
Re: SPF and Responsibility

2004-07-20 13:09:40

On Tuesday 20 July 2004 02:45 am, Paul Howarth wrote:

> My answers to your questions would be exactly the same if you completely
> removed all mentions of SPF. Mail from SometimesSpams would not be
> welcome at my server.

That doesn't make any sense. A large part of my assertions relied on the 
fact that mail sent from the domains AND had an SPF PASS result. Without 
that, they are all meaningless.

Please answer the questions one by one so I can see where you take issue 
with my train of thought.

> Now the SPF pass results would be strong evidence that I would use to
> convince myself that SometimesSpams were in fact responsible for the spam
> sent in their name, just like links back to/embedded images from their
> website in the spam emails would be strong evidence.

Strong evidence, but not damning evidence?

Let's compare these three scenarios.

(1) You receive an email from a server and that email claims to be from 
WontPublish.com. However, you can't find any SPF records for 
WontPublish.com, and so can't verify whether the message is being sent 
through an approved server.

(2) You receive an email from a server that claims to be from 
DoesPublish.com. The SPF record shows that the server is not allowed to 
send email for DoesPublish.com. (SPF FAIL)

(3) You receive an email from a server that claims to be from 
DoesPublish.com. The SPF record shows that the server is allowed to send 
email for DoesPublish.com. (SPF PASS)

Will you treat these emails differently, or all the same?

Now consider the three cases above, where subsequent testing or examination 
reveals that the email is obviously spam or a virus or fraud. Will you hold 
the claimed domain name responsible, or in other words, the owner of the 
domain name?

> The point you originally made that I (still) take issue with is:
>
>    "When an email is sent using the domain name of an SPF publisher, you
>     can compare the server sending the mail and the published sending
>     policy of the sender. If it doesn't match, then the message is obviously
>     forged and can be discarded. If it does match, then the owner of the
>     domain has said that email coming from that server is email coming from
>     him. He has claimed responsibility."
>
> Publishing an SPF record from a domain indicates where mail from that
> domain may legitimately originate. That is the purpose of SPF. That is
> *not* the same as saying that *any* mail from that source using that
> domain is legitimate and that the sending domain is claiming
> responsibility for it. SPF is not equivalent to a DNA test for spammers.
> It is more akin to a witness line-up. It is evidence, but not strong
> enough to merit a conviction unless corroborated.

Suppose I tell you, personally, "Paul, I own jonathangardner.net. If you get 
email from anybody but my home server at 66.92.192.241 that claims to be 
from me, I want you to throw it away." If you received email from some 
other IP address claiming to be from jonathangardner.net, would you treat 
it as if it came from me? Would you send bounces to me for that message? 
Would you call me up and tell me to stop sending you spam if it were spam?

Suppose I tell you, "Paul, I own jonathangardner.net and any mail that comes 
from 66.92.192.241 that claims to be from me is email from me." Suppose you 
received spam from 66.92.192.241 that claimed to be from me. Would you say 
to yourself, "Man, that jonathangardner.net guy is an idiot. I better 
filter on his email." Or would you say, "That Jonathan guy is a liar."

> Remember that the original thread was entitled "SPF is not usable as
> legal measure against spammers." The standard of proof required in a
> legal case is considerably higher than one would apply to one's mail
> server filters I'd expect.

This is the line of reasoning, and I have yet to see anyone even attempt to 
refute it. So far, people offer up explanations on why DNS or IP addresses 
or individual computers cannot be secured or protected or trusted. But that 
is all irrelevant. I am talking about responsibility.

If I tell you that email coming from a server in my name is my email, am I 
responsible for that email?

If I send you the vilest pieces of mail, such as the recent Nigerian death 
threat email from that server, in my name, wouldn't you hold me 
accountable? Wouldn't you call the FBI or CIA and tell them I am 
cooperating with the Nigerian crime ring?

How could I possibly claim no responsibility? I know that I could probably 
say, "I was hacked, it wasn't me," but then the burden of proof is on me to 
show it.

-- 
Jonathan M. Gardner
Mass Mail Systems Developer, Amazon.com
jonagard(_at_)amazon(_dot_)com
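As an added illustration of the three scenarios discussed in this post (this is not code from the original thread), here is a minimal SPF evaluator that separates the "is this forged?" question from the "who vouched for it?" question. The domains and the 66.92.192.241 address come from the post; the record contents and the 192.0.2.x / 198.51.100.x addresses are constructed for the example, and only the ip4 and all mechanisms are implemented.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups. Domains and 66.92.192.241 are from
# the thread; the other record contents are assumed purely for illustration.
SPF_RECORDS = {
    "doespublish.com": "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 -all",
    "jonathangardner.net": "v=spf1 ip4:66.92.192.241 -all",
    # wontpublish.com deliberately has no record at all (scenario 1)
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, records=SPF_RECORDS):
    """Evaluate the sender domain's record against the connecting IP.
    Returns one of: none, pass, fail, softfail, neutral.
    Only ip4 and all are handled (no include/a/mx/redirect)."""
    record = records.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"              # scenario (1): nothing to compare against
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"            # mechanisms default to '+' (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]   # catch-all decides scenario (2)
        if term.startswith("ip4:") and ip.version == 4:
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]   # listed sender: scenario (3)
    return "neutral"               # no mechanism matched and no 'all' term


def handling(result):
    """Map the SPF result to the two separate questions raised in the post:
    is the message rejected as forged, and can it be attributed to the domain."""
    if result == "fail":
        return {"accept": False, "attributable": False}  # forged: domain not on the hook
    if result == "pass":
        return {"accept": True, "attributable": True}    # domain vouched for this server
    return {"accept": True, "attributable": False}       # no SPF evidence either way
```

A PASS only says the domain owner listed that server; whether that amounts to responsibility for the message content is the policy question the thread is arguing about, not something the check itself decides.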