spf-discuss

Re: ebay problem

2004-06-06 07:44:05
So use the HELO string for this "new field"? It's before data and it is unused to the best of my knowledge.

christopher(_at_)pobox(_dot_)com wrote:

* Convince Ebay to not forge email addresses.  (They could do SRS,
 for example, or to collect any bounces themselves.)

I *like* the way that my emails through eBay hit the recipient with my
address as the "From" - (they are not figuratively "forged" - I typed
the email in through their web site in the 1st place remember).

It is wrong to try and force other people to do what *we* want,
especially when what they're doing is perfectly reasonable.  It is
also wrong (or at least, exceptionally bad manners) to destroy every
online business that makes a living from this kind of thing (eg:
greeting cards etc) instead of adapting SPF to cater for this instead.

I say we should build something extra into the system so that...
A) If the actual sending MTA did forge an address, the receiving
  SPF-enabled code can make a check to decide whether or not to allow
  this.
B) Add an *extra* SPF field into the spec so that people who want to
  forbid this "authorized spoofing" (example: an online bank) can do
  so if they're utterly convinced that nobody should ever send mail
  as them.

And keep in mind - 99.9% of admin people are going to say "nobody
should ever spoof mail from my domain - period." - and 99.8% of them
are going to be wrong because they didn't think about eBay, PayPal,
greeting cards, web-based office tools, legitimate mailing list
companies, 3rd party survey organizations, and a load of other legit
things.

Remember - we are creating something that people *are* going to use to
block incoming emails - *we* have a responsibility to ensure that the
barest minimum possible of false positives can result.  ISPs don't
want to tell their customers "it's not our fault you missed out on
some auction, it's eBay who refused to obey our new rules who is to
blame"

There's 3,100,749 registered subnets out there - so you can guarantee
that some of those businesses are going to get unfairly "cut down" by
SPF unless we write something in that protects their livelihood.
We're all smart - it's not that hard to think up good ways to do this.

Seems like the latter would be the best solution for sites like this -
collect the bounces, and use a code in the Subject (for example) to
identify bounces and alert the other party of a message failure. They
should never have really been sending out messages with someone else as
the sender to begin with.

This is indeed NO solution in my opinion, let's point out the facts:

1)      we publish for all our 1000+ domains spf records with "-all" !!!
2)      nearly 100% is smooth and clear
3)      only some major players like ebay are breaking rfc rules.

A> Exactly. So having everyone stick to the rules is the solution.

but...

ebay is a "must" in our days and if some Mails from ebay will be rejected
with  554 .... our customers will shoot us off to the moon....

so "who" may convince ebay to obey the rules.... i think some times they
and other make the rules ....

A> What was their response when you contacted them with the suggestion?

on this point Meng should intervene at @all major sites to reinspect their
email codes not to send with an envelope sender name of the intended
receiving domain !

to solve this with a hot needle like "if ebay make following if microsoft
do this.... " is not a real solution to help spf  !!!!!!!!

A> How is working around people rather than encouraging them to fit within the
A> rules going to "help" SPF? Surely it's going to simply ensure that the same
A> problem continues for everyone else, as well as for you with the next site
A> that decides to follow eBay?

so meng  please give your opinion for a possible and fast solution to this
dilemma !!!

i posted two times to this list but no real answers are coming back..

my alternatives for all domains are for now to switch them to "?all"...
ridiculous in my opinion...

so please help us and me and our customers with a bunch of real solutions
for this dilemma, not only wise tips...

A> Because you're not being very polite about it. Ridiculing those who do
A> respond isn't going to encourage any responses.

A> -------
A> Sender Policy Framework: http://spf.pobox.com/
A> Archives at http://archives.listbox.com/spf-discuss/current/
A> To unsubscribe, change your address, or temporarily deactivate your subscription,
A> please go to http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com

--
Carl Hutzler
Director, AntiSpam Operations
America Online Mail Operations
cdhutzler(_at_)aol(_dot_)com
703.265.5521 work
703.915.6862 cell
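
The trade-off argued over in this thread, as an added example that is not part of any post: a receiver checks the envelope sender's domain against the connecting IP, so a web service mailing with a user's address fails under "-all", is merely neutral under "?all", and passes when it uses its own bounce domain. All domains, addresses and records below are constructed, and only the `ip4` and `all` mechanisms are handled.

```python
import ipaddress

# SPF qualifier -> result name (RFC 7208)
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample records (documentation address ranges, made-up domains).
RECORDS = {
    "user.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "user-relaxed.example": "v=spf1 ip4:192.0.2.0/24 ?all",
    "bounces.webservice.example": "v=spf1 ip4:198.51.100.0/24 -all",
}
WEB_SERVICE_IP = "198.51.100.25"  # constructed: the third-party web mailer


def evaluate_spf(record, sender_ip):
    """Evaluate a simplified SPF record (ip4 and all only) for one IP."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name == "ip4":
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # mechanism outside this sketch's scope
    return "neutral"  # nothing matched and no "all" term


def check_mail_from(envelope_sender, sender_ip, records=RECORDS):
    """Look up the envelope sender's domain and evaluate its record."""
    domain = envelope_sender.rsplit("@", 1)[-1].lower()
    record = records.get(domain)
    return "none" if record is None else evaluate_spf(record, sender_ip)


if __name__ == "__main__":
    for sender in ("alice@user.example", "alice@user-relaxed.example",
                   "msg-123@bounces.webservice.example"):
        print(sender, "->", check_mail_from(sender, WEB_SERVICE_IP))
```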


