See below...
-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com [mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of Daniel Taylor
Sent: Wednesday, July 21, 2004 2:10 PM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] SPF and Responsibility
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Michel Bouissou wrote:
| On Wednesday 21 July 2004 19:17, Jonathan Gardner wrote:
|
|>>Nowhere does it say that any SPF "pass" result means that the sending
|>>domain accepts responsibility for email in a complete and legally-binding
|>>way. In fact I would go as far as to wager that if it did say something
|>>like that then the number of domains publishing SPF would shrink
|>>significantly and the technology would never actually take off.
|>
|>Here again, it supports my argument. If I permit email to be sent in my
|>name, I am claiming responsibility for it.
|
|
| Nope.
|
| "SPF pass" doesn't mean in any way "All the mail coming from that server and
| claiming to be from me is actually from me".
|
On the contrary, that is _exactly_ what it means.
If you cannot make that statement with the same level of confidence
that you can "material published on my website actually comes from me",
then you shouldn't use +serverIdentifier.
Consider BIGISP.com; they have 1 mail server, mail.bigisp.com.
Little company abc.com buys a DSL account from bigisp.com, and they set up their email to relay through mail.bigisp.com, and abc.com's SPF record indicates mail.bigisp.com is the only mail server abc.com email comes from.
Little company spammer.com buys a DSL account from bigisp.com. He knows that abc.com is also using mail.bigisp.com by examining abc.com's SPF record (that's why he bought the DSL account from bigisp.com). Now he sends a spam, faking the from address as whatever(_at_)abc(_dot_)com, targeting victim(_at_)spamtarget(_dot_)com.
If mail.spamtarget.com has SPF installed on his mail server, does he have any SPF way of rejecting those emails, because, after all, they appear to be coming from the correct mail server for the domain abc.com?
My knowledge of SPF says no (please correct me if I am wrong).
If I am correct, then even an SPF pass does not prove the email to be legitimate or from the owner of the domain.
Terry Fielder
terry(_at_)ashtonwoodshomes(_dot_)com
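The shared-relay scenario in the message above, worked through as an added example (not part of the original message and not taken from any SPF implementation): a simplified Python sketch of the receiver-side check that supports only the `a`, `ip4` and `all` mechanisms. The IP addresses, the `sales` mailbox, the session labels and the DNS tables are constructed, and abc.com's record is assumed to be `v=spf1 a:mail.bigisp.com -all`.

```python
import ipaddress

# Constructed DNS data for the scenario (documentation IP ranges, assumed record).
A_RECORDS = {"mail.bigisp.com": ["192.0.2.25"]}
TXT_RECORDS = {"abc.com": "v=spf1 a:mail.bigisp.com -all"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(client_ip, mail_from):
    """Simplified SPF check: inputs are only the connecting IP and the envelope sender."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = TXT_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term[1:] if term[0] in QUALIFIERS else term
        name, _, arg = mech.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            hosts = A_RECORDS.get(arg or domain, [])
            matched = any(ip == ipaddress.ip_address(h) for h in hosts)
        else:
            continue  # mechanisms outside this sketch are skipped
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


# Constructed sessions as seen by mail.spamtarget.com.
# The first field (who handed the message to the relay) is NOT visible to the receiver.
SESSIONS = [
    ("abc.com DSL customer", "192.0.2.25", "sales@abc.com"),
    ("spammer.com DSL customer", "192.0.2.25", "whatever@abc.com"),
    ("unrelated host", "198.51.100.7", "whatever@abc.com"),
]


def evaluate_sessions():
    return [(who, check_host(ip, sender)) for who, ip, sender in SESSIONS]


if __name__ == "__main__":
    for who, result in evaluate_sessions():
        print(f"{who:26} -> {result}")
```

The first two sessions get the same result because the check sees only the relay's IP and the envelope domain; which customer submitted the message to mail.bigisp.com is not an input to it.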