spf-discuss

RE: SPF-compliant phishing?

2004-09-16 19:19:39
-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of Stuart 
D. Gathman
Sent: Thursday, September 16, 2004 8:10 PM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: RE: [spf-discuss] SPF-compliant phishing?


On Thu, 16 Sep 2004, Scott Kitterman wrote:

Until you (meaning all of us) attack the cross customer forgery problem on
shared MTAs, those of us who want to outsource SMTP services
are out of luck getting to pass.

I asked for this at dnsmadeeasy.com - they said there was "no demand".
If more people asked for this from their sales support, (and other
vendors as well), they might begin to get the message.  If you have
any pointers to evidence of demand for return path validation, I
would be happy to pass them along as their customer.  (I currently use
my company's MTA.)

I have asked at my domain host.  Even had a newsgroup dialogue with the
president of the company (how about that, a Netcraft top 50 web hosting
company where the president still reads the newsgroups regularly).  I'm in
the process of switching DSL providers and once that's done, I'll ask there
too.

What I would REALLY like is for somewhere in the spec for it to explicitly
say that it is the responsibility of shared MTA providers to put in place
technical measures to prospectively prevent cross-customer mail-from
forgery.  I say prospective because saying they'll cancel the account
doesn't get my e-mail delivered if I get stuck on a RHSBL because of it.

What I would ask one of these companies now is, do you want to be a market
leader or a market follower?  In a world with no SPF, cross-customer forgery
wasn't a problem because those forgeries didn't look any more or less forged
than anything else.  With SPF it's a different ballgame.  No, no market
today (or very small), but what will it be in a few years when an SPF PASS
becomes essentially mandatory to participate in e-mail?  Get in there first
and market it as a competitive advantage.  There aren't many of those in
what is largely a commodity market.

Scott Kitterman
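
The kind of prospective technical measure asked for above, as an added example that is not part of the original message or of any provider's code: a shared MTA checks at MAIL FROM time that the envelope sender's domain belongs to the authenticated customer, so one customer cannot borrow another's SPF PASS. The account table, function names and reply texts are assumptions made for illustration.

```python
# Added example: submission-time MAIL FROM ownership check for a shared MTA.
# Account names and domains are constructed sample data.

# Hypothetical provider table: authenticated account -> domains it may send as.
CUSTOMER_DOMAINS = {
    "alice": {"alice-widgets.example"},
    "bob": {"bob-consulting.example", "bob.example"},
}

def sender_domain(mail_from):
    """Return the lower-cased domain of an envelope sender, '' for the
    null sender (<>), or None if the address is malformed."""
    addr = mail_from.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    if addr == "":
        return ""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return None
    # Domains compare case-insensitively; drop a trailing root dot.
    return domain.rstrip(".").lower()

def check_mail_from(auth_user, mail_from, table=CUSTOMER_DOMAINS):
    """Decide before the message is accepted for relay.
    Returns (accepted, smtp_reply)."""
    owned = table.get(auth_user)
    if owned is None:
        return False, "530 5.7.0 Authentication required"
    domain = sender_domain(mail_from)
    if domain is None:
        return False, "501 5.1.7 Bad sender address syntax"
    if domain == "":
        # Null sender (bounces): there is no MAIL FROM domain to forge;
        # SPF falls back to the HELO identity for these.
        return True, "250 2.1.0 Ok"
    # Exact match only: a subdomain must be listed explicitly.
    if domain in owned:
        return True, "250 2.1.0 Ok"
    return False, "550 5.7.1 Sender domain not owned by authenticated account"

if __name__ == "__main__":
    for user, sender in [("alice", "<sales@alice-widgets.example>"),
                         ("alice", "<ceo@bob.example>"),
                         ("bob", "<>")]:
        print(user, sender, check_mail_from(user, sender))
```

Because the rejection happens during the SMTP transaction, the forged message never leaves the shared MTA, which is what distinguishes this from cancelling the offending account afterwards.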

