spf-discuss

RE: Re: Please Don't Reject SPF NEUTRAL

2004-09-20 06:22:33
-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of Frank 
Ellermann
Sent: Saturday, September 18, 2004 4:54 PM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: [spf-discuss] Re: Please Don't Reject SPF NEUTRAL

Scott Kitterman wrote:

'+' essentially says I guarantee it's not a forgery and if
it's spam, feel free to punish me.

While I agree with most of what you've said this is NOT TRUE.
'+' says "my mail may be sent with the implied IP(s)", but it
doesn't say "any mail sent with the implied IP(s) and claiming
to be sent from me is no forgery".

I know that this is your personal interpretation, but it's not
in the specs.  Otherwise something like "+all" would be an
obvious lie.  But "+all" is no lie, it's only stupid.  It does
not guarantee "no forgery".

You are correct.  I was writing too quickly and casually.

If you say that "+" implies "feel free to punish me if it's
spam", then where's the problem ?  Either your mail provider
fixes this problem very fast, or it's a spam-friendly provider
allowing his users to forge your MAIL FROM.  And in the latter
case you would leave this criminal organization a.s.a.p., and
don't waste your time with modifying "+" into "?".

My concern is not so much with today, but once RHSBLs get going, the risk
becomes much greater.  While the ISP might fix the problem very quickly and
cancel the other guy's account, I may be stuck on a RHSBL and until I fix
that, my e-mail can't be delivered.

What does an SPF PASS really buy me?  I don't think that anyone is likely
to do reduced filtering on stuff that gets a PASS.  In SpamAssassin 3.0 it
gets me a .1 change in the score in the direction of HAM (a trivial change,
for those not familiar with SpamAssassin).

Why take the risk of getting my domain blacklisted?

The major point of SPF (for me anyway) is the -all that says that the rest
of the internet are NOT permitted senders.

SMTP AUTH really has nothing to do with it.

Probably Jonathan was talking about RfC 2476 resp. 2476bis,
<http://www.ietf.org/internet-drafts/draft-gellens-submit-bis-00.txt>

 [6.1, another case of "MAY-be not", sigh]
| The MSA MAY issue an error response to the MAIL FROM command
| if the address in MAIL FROM appears to have insufficient
| submission rights, or is not authorized with the
| authentication used (if the session has been authenticated).

Together with 8.1 there are too many "MAY-be not" in 2476bis,
let's hope that the authors either fix it, or drop this draft.

Someday rejecting NEUTRAL may be fine.

That won't happen in our lifetime, therefore I don't worry.

Yeah, I agree.  I shouldn't have written that either.

                         Bye, Frank

Scott Kitterman
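
The qualifier semantics debated in this thread, as an added example that is not part of the original messages: a small evaluator for the `ip4`/`ip6`/`all` subset of SPF, showing how `+`, `?` and `-all` change the result for a shared ISP relay versus the rest of the internet. The records, the documentation-range addresses and the names `check_host` and `receiver_action` are constructed for illustration.

```python
import ipaddress

# Qualifier prefix -> SPF result; a mechanism with no prefix defaults to "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(record, client_ip):
    """Evaluate the ip4/ip6/all subset of an SPF record for one client IP."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]      # "all" matches every sender
        if name not in ("ip4", "ip6"):
            raise ValueError("mechanism outside this example's subset: " + name)
        net = ipaddress.ip_network(arg, strict=False)
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]      # first match wins
    return "neutral"                          # nothing matched: default result

def receiver_action(result):
    """Hypothetical receiver policy: reject FAIL only, never NEUTRAL."""
    return "reject" if result == "fail" else "accept-and-filter"

# Constructed sample data: a shared ISP relay range and an unrelated host.
SHARED_RELAY = "203.0.113.25"
ELSEWHERE = "198.51.100.7"
RECORDS = {
    "vouch for shared relay": "v=spf1 +ip4:203.0.113.0/24 -all",
    "neutral on shared relay": "v=spf1 ?ip4:203.0.113.0/24 -all",
    "plus-all": "v=spf1 +all",
}

if __name__ == "__main__":
    for label, record in RECORDS.items():
        for ip in (SHARED_RELAY, ELSEWHERE):
            result = check_host(record, ip)
            print(f"{label:24} {ip:14} {result:8} {receiver_action(result)}")
```

With the `?ip4:... -all` record the shared relay yields NEUTRAL while every other sender still gets FAIL, so the `-all` protection is kept without a PASS being issued for other customers of the same relay.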