spf-discuss

RE: a "never relays" parameter

2004-06-10 08:31:03
On Thu, 10 Jun 2004, Seth Goodman wrote:

> Here are some ideas on how to get SPF to do originating address validation,

[ some excellent ideas ... ]

Just wanted to point out that the recipient selects their forwarders,
and is responsible if the forwarder is incompetent or spam friendly.
Regardless of SPF, allowing any joe to forward mail to your addresses
is problematic.  So-called "legitimate" sender forgeries should not
be accepted, unless the forger stops forging the MAIL FROM.  (They
can still forge the 2822 headers, leaving the problem for layer 2 to
deal with.)

The need to validate the originating address arises from the belief
that forwarders are likely to be incompetent or malicious.
Is this belief justified?  In the case of independent domains,
probably not.  I think the problem comes with AOL and their ilk.  Their
millions of users will have no clue on whether a forwarding service is legit.
Even if they did, it is difficult for AOL to check an individual 
authorized forwarder list for every user.  However, AOL *could* have its
own preauthorized list of forwarding services, and inform users that
only these forwarding services will work.

Any recipient that blindly relays or bounces any mail claiming to be
forwarded deserves to be blacklisted.  Of course, without SPF they
have no way of knowing.  And with SPF, the recipient needs one of these
to detect unauthorized forwards:

a) SRS in a recognized format
b) RSR or SUBMITTER

Note that SES/CBV and DBBF are incompatible in the sense that if a forwarder
implements DBBF only, there is no way to extract the originating domain 
for SES/CBV.

So making SES with CBV (preferably via DNS) available as a tool for
the mail recipient is great.  But ultimately, the sender is depending
on the vast majority of mail recipients in the world to behave responsibly.
If the recipients behave responsibly, the existing SPF+SRS setup is
adequate.

Unfortunately, the vast majority of systems that receive mail have clueless 
sysadmins.  It is often claimed that SES protects the sender from bounced
forgeries.  This is only true if the recipient machine behaves responsibly by 
rejecting mail it can't accept or sending a DSN for mail it found a virus
in or whatever.  What actually happens is that the recipient machine sends
regular mail to the ostensible sender for every spam it receives, becoming a
relay for spam.  Windows anti-virus software is the worst culprit.

So my point is that so far the focus has been on combatting evil/clueless
mail *senders*.  I can't see at the moment how anything proposed
combats evil/clueless *recipients* who reply to all the spam they receive.
Blacklisting is problematic because there are far more Windoze users 
than spammers.  Content filtering works by learning to recognize these
bogus mail scanner replies.  However, the goal of SPF IMHO is to reduce the
volume of spam that gets past DATA.

Even if we have the system in place to validate the original sender,
it doesn't stop the vast majority of forged bounces.  

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
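
The recipient-side check the message describes (a preauthorized forwarder list plus "SRS in a recognized format"), as an added example that is not part of the original post. It assumes the common SRS0 local-part layout (`SRS0=hash=timestamp=domain=local`), which the post does not spell out, and an SPF result for the MAIL FROM domain computed elsewhere; the forwarder list and addresses are constructed.

```python
import re

# Constructed sample: forwarding services this recipient has preauthorized.
AUTHORIZED_FORWARDERS = {"forwarder.example"}

# Assumed SRS0 layout: SRS0 <sep> hash = timestamp = orig-domain = orig-local
SRS0_RE = re.compile(r"^SRS0[=+-]([^=]+)=([^=]+)=([^=]+)=(.+)$", re.IGNORECASE)


def parse_srs0(mail_from):
    """Return (forwarder_domain, orig_domain, orig_local), or None if the
    envelope sender is not in SRS0 form. The hash is not verified here:
    only the forwarder that created it holds the secret."""
    local, sep, domain = mail_from.rpartition("@")
    if not sep:
        return None
    m = SRS0_RE.match(local)
    if m is None:
        return None
    _hash, _timestamp, orig_domain, orig_local = m.groups()
    return domain.lower(), orig_domain.lower(), orig_local


def classify(mail_from, spf_result):
    """Decide what to do at MAIL FROM time.

    spf_result is the SPF verdict for the MAIL FROM domain against the
    connecting IP ("pass", "fail", ...), supplied by the caller.
    Returns (decision, originating_domain_or_None)."""
    parsed = parse_srs0(mail_from)
    if parsed is None:
        # Not rewritten: either direct mail or a forward that kept the
        # original MAIL FROM. SPF on that domain alone decides.
        return ("accept-direct" if spf_result == "pass" else "reject-spf", None)
    forwarder, orig_domain, _orig_local = parsed
    if forwarder not in AUTHORIZED_FORWARDERS:
        # Rewritten by a service this recipient never chose.
        return ("reject-unauthorized-forwarder", orig_domain)
    if spf_result != "pass":
        # Claims to come from an authorized forwarder, but the connecting
        # host is not one of that forwarder's permitted senders.
        return ("reject-spf", orig_domain)
    # Authorized forwarder; the originating domain is now available for
    # any further validation of the original sender.
    return ("accept-forwarded", orig_domain)
```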

