spf-discuss

Re: Re: change of version string

2004-08-09 21:00:00
John -

> unless one allows for checking SMTP mail from in the
> absence of the Submitter extension.
> ...
> * By not checking whether the SMTP mail from is properly
> formed, and

By these you mean extract and verify the PRA from the 2822 headers?

Your concerns seem to hinge on the idea that implementors will not check the 2822 headers in the absence of SUBMITTER. Yet, the drafts clearly state that you have to check the 2822 headers for PRA, in either case. If SUBMITTER is present, and passes, then you still have to extract PRA and check that it is the same. If SUBMITTER is absent, then you have to extract PRA and check that.

It is my belief that the working group agreement to advance these drafts is based on the idea that MTAs will do this work to extract PRA.

> Mark, I understand your role is to translate the
> instructions you received from the MARID WG into a draft
> protocol for Sender-ID.

Well... I do think I had a little more input than that... :-)

> My request was to ask you to review these instructions and
> ascertain whether or not you could see your way clear to
> dealing with a number of concerns.

I do agree with you that, if an MTA doesn't check the headers for PRA, then yes, there is a security hole. But this is because the MTA isn't compliant.

The only scenario in which an MTA can skip the headers is if SUBMITTER is present, and passes the check, and the receiving MTA finds the domain is on their white-list (or has some very high reputation score). This isn't a security hole because a domain that a spammer can get past the SUBMITTER check (one they control) isn't going to be white-listed or have a high reputation score.

        - Mark
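
The receiver-side checks described in this message, sketched as an added example (not code from the thread or the drafts). PRA selection is simplified to the header order Resent-Sender, Resent-From, Sender, From; `domain_passes` is a hypothetical stand-in for the DNS-based check of the connecting client against a domain, and all addresses are constructed.

```python
from email import message_from_string
from email.utils import getaddresses

def extract_pra(raw):
    """Simplified PRA selection; returns a mailbox or None if ill-formed."""
    msg = message_from_string(raw)
    for name in ("Resent-Sender", "Resent-From", "Sender", "From"):
        values = [v for v in msg.get_all(name, []) if v.strip()]
        if not values:
            continue
        if name in ("Sender", "From") and len(values) > 1:
            return None                      # duplicated header: ill-formed
        boxes = getaddresses([values[0]])
        if len(boxes) != 1 or "@" not in boxes[0][1]:
            return None                      # several mailboxes or no domain
        return boxes[0][1].lower()           # lowercasing is a simplification
    return None                              # no usable header at all

def verdict(raw, submitter, domain_passes, whitelist=frozenset()):
    """submitter: SUBMITTER parameter from MAIL FROM, or None if absent."""
    if submitter is not None:
        sub = submitter.lower()
        domain = sub.rpartition("@")[2]
        if not domain_passes(domain):
            return "reject: SUBMITTER failed"
        if domain in whitelist:              # the one case where headers may be skipped
            return "accept: whitelisted, headers skipped"
        if extract_pra(raw) != sub:          # SUBMITTER passing is not enough
            return "reject: SUBMITTER does not match PRA"
        return "accept"
    pra = extract_pra(raw)                   # SUBMITTER absent: PRA is still checked
    if pra is None:
        return "reject: no PRA"
    if not domain_passes(pra.rpartition("@")[2]):
        return "reject: PRA failed"
    return "accept"

# Constructed sample: the headers claim bank.example, but the client is only
# authorized for bulk.example, a domain its operator controls.
FORGED = "From: Accounts <billing@bank.example>\nSubject: notice\n\nbody\n"
HONEST = "Sender: promo@bulk.example\n" + FORGED
PASSING = {"bulk.example"}                   # domains whose check passes (constructed)

if __name__ == "__main__":
    for raw, sub in ((FORGED, "promo@bulk.example"), (FORGED, None),
                     (HONEST, "promo@bulk.example")):
        print(sub, "->", verdict(raw, sub, PASSING.__contains__))
```
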