On Sat, 5 Jun 2004, Daniel Taylor wrote:

> Shevek wrote:
>> Given that the purpose of SPF was to prevent joe jobs, why are we having
>> this discussion?
>
> When you have a hammer, everything looks like a nail.

In this case, we seem to have a nail, and SPF has a hammer costume on. But
it isn't a hammer.

> SPF is necessary but not sufficient to prevent joe-jobs as it currently
> exists. If you do _not_ do something like SPF, protection is unavailable.

SPF and SRS _ARE_ sufficient to prevent joe jobs as they currently exist.
I will stand up and categorically state that if SPF and SRS are
implemented, then there are only three ways in which a spammer can send
you ANY form of mail indirectly:
a) As a reply to a forwarded mail you sent directly to the spammer.
b) Via a forwarding address you set up to yourself.
c) Via a forwarding address the spammer set up pointing to you.
This is explained more fully at http://www.libsrs2.org/srs/srs.pdf, which
I updated yesterday.

> The problem with these examples is that there is no requirement of a
> relationship between the envelope-From and From:. To force such a
> relationship breaks an awful lot, but even the wonderful cryptographic
> authentication solutions don't fix the trust problem, so where
> does that leave us?

Doesn't matter. From: has nothing to do with joe jobs. Vacation messages,
perhaps, but that's a second layer. The envelope layer works. Use it.
S.
--
Shevek http://www.anarres.org/
I am the Borg. http://www.gothnicity.org/