On Wed, 2004-09-15 at 10:03 -0500, Daniel Taylor wrote:
> OK caffeinated avenger to the rescue!
> :)
> SPF doesn't validate users, so SPF validation doesn't know or care
> if the user is forged. The macro expansion combined with strict
> mailer policies _does_ give some control there, but the recipient
> has no way to tell if the server in question implements such
> policies at all or effectively.
> More simply put: validating the user in the first 2 examples
> is beyond the scope of SPF.
In the second example. The first example is very different, but I'll
come back to that. But OK, we accept that SPF doesn't actually let you
validate the user reliably.
> The shared hosting scenarios do illustrate a difficult example
> of this as the hosting provider needs to have good controls
> in place or customer cross-forging at the domain level becomes
> possible.
As I said, an RFC1413 ident macro might help, but in practice most
people wouldn't use it anyway. Many people don't even run ident servers
nowadays.
> It is not possible for the recipient to evaluate the
> policies of the provider directly, so it is necessary for the
> domain owner to do so and set their SPF record accordingly.
> More simply put: if the domain owner trusts their provider
> enough to publish + instead of ?, who am I to gainsay them?
> If I get spam with their domain validated, it is their
> reputation that will suffer.
So the best that 'hosteddomain.com' could do in that situation is to
publish a record with 'unknown' result for their primary mail box? That
is hardly an ideal situation, surely?
But those aren't the most interesting examples -- those are merely a
demonstration that an SPF 'pass' result is neither necessary nor
sufficient to know that a mail really did come from the person (or even
in many cases from anyone at the domain) from which it claims to come.
You only know that they have access to the mailserver in question, and
that that mailserver sometimes sends real mail for the domain.
Those were just a reminder that SPF is _not_ about end-to-end
authentication like GPG is. That's OK -- it doesn't claim to be,
although some people do seem to misunderstand that and need reminding
occasionally.
The example which really interests me is #1. Forgive me, I'll repeat it:
MAIL FROM:<SRS0+xx+yy+example.com+joeuser@pentafluge.srs.infradead.org>
and
Received: from [2002:c1ed:8229:10:2c0:f0ff:fe31:e18] (helo=joeslaptop)
by pentafluge.infradead.org with esmtpsa id 1C7Ej2-0008II-SZ;
Tue, 14 Sep 2004 15:56:09 +0100
From: <joeuser@example.com>
Now who can tell me if this really came from Joe or not?
--
dwmw2
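As an added illustration of the point made in the message above (this is example code written for this page, not code from the thread or from any SPF or SRS implementation), the following Python takes the envelope sender and the header From from example #1 and spells out what an SPF check actually evaluates: only the domain of the MAIL FROM address, which after SRS forwarding is the forwarder's domain, not the domain in the From: header. The SRS0 layout used (hash, timestamp, original domain, original local part, with `=`, `+` or `-` as separator) follows the published SRS scheme; the address values are the ones from the message, with the archive's address obfuscation removed, and "xx"/"yy" stand in for the real hash and timestamp fields. Treating the hash field as free of the separator character is a simplification made here.

```python
import re

# Constructed sample input, taken from example #1 in the message above.
ENVELOPE_FROM = "SRS0+xx+yy+example.com+joeuser@pentafluge.srs.infradead.org"
HEADER_FROM = "<joeuser@example.com>"
RECEIVED = ("Received: from [2002:c1ed:8229:10:2c0:f0ff:fe31:e18] (helo=joeslaptop) "
            "by pentafluge.infradead.org with esmtpsa id 1C7Ej2-0008II-SZ")

# SRS0<sep>hash<sep>timestamp<sep>orig-domain<sep>orig-local ; the same
# separator is used throughout one address, hence the backreference.
SRS0_RE = re.compile(
    r"^SRS0([=+-])(?P<hash>[^=+-]+)\1(?P<ts>[^=+-]+)\1(?P<domain>[^=+-]+)\1(?P<local>.+)$",
    re.IGNORECASE,
)


def split_address(addr):
    """Split 'local@domain' (optionally in angle brackets) into (local, domain)."""
    addr = addr.strip().strip("<>")
    local, _, domain = addr.rpartition("@")
    return local, domain.lower()


def decode_srs0(local_part):
    """Return (orig_local, orig_domain) for an SRS0 rewrite, or None if not SRS0."""
    m = SRS0_RE.match(local_part)
    if not m:
        return None
    return m.group("local"), m.group("domain").lower()


def submission_was_authenticated(received_header):
    """esmtpsa / esmtpa in an Exim-style Received: line means the client used SMTP AUTH."""
    return re.search(r"\bwith\s+esmtps?a\b", received_header) is not None


def spf_scope(envelope_from, header_from, received_header=""):
    """Describe what an SPF result on this envelope sender would and would not tell you."""
    env_local, env_domain = split_address(envelope_from)
    _, hdr_domain = split_address(header_from)
    srs = decode_srs0(env_local)
    return {
        # SPF evaluates the MAIL FROM domain against *that* domain's record.
        "spf_checks_domain": env_domain,
        "header_from_domain": hdr_domain,
        # True only when the envelope domain is the same as the From: domain.
        "aligned": env_domain == hdr_domain,
        # What the forwarder claims the original sender was; SPF never verifies this.
        "srs_original": f"{srs[0]}@{srs[1]}" if srs else None,
        "srs_domain_matches_header": bool(srs and srs[1] == hdr_domain),
        # The laptop authenticated to the relay; that is what an SPF pass reflects.
        "client_authenticated_to_relay": submission_was_authenticated(received_header),
    }


if __name__ == "__main__":
    for k, v in spf_scope(ENVELOPE_FROM, HEADER_FROM, RECEIVED).items():
        print(f"{k}: {v}")
```

Run as a script, the output shows that a 'pass' would be a statement about pentafluge.srs.infradead.org and about a client that authenticated to that relay; whether joeuser@example.com is really Joe is left exactly as open as the message says it is.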