-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of Dave
Crocker
Sent: Wednesday, September 22, 2004 10:09 PM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] Is SPF Authenication or Authorization?
On Wed, 22 Sep 2004 21:51:26 GMT, Mark wrote:
There is no reason to exaggerate this "spoofing", though, as the
extent is only local. Simply put: only users on your system can set
their address to another user of that system (or likely an non-
existing, local user even), as
well, as long as the threat is limited to the few (1?, 10? 70?) millions
of users that share my ISP's MTA, I guess that's ok.
d/
--
Which is why if one is using a shared MTA that does not have technical
restrictions to prevent cross-customer forgery I maintain you don't want to
give that SMTP server a PASS in your SPF record. It would be better to
precede the mechanism for the server with "?" so that it gives a NEUTRAL
result.
Scott Kitterman