spf-discuss

RE: a "never relays" parameter

2004-06-10 14:07:39
On Thu, 10 Jun 2004, Seth Goodman wrote:

> Note that SES/CBV and DBBF are incompatible in the sense that if a forwarder
> implements DBBF only, there is no way to extract the originating domain
> for SES/CBV.

Yeah, I've been aware of that.  A DBBF forger is virtually impossible to
detect, unless you have a whitelist of trusted forwarders.  Perhaps you
should only accept DBBF forwards from a trusted forwarder list?  I'm not
sure what a good answer is here.
  ...
>> If the recipients behave responsibly, the existing SPF+SRS setup is
>> adequate.

> SPF+any rewriting scheme is still vulnerable to forged forwards from valid,
> but disposable, forwarding domains.  Unless the recipients implement an
> authorized forwarder whitelist, they can't tell the difference.

Yes.  My point was that IMHO responsible recipients use a forwarder
whitelist.  After all, *they* selected the legit forwarders.  *They*
should refuse to relay mail for self-proclaimed forwarders they did
not in fact select.  SPF gives them the means to determine which
mail is really from their authorized forwarders.  SRS/RSR/DBBF gives
them the means to detect that mail is forwarded rather than direct.
SRS/RSR (but not DBBF) lets them discover the originating address
and possibly do CBV (preferably via DNS).

> Irresponsible recipients will continue to spew viruses to innocent third
> parties disguised as DSNs until people get sick enough of it to start

If they were actually disguised as DSNs, I wouldn't have a problem.  SES would
ignore them.

> blacklisting them.  I don't think anything else will get them to do
> anything.  They are clueless, not malicious, and they don't even know they
> are contributing to the problem.  They probably think their virus "warnings"
> are a service to others.

>> Even if we have the system in place to validate the original sender,
>> it doesn't stop the vast majority of forged bounces.

> Until we make it uncomfortable enough for the clueless who are responding to
> forgeries with DSNs, that is certainly true.  If these sites start to get

If they would actually respond with DSNs, they wouldn't need to bother
recognizing forgeries.  SES would take care of it.  I'm not asking them
to necessarily get with the SPF program. I am asking them to follow
basic RFC guidelines, and stop originating non-DSN mail to whoever some
spammer or virus tells them.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
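An added example illustrating the three mechanisms the message above relies on: a forwarder rewriting the envelope sender into a signed SRS0 address, a recipient that only trusts forwarded mail from forwarders it actually enrolled with (and recovers the originating address for CBV), and a tagging site that rejects a null-sender "bounce" to any address it never issued, which is the SES behaviour Stuart describes. This is not code from the thread, from either poster, or from any SRS/SES implementation; the key, the domains and addresses, the 4-character hash, the 21-day window and the `spf_result` input are assumptions made for the example.

```python
"""Constructed illustration of SRS0-style signed envelope senders, a recipient's
authorized-forwarder check, and the forged-bounce (backscatter) check the thread
calls SES.  Not code from the spf-discuss thread or any SRS/SES library; the key,
domains, addresses, hash length and bounce window are assumptions."""
import base64
import hashlib
import hmac

SECRET = b"constructed-example-key"         # assumption: the tagging site's private key
MAX_AGE_DAYS = 21                           # assumption: how long a tagged address stays bounceable
BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
TRUSTED_FORWARDERS = {"forwarder.example"}  # assumption: forwarders this recipient enrolled with


def encode_ts(today):
    """Two base32 characters: days since the epoch modulo 1024 (the SRS timestamp form)."""
    today %= 1024
    return BASE32[today >> 5] + BASE32[today & 31]


def decode_ts(ts):
    return BASE32.index(ts[0]) * 32 + BASE32.index(ts[1])


def tag_hash(ts, domain, local):
    """HMAC over timestamp and original address, truncated to 4 base64 characters."""
    msg = (ts + domain + local).lower().encode()
    return base64.b64encode(hmac.new(SECRET, msg, hashlib.sha1).digest())[:4].decode()


def sign_sender(sender, signing_domain, today):
    """Rewrite sender as SRS0=hash=ts=domain=local@signing_domain.  A forwarder does
    this to mail it relays; a site that tags its own outbound mail the same way (the
    SES idea) then knows that a bounce to an untagged address is a forgery."""
    local, domain = sender.rsplit("@", 1)
    ts = encode_ts(today)
    return f"SRS0={tag_hash(ts, domain, local)}={ts}={domain}={local}@{signing_domain}"


def parse_srs0(addr):
    """Split an SRS0 address without checking the hash.  Anyone can do this, which
    is how a recipient recovers the originating address for CBV.  Returns
    (hash, ts, domain, local, signing_domain) or None if addr is not SRS0-shaped."""
    local, _, signing_domain = addr.rpartition("@")
    parts = local.split("=", 4)
    if len(parts) != 5 or parts[0].upper() != "SRS0":
        return None
    _, h, ts, domain, orig_local = parts
    ts = ts.upper()
    if len(ts) != 2 or ts[0] not in BASE32 or ts[1] not in BASE32:
        return None
    return h, ts, domain, orig_local, signing_domain


def bounce_destination(rcpt_to, today):
    """At the tagging site, for mail with a null envelope sender (a DSN): return the
    original sender the bounce belongs to, or None to reject it as a forged bounce.
    Untagged, mis-signed and expired addresses are all rejected."""
    parsed = parse_srs0(rcpt_to)
    if parsed is None:
        return None                         # we never sent from this address
    h, ts, domain, orig_local, _ = parsed
    expected = tag_hash(ts, domain, orig_local)
    if not hmac.compare_digest(h.encode(), expected.encode()):
        return None                         # hash mismatch: forged or tampered
    if (today - decode_ts(ts)) % 1024 > MAX_AGE_DAYS:
        return None                         # stale address replayed by a spammer
    return f"{orig_local}@{domain}"


def classify_inbound(mail_from, spf_result):
    """At the final recipient, for mail with a non-null envelope sender.  spf_result
    is the SPF verdict for mail_from's domain against the connecting IP, assumed to
    come from an SPF library outside this example.  Returns (verdict, originator)."""
    if spf_result == "fail":
        return "reject: SPF fail", None
    parsed = parse_srs0(mail_from)
    if parsed is None:
        return "direct", mail_from
    _, _, domain, orig_local, signing_domain = parsed
    if signing_domain not in TRUSTED_FORWARDERS:
        return "reject: unauthorized forwarder", None   # self-proclaimed forwarder
    if spf_result != "pass":
        return "reject: not verifiably from forwarder", None
    return "forwarded", f"{orig_local}@{domain}"       # originator usable for CBV


if __name__ == "__main__":
    today = 12345
    tagged = sign_sender("alice@origin.example", "forwarder.example", today)
    print(tagged)
    print(classify_inbound(tagged, "pass"))
    print(bounce_destination(tagged, today), bounce_destination("bob@forwarder.example", today))
```

Note that only `bounce_destination` needs `SECRET`; `classify_inbound` uses `parse_srs0` alone, because a recipient cannot verify a forwarder's hash. That is the split the message draws between detecting that mail was forwarded and recovering the originator (anyone can parse the address) versus validating it (only the site that signed it can), and it is why SPF plus the forwarder whitelist, not the hash, is what stops a disposable domain from posing as a forwarder.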

