Shevek wrote:
I appreciate the political constraints introduced by attempting to
cooperate with uncooperative parties with differing agendas to that of
SPF, but what is being achieved here is a total destruction of the utility
of the protocol.
It seems like we are spending an inordinate amount of time on repudiating
Microsoft's SPF proposals/extensions... Pretty soon Meng is going to have a
mauled twig instead of an olive branch, eh?
Well, I was one of those who called the SUBMITTER idea "brilliant", but now I'm
finding it less attractive.
Shevek wrote:
There is a suggestion to extend the mail protocol to have both SUBMITTER,
the "responsible address" or PRA, and MAIL FROM, the "origial source" of
the message. The PRA is validated according to SPF rules. The MAIL FROM
recieves bounces.
But suddenly we are verifying one address and sending bounces to another!
Ok, so the only valid counter-argument I can think of is:
"Everyone will be using whitelists, so the SUBMITTER will have to be on your
whitelist to create these forged bounces. If they start forging, remove them
from your whitelist."
However, if many of the whitelists are publicly maintained (not per-MTA), a
spammer with a whitelisted domain (or cache of them) could create a huge number
of forged bounces via all the subscribed MTAs before being noticed and
de-listed.
Greg Connor wrote:
I believe 1. that having a SUBMITTER value that
is guaranteed to Pass is good, even if we may be vulnerable to bouncing to
someone innocent, and 2. that there is no advantage to spammers to do so...
they are not getting their message in front of new eyeballs inaccessible to
them before, so there is no reason for them to go to the effort of
redirecting their bounces (and exposing their identity to do so) if it
doesn't buy them anything.
It buys them the ability to not receive the bounces (perhaps do DoS attack on
small guys) for the cost of a domain. Maybe not a really cost effective plan,
but I find that some people (especially spammers) will exploit a security hole
just because it exists.
Ideally, the cost of the domain and/or whitelisting would be very high, but
that isn't the case right now (when SUBMITTER is most relevant).
Finally, I've thought a lot about SRS vs. SUBMITTER in the past few days.
SRS:
ugly
not exploitable
requires upgrading only the MTAs which forward
SUBMITTER:
pretty
bounce forgery is exploitable
requires upgrading ALL MTAs which want to receive a forward (much larger pool)
Personally, I prefer the ugly guy who gets the job done right.
Michael R. Brumm
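As an added illustration of the bounce-routing difference discussed in this message (example code written for this page, not code from the thread participants or from any SPF/SRS implementation): a simplified SRS0 forwarder that rewrites MAIL FROM and verifies the HMAC before relaying a bounce, beside the SUBMITTER behaviour as described above, where the verified address and the bounce address are different. The forwarder name, secret key, freshness window and sample addresses are all constructed for the example; the address layout follows the SRS0 scheme, but the hash and timestamp details are simplified here and should be treated as assumptions rather than a spec reference.

```python
import base64
import hashlib
import hmac
import time

# Constructed parameters for this example (assumptions, not from the thread).
FORWARDER = "forwarder.example"
SRS_SECRET = b"constructed-secret-key"   # secret known only to the forwarder
SRS_BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
MAX_AGE_DAYS = 21                         # assumed validity window for an SRS address


def _timestamp(days=None):
    # Two base32 characters encoding (days since epoch) mod 1024.
    if days is None:
        days = int(time.time() // 86400)
    days %= 1024
    return SRS_BASE32[(days >> 5) & 31] + SRS_BASE32[days & 31]


def _timestamp_fresh(ts, today=None):
    # Reject malformed timestamps and addresses older than MAX_AGE_DAYS
    # (wraparound handled with modulo arithmetic).
    if len(ts) != 2 or any(c not in SRS_BASE32 for c in ts):
        return False
    then = (SRS_BASE32.index(ts[0]) << 5) | SRS_BASE32.index(ts[1])
    if today is None:
        today = int(time.time() // 86400)
    return (today - then) % 1024 <= MAX_AGE_DAYS


def _hash(ts, host, local):
    # First four base64 characters of HMAC-SHA1(secret, ts + host + local).
    msg = (ts + host.lower() + local).encode()
    mac = hmac.new(SRS_SECRET, msg, hashlib.sha1).digest()
    return base64.b64encode(mac)[:4].decode()


def srs_forward(mail_from):
    """Rewrite MAIL FROM so that bounces come back to the forwarder."""
    local, host = mail_from.rsplit("@", 1)
    ts = _timestamp()
    return f"SRS0={_hash(ts, host, local)}={ts}={host}={local}@{FORWARDER}"


def srs_reverse(addr):
    """Return the original sender if addr is a valid SRS0 address minted by
    this forwarder, or None if it is forged, tampered with, expired or malformed."""
    local, host = addr.rsplit("@", 1)
    if host.lower() != FORWARDER or not local.startswith("SRS0="):
        return None
    parts = local.split("=", 4)
    if len(parts) != 5:
        return None
    _, h, ts, orig_host, orig_local = parts
    expected = _hash(ts, orig_host, orig_local)
    if not hmac.compare_digest(h.encode(), expected.encode()):
        return None          # HMAC mismatch: nobody without the secret can mint this
    if not _timestamp_fresh(ts):
        return None          # valid once, but too old to still accept bounces
    return f"{orig_local}@{orig_host}"


def bounce_target_srs(bounce_rcpt):
    """Forwarder receiving a bounce: relay to the original sender only if the
    SRS0 address checks out; a forged address yields no relay at all."""
    return srs_reverse(bounce_rcpt)


def bounce_target_submitter(submitter, mail_from, spf_pass):
    """SUBMITTER as described in the thread: SPF is evaluated on SUBMITTER,
    but the bounce goes to MAIL FROM, which nothing has verified."""
    if not spf_pass(submitter):
        return None          # message rejected, so no bounce is generated
    return mail_from


if __name__ == "__main__":
    wrapped = srs_forward("alice@origin.example")
    print(wrapped, "->", bounce_target_srs(wrapped))
    print(bounce_target_srs("SRS0=XXXX=AA=victim.example=bob@forwarder.example"))
    print(bounce_target_submitter("spammer@whitelisted.example",
                                  "victim@small.example", lambda d: True))
```

In the SRS case a spammer who wants bounces steered at a third party would need the forwarder's secret to produce an address that passes `srs_reverse`; in the SUBMITTER case a whitelisted SUBMITTER is enough, and the MAIL FROM it points bounces at is taken on faith.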