Shevek wrote:
On Sat, 5 Jun 2004, Daniel Taylor wrote:
SPF is necessary but not sufficient to prevent joe-jobs as it currently
exists. If you do _not_ do something like SPF, protection is unavailable.
SPF and SRS _ARE_ sufficient to prevent joe jobs as they currently exist.
I will stand up and categorically state that if SPF and SRS are
implemented, then there are only three ways in which a spammer can send
you ANY form of mail indirectly:
a) As a reply to a forwarded mail you sent directly to the spammer.
b) Via a forwarding address you set up to yourself.
c) Via a forwarding address the spammer set up pointing to you.
This is explained more fully at http://www.libsrs2.org/srs/srs.pdf, which
I updated yesterday.
Thanks for the link and keeping this up.
The problem with these examples is that there is no requirement of a
relationship between the envelope-From and From:. To force such a
relationship breaks an awful lot, but even the wonderful cryptographic
authentication solutions don't fix the trust problem, so where
does that leave us?
Doesn't matter. From: has nothing to do with joe jobs. Vacation messages,
perhaps, but that's a second layer. The envelope layer works. Use it.
Yes, it works for what it does.
It needs to be used with other methods to protect From:, which
is the root of phishing attacks and a lot of the reputation
damage from joe jobs.
--
Daniel Taylor