spf-discuss

RE: Re: Please Don't Reject SPF NEUTRAL

2004-09-24 06:30:56
-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of Mark 
Shewmaker
Sent: Thursday, September 23, 2004 10:21 PM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] Re: Please Don't Reject SPF NEUTRAL

On Thu, 2004-09-23 at 21:36, Scott Kitterman wrote:

Right.  But getting stuck on a RHSBL would be much worse.  It wouldn't
matter what MSA you used.  Your mail would still be blocked.

I am guessing that domain-based blocklists will over time migrate towards
some sort of aging algorithms, half-lives or other sorts of decays applied
to reports.

Note: Tried to edit this to match your follow-up message.

People will get into those lists incorrectly, so the lists will have to
have some sort of way for domains to get out of them--or fewer
recipients won't use them because of false positives.

For a RHSBL this is an even bigger deal for the sender since you can't just
jump to an alternate MTA.  This makes it good for making spam more
expensive, but bad for anyone that gets caught up in the list by mistake.  I
think people are going to have to be able to get off very quickly or they
will do what they have to do to avoid the false positive risk (e.g. take
down their SPF records).

People stayed away from SPEWS way back when for just such reasons, and
folks use spamhaus and other pretty-trustable RBLs because of their
accuracy and low false positives.

If an MSA submits spam, shouldn't they be the one that gets shut down?
They accepted the message for submission.

I want to live in a world in which I can go to an email service
provider, set up an account, be completely protected from cross-customer
forgeries of both MAILFROM and PRA types(*), and yet still be able to
send out emails via that ESP even if they also have unrepentant spammers
as other customers, without worrying about being blocked based on the
ESP's outgoing IP addresses.

This is one area where I think something like PRA could have helped people
in my situation ("vanity" domain stuck on shared MTA).  I have
?include:verizon.net in my record and so anything coming from their MTAs
gets a MAILFROM NEUTRAL, but if they were to add a Verizon.net
SUBMITTER/SENDER on the way out the door, then PRA (or hopefully some
unencumbered equivalent) could get a PASS based on their record.  This would
be a big win I think.

This would be one procedural approach to using multiple scopes to avoid the
risk of cross customer forgery without the challenges to the ISPs that would
come from regulating MAILFROM access.

I think this world can come about, as spf and similar techniques become
popular.

IMHO requiring ESPs to be forever responsible for the content-based
actions of their customers is pretty extreme.  I accept it for now, as
spf isn't popular enough to transition from IP-based to domain- or
email-address-based blocklists, but I hope this to be a temporary
situation.

I hope so too, but I worry that little domains like mine (sending dozens of
e-mails per day at most) will never be able to develop enough of a positive
reputation to survive in such a world.

I'd prefer ESPs to concentrate on technical excellence, leaving
spaminess judgements, especially grey-area judgements, to the
end-recipients and the reputation and accreditation organizations they
trust.


(*) Still writing up an email on what I think that means.

I'll be interested to read that.  I'm very interested in the topic.  The
last thing I want to have to do is go set up my own mail server to get an
SPF pass.
--
Mark Shewmaker
mark(_at_)primefactor(_dot_)com

Scott Kitterman

