spf-discuss
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Unnecessary complication in SES - what does it really do?

2004-06-06 15:13:32
from [Shevek] [Permanent Link] 
Points in reverse order:

On Sun, 6 Jun 2004, Seth Goodman wrote:


SES gives the spammer something he didn't have before: An address with a
signature attached saying "This mail is valid." It also requires
modification of every MSA, MTA and MUA, while SRS requires only
modification of forwarding MTAs.


SES is relatively simple to implement and gives the implementer immediate
protection against forged bounce spam.  SRS is relatively complicated and
does not give anyone protection against forged bounce spam.  If you want
protection against forged bounce spam, SES is the easiest way to get there.
The recent informal poll that Meng conducted showed what we've feared all
along but didn't want to say publicly:  SRS is seen by most parties as
undesirable and hindering SPF adoption.  I'm sorry if you consider that
result distasteful or wrong, but please don't shoot the messenger.


If this is all SES is doing then why are we messing around with RSPs
and stuff? If it doesn't stop joe jobs, it doesn't stop phishing,
and by "forged bounce spam", I suspect you just mean mails with a source 
of <>.

The simple explanation of SES is "A technique to restrict what addresses
may be mailed from a sender of <>." So K.I.S.S. It's this simple form in
which I support SES, and no other. The other stuff is all unnecessary
complication.


We still need a single coherent document describing this protocol. It
needs to be stated, for every possible case of replay, by any party, to
any party, why it is possible or impossible.


As soon as Meng can achieve a general consensus among the parties he is
negotiating with, I agree that needs to happen.  Until then, we all have to
debate the ideas as they are expressed, even if they are not formal enough
to satisfy all tastes.


It's barely formal enough to support discussion.


6) "If the forwarders, how is it different from SRS?"

Forwarders do not sign the MAIL FROM:.


This leaves them open to the 5 party attack documented at
http://www.libsrs2.org/srs/srs.pdf.


SRS is also vulnerable to the 5-party attack and that doesn't seem to be of
much concern.  Why is it here?


SRS is not vulnerable to the 5 party attack. Read the paper. Please.

S.

-- 
Shevek                                    http://www.anarres.org/
I am the Borg.                         http://www.gothnicity.org/
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Re: SUBMITTER is a bad idea, Seth Goodman
Next by Date:  OT was RE: Released: Microsoft IIS and Exchange Support, Michel Py
Previous by Thread:  RE: ENVID to prevent forged bounces with SUBMITTER?, Seth Goodman
Next by Thread:  RE: Unnecessary complication in SES - what does it really do?, Seth Goodman
Indexes:  [Date] [Thread] [Top] [All Lists]