spf-discuss

Re: Whitelists instead of SRS

2004-04-22 06:23:55
Tony Finch wrote:
> On Thu, 22 Apr 2004, Theo Schlossnagle wrote:
>
> > SPF is designed to prevent fraud.  Forwarders use a technique that is
> > used to commit said fraud.  It is the _technique_ that is a problem and
> > for an effective system to emerge from all this the techniques that can
> > be used for fraud must be rendered useless.
>
> Forwarding is not used to commit the kind of fraud (forgeries from
> spammers and viruses) that SPF is intended to prevent. Your argument is
> begging the question: you claim that forwarding is fraud because SPF
> classifies it as fraud, but the correct point of view is that fraud occurs
> when someone sends a message "from" an email address they do not have
> permission to use.

Forged "from" is a common fraudulent technique.
Current legitimate forwarders use forged "from" to accomplish
the forward and preserve bounce information.

It is not possible to detect/eliminate the first without impacting
the second. Either forwarders need to preserve path information (SRS
or other techniques) and provide their own address for the envelope
from of the forwarded message, or nasty, evil people with fraud in
mind will be able to forge the envelope from to their own purposes.


--
Daniel Taylor          VP Operations            Vocal Laboratories, Inc.
dtaylor(_at_)vocalabs(_dot_)com   http://www.vocalabs.com/        
(952)941-6580x203