Wayne> Yes, and the explanation text was:

    Wayne> : (wayne(_at_)footbone) $ sdig explain._spf.chepelov.org txt :
    Wayne> "This site uses SPF to help reduce email forgery\; see
    Wayne> http://spf.pobox.com";

Are we sure that escaping the semi-colon actually results in the
succeeding text going on the wire as part of the SMTP rejection
message?  I don't have a handy way to check that, certainly not for
all MTAs.

    Wayne> Now, there are going to be two types of folks that will see
    Wayne> this message.  There will be forgers/spammers/phishers, and
    Wayne> I really don't much care what they think about anything.  I
    Wayne> suspect few other people much care either.

In the brave new world we inhabit there is a potential for anything
"on the wire" to be recorded, indexed, and archived "forever", or at
least until after the mechanisms we are thinking about now are long
forgotten.

One way to avoid a lot of problems would be for the standard to
stipulate that 'explanation text' is to be optionally logged by the
SPF user but MUST NOT be transmitted to others.  SPF publishers then
would have no expectation that explanation text would be passed along
but at the same time should be wary of what non-compliant entities
might do with it.

There may also be issues with the explanation text appearing in
headers.  Munging headers directly seems to lead to enough confusion
and misunderstanding without the additional problem of attributing who
said what.  In some ways the possibility of malicious or slanderous
text in message headers is a more sensitive issue than what goes into
the SMTP rejection message because we know full well that SMTP content
is being recorded, indexed, and archived _now_.

What is the vital use of explanation text?  Is it simply something
nice to have?  What would be lost by removing explanation text from
the standard?  The gain would be avoiding the problems associated with
providing a new way of propagating text supplied by strangers.

        jam
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: 'explain' etiquette, or is this a security concern?, wayne
Next by Date:  Re: Digest 1.253 for spf-discuss, administrator
Previous by Thread:  Re: 'explain' etiquette, or is this a security concern?, wayne
Next by Thread:  Re: Re: 'explain' etiquette, or is this a security concern?, wayne
Indexes:  [Date] [Thread] [Top] [All Lists]