spf-discuss

Has this been considered

2004-10-22 01:58:05
Hi,

Looking through the archives I see a lot of references to using SPF to stop
phishing, and this seems to be one of the major stumbling blocks of
progress.

I would propose that rather than trying to fly to the moon on our first RFC,
it becomes a two-stage process.

SPF1 (classic or whatever) defines validation of HELO and MAILFROM (which it
seems to do quite well)
and
SPF2 addresses validation of sender (which personally I don't actually
believe is possible by an MTA unless it has direct control over the source
of the message).

Once all domains are validated (and that requires removal of ?all and ~all)
then it becomes fairly simple to stop spam. A spammer can only spam if they
are anonymous. Once they have to use their real domain it becomes fairly
simple to stop them by using an RBL type list.

To address phishing we need to educate people. Would you expect a member of
the public to receive a letter saying "Please enter all your bank account
details in the attached form and send it back in the supplied envelope"?
Never trust any message that is not digitally signed or even encrypted.

This is a design problem in MUAs, not MTAs. Why?
When I get a signed message my mail client says 

"This message has been signed by XXXX and has not been modified".     

What it should be doing is saying for every other message I open 

"This message has not been signed and cannot be trusted"

This would have the effect of making all the banks sign their messages. In
fact we would all have to sign our messages if we wanted them to be trusted.

Regards

Richard Bang
Floosietek Ltd
richard(_at_)ftgate(_dot_)com
http://www.floosietek.com
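
The message above ties domain validation to removing ?all and ~all from published records. As an added example that is not part of the original post, this Python sketch classifies how an SPF record treats senders that match no mechanism, following the RFC 7208 term syntax; the function names and the sample records are constructed for illustration.

```python
# Added example: classify how an SPF record ends, per RFC 7208 syntax.
# Function names and sample records are constructed for illustration.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def terminal_policy(record):
    """Return (result_for_unmatched_senders, note) for one SPF TXT record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ("none", "not an SPF version 1 record")
    redirect = None
    for term in terms[1:]:
        lowered = term.lower()
        if lowered.startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        # A mechanism may carry a leading qualifier; the default is "+".
        qualifier, name = ("+", lowered)
        if lowered[0] in QUALIFIERS:
            qualifier, name = lowered[0], lowered[1:]
        if name == "all":
            # Terms after "all" are never evaluated and redirect is ignored.
            return (QUALIFIERS[qualifier], f"ends in {qualifier}all")
    if redirect:
        return ("deferred", f"policy comes from {redirect}")
    # No "all" and no redirect: unmatched senders get the default neutral.
    return ("neutral", "no all mechanism; default result is neutral")

def is_enforcing(record):
    """True only when unmatched senders get a hard fail (-all)."""
    return terminal_policy(record)[0] == "fail"

SAMPLES = {  # constructed records
    "strict.example": "v=spf1 mx ip4:192.0.2.0/24 -all",
    "soft.example": "v=spf1 include:_spf.example.net ~all",
    "neutral.example": "v=spf1 a ?all",
    "open.example": "v=spf1 a mx",
    "redir.example": "v=spf1 redirect=_spf.example.net",
}

if __name__ == "__main__":
    for domain, txt in SAMPLES.items():
        result, note = terminal_policy(txt)
        print(f"{domain:16} {result:9} enforcing={is_enforcing(txt)}  {note}")
```

A record with no all mechanism and no redirect behaves like ?all, so a receiver auditing for enforcement has to treat a missing terminal term the same way as an explicit neutral one.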