
RE: HELO vs. envelope checks

2004-05-23 20:45:26
From: Greg Connor
Sent: Friday, May 21, 2004 7:14 PM


--Seth Goodman <sethg(_at_)GoodmanAssociates(_dot_)com> wrote:

From: Greg Connor
Sent: Tuesday, May 18, 2004 12:22 AM


[Regarding SES in combination with localpart macros, exists:%{l}....]


<...>

Looks like I neglected the end of your message.

If SRS was used, we would have to do
SES CBV's on all messages that are SRS rewritten plus messages that are
not SRS rewritten and don't pass SPF.  In other words, the first hop can
trust SPF but beyond that, you need something else.

Right.  Under a smart-DNS scheme, you would do the DNS check any time you
check the original MAIL FROM address... but if the forwarder uses SRS, you
are now in *their* SPF policy, and they may not have exists: in the record.
In other words once rewriting has taken place, it's out of your control.
Receivers would do the advanced DNS check on your stuff, but not on any
rewritten stuff (unless the forwarder also has smart DNS :)

The original source address is still inside the rewritten SRS address.  It
would have to be parsed out and checked separately.  SRS does have the
problem that the final recipient verifies the credentials of the machine
handing them the message, but does not validate the return-path.  Even if an
SES address is encapsulated inside an SRS address, it is still worth
checking at the final recipient (and at forwarders who don't care to pass on
forgeries).

The CBV does put
some burden on the recipient, but it averages out to significantly less
than one CBV per received message (the ones that don't have a forwarder
just use SPF).  The sender always has a larger burden, and their average
will be several CBV's per outgoing message.  At least that gets the
proportions right.  Might that not be an acceptable load for each end?


I think that's putting the cost in the right direction... I am guessing
that more receivers will do SPF than CBV so you might get better coverage
with SPF+SES+DNSexists.

This is probably true, so it would be really nice if we could come up with a
practical way to do it via DNS.

Why would the sender get several CBV requests for every outgoing message
again?  I missed that.  (Though it's not hugely important... I'm still
getting your point.)

The sender gets a CBV from each recipient after the first hop, so if there
are multiple forwarders, there are multiple CBV's.  While it was not
intentional, I've overstated this since most messages probably don't have
multiple forwards.  Though it's easy to figure out, here's how it scales
with forwarding hops:

# forwards   CBV's by recipient   CBV's to sender
----------   ------------------   ---------------
    0                0                   0
    1                1                   1
    2                1                   2
    3                1                   3
   ...              ...                 ...
    N                1                   N

While the number of CBV's depends on the number of forwarding hops, it is
apparent that between a given sender and a given recipient, the sender has
to respond to more CBV's, on average, than the recipient has to initiate.
The difference is made up by each forwarder after the first one doing a CBV.

--

Seth Goodman


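Seth's point that the original source address is still inside the rewritten SRS address and has to be parsed out and checked separately, worked through as an added Python example (this is not code from the list thread or from any SRS implementation): it decodes SRS0 and SRS1 local parts back to the original return-path, records the forwarder hops peeled off along the way, and shows that the SRS hash itself can only be checked by the forwarder holding the secret, which is why a final recipient must validate the inner address by other means. The hash construction is an approximation of how SRS implementations derive the HHH field, and the timestamp value, secret and domain names are all constructed for the demonstration.

```python
"""Decode SRS-rewritten return paths back to the original sender address.

Address shapes handled (forwarder domains are constructed examples):
  SRS0=HHH=TT=orig-domain=orig-local@fwd1.example
  SRS1=HHH=fwd1.example==HHH=TT=orig-domain=orig-local@fwd2.example
"""
import base64
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import List

# Constructed secret standing in for a forwarder's private SRS key.
FORWARDER_SECRET = b"constructed-example-secret"

# Hash and timestamp fields never contain '='; the original local part is
# always the last field, so it may contain '=' itself.
SRS0_RE = re.compile(
    r"^SRS0=(?P<hash>[^=]*)=(?P<tt>[^=]*)=(?P<domain>[^=]+)=(?P<local>.+)$", re.I)
SRS1_RE = re.compile(
    r"^SRS1=(?P<hash>[^=]*)=(?P<host>[^=]+)=(?P<rest>.*)$", re.I)


def srs_hash(secret: bytes, *fields: str) -> str:
    """Short keyed hash over the rewritten fields (approximation of the
    HMAC-based HHH field real implementations compute)."""
    mac = hmac.new(secret, "".join(fields).lower().encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()[:4]


def srs0_rewrite(address: str, forwarder: str, secret: bytes, tt: str = "V8") -> str:
    """First forwarder: wrap the original return-path into an SRS0 address.
    'tt' is a constructed placeholder for the timestamp field."""
    local, _, domain = address.rpartition("@")
    return f"SRS0={srs_hash(secret, tt, domain, local)}={tt}={domain}={local}@{forwarder}"


def srs1_rewrite(srs0_address: str, forwarder2: str, secret: bytes) -> str:
    """Second forwarder: keep the first forwarder's host and the SRS0 local
    part (minus its 'SRS0' prefix) so the chain stays decodable."""
    local, _, host = srs0_address.rpartition("@")
    if not local.upper().startswith("SRS0"):
        raise ValueError("srs1_rewrite expects an SRS0 address")
    rest = local[4:]  # keeps the leading '=', which yields the '==' in SRS1
    return f"SRS1={srs_hash(secret, host, rest)}={host}={rest}@{forwarder2}"


@dataclass
class Decoded:
    original: str      # return-path as the originating domain emitted it
    hops: List[str]    # forwarder domains peeled off, outermost first


def decode_srs(address: str) -> Decoded:
    """Recover the original MAIL FROM from an SRS0/SRS1 address. Non-SRS
    addresses are returned unchanged with an empty hop list."""
    hops: List[str] = []
    local, _, domain = address.rpartition("@")

    m = SRS1_RE.match(local)
    if m:  # unwrap the outer forwarder, reconstruct the inner SRS0 form
        hops.append(domain)
        local = "SRS0" + m.group("rest")
        domain = m.group("host")

    m = SRS0_RE.match(local)
    if m:
        hops.append(domain)
        return Decoded(f"{m.group('local')}@{m.group('domain')}", hops)
    return Decoded(address, hops)


def verify_srs0(address: str, secret: bytes) -> bool:
    """Only the forwarder that holds 'secret' can check the HHH field; a
    final recipient without it learns nothing from the hash and must check
    the decoded inner address separately (Seth's point above)."""
    local, _, _ = address.rpartition("@")
    m = SRS0_RE.match(local)
    if not m:
        return False
    expected = srs_hash(secret, m.group("tt"), m.group("domain"), m.group("local"))
    return hmac.compare_digest(expected, m.group("hash"))


if __name__ == "__main__":
    hop1 = srs0_rewrite("alice@example.com", "fwd1.example", FORWARDER_SECRET)
    hop2 = srs1_rewrite(hop1, "fwd2.example", b"second-forwarder-secret")
    for addr in ("alice@example.com", hop1, hop2):
        d = decode_srs(addr)
        print(f"{addr}\n  -> {d.original}  via {d.hops}")
    print("forwarder verifies own SRS0 hash:", verify_srs0(hop1, FORWARDER_SECRET))
    print("recipient without the secret:   ", verify_srs0(hop1, b"not-the-secret"))
```

Running the block prints the two-hop chain collapsing back to alice@example.com with the hop list ["fwd2.example", "fwd1.example"], and shows the hash check succeeding only for the forwarder that minted the address; that is exactly why the inner address has to be validated on its own (SES check or CBV) once the message has left the first hop.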