spf-discuss

Re: Re: 'explain' etiquette, or is this a security concern?

2004-04-20 09:24:59
In <87ekqislzs(_dot_)fsf(_at_)athene(_dot_)jamux(_dot_)com> "John A. Martin" 
<jam(_at_)athene(_dot_)jamux(_dot_)com> writes:

"Wayne" == Wayne Schlitt
"Re: 'explain' etiquette, or is this a security concern?"
 Tue, 20 Apr 2004 09:19:06 -0500

    Wayne> : (wayne(_at_)footbone) $ sdig explain._spf.chepelov.org txt :
    Wayne> "This site uses SPF to help reduce email forgery\; see
    Wayne> http://spf.pobox.com";

Are we sure that escaping the semi-colon actually results in the
succeeding text going on the wire as part of the SMTP rejection
message?  [...]

It is up to the SPF support code for the particular MTAs to make
sure that explanation strings get correctly sent to the sending MTA.
I'm sure there are bugs in some and they should be fixed.


    Wayne> Now, there are going to be two types of folks that will see
    Wayne> this message.  [badguys -> don't care;
    Wayne> legit users of domain -> no problem]

There may also be issues with the explanation text appearing in
headers.

I know of no SPF implementation that adds the explanation text to the
email headers.  I have pondered doing so in libspf-alt every once in
a while, but the text can be very long and I couldn't see much value
in it.  Now that this discussion has come up, I can see a good reason
not to ever add it to the email headers.


What is the vital use of explanation text?  Is it simply something
nice to have?  What would be lost by removing explanation text from
the standard?  The gain would be avoiding the problems associated with
providing a new way of propagating text supplied by strangers.

The explanation text is a way for domain owners to communicate with
the users of their domain.

Consider the case of an ISP in Elbonia, where the law says that they
must present information in both Elboneese and Sanskrit.  So, isp.eb
could have an explanation of "Mungo/ark: http://isp.eb/why.html?...";
On the why.html web page, it could present the information in the
appropriate languages, explain isp.eb's AUP about using their domain
name and give the users the ability to request exceptions and such.

While such things are not critical to SPF, they sure are very nice
things to have available.


Again, the only people who will see the explanation text are spammers
and such who have forged the domain name and legitimate users of the
domain name that need to be given a clear explanation *to them* about
the correct use of the domain name they are using.


-wayne
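One way an MTA's SPF support code could guard a domain owner's explanation string before putting it on the wire in the SMTP rejection reply, as an added example written for this thread and not code from libspf-alt or any other implementation mentioned here; the length limits and the 5.7.1 enhanced status code are assumptions:

```python
import re

# Assumed cap on how much stranger-supplied text we forward to the sender.
MAX_EXPLANATION_LEN = 500
# SMTP reply lines are limited to 512 octets including CRLF; keep a margin.
MAX_REPLY_LINE_LEN = 500


def sanitize_explanation(text: str) -> str:
    """Reduce an explanation string to single-line printable ASCII.

    CR and LF are replaced so the text cannot terminate the reply line
    early and smuggle in extra reply lines; other control characters and
    non-ASCII are replaced because the reply is a 7-bit protocol element.
    Whitespace is then collapsed and the result truncated.
    """
    cleaned = "".join(ch if 0x20 <= ord(ch) < 0x7F else " " for ch in text)
    cleaned = re.sub(r"\s+", " ", cleaned).strip()
    return cleaned[:MAX_EXPLANATION_LEN]


def smtp_reject_reply(explanation: str, code: int = 550,
                      enhanced: str = "5.7.1") -> str:
    """Build the SMTP reply that carries the (sanitized) explanation.

    Long explanations are split into a multi-line reply: every line but
    the last uses the 'code-' continuation form, and each line repeats the
    enhanced status code so clients see it on every line.
    """
    body = sanitize_explanation(explanation) or "SPF check failed"
    prefix = f"{enhanced} "
    room = MAX_REPLY_LINE_LEN - len(f"{code}-") - len(prefix)
    chunks = [body[i:i + room] for i in range(0, len(body), room)]
    lines = []
    for i, chunk in enumerate(chunks):
        sep = " " if i == len(chunks) - 1 else "-"
        lines.append(f"{code}{sep}{prefix}{chunk}")
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    # Constructed sample: the record quoted in the thread, plus an
    # explanation that tries to inject a second reply line.
    print(smtp_reject_reply("This site uses SPF to help reduce email "
                            "forgery; see http://spf.pobox.com"), end="")
    print(smtp_reject_reply("denied\r\n250 2.0.0 accepted"), end="")
```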