spf-discuss

RE: Re: New ideas for RFC2822 headers checking with SPF

2004-10-23 15:10:44
From: Chris Haynes
Sent: Saturday, October 23, 2004 3:59 PM


 Frank Ellermann expressed the concern:

Seth Goodman wrote:

In fact if someone is offering me a message, why should I
exclude myself from scrutinizing anything in that message
before deciding to accept it?

You are of course free to do with your mail whatever you like.
It's less simple if you are processing mail for 3rd parties
(= your users), because then you can't do whatever you want
without prior consent.  Hector often cited some of the legal
aspects here.  E.g. GMail might be illegal where I live, and
maybe also in California.
...

Are we still talking about using William's Record modifier which
says something to the effect 'my 2821 MAIL_FROM should be from
the same domain as (or identical to?) my 2822 FROM' ?

Yes.


I argue that the presence of that modifier in the sender's SPF policy
constitutes the sender giving a carrier (MTA-operator) the _authority_ to
inspect at least that part of the message.

True.  It would be impossible for anyone to verify that their requirement is
met without inspecting the headers, so the permission does seem to be
implicit.



So as long as one first validates the MAIL-FROM and gets an SPF
'pass' and if the modifier is present, the sender can be taken to
have given permission/consent for the message's FROM header to be
inspected.

OTOH, if the MAIL FROM: does not validate, you are looking at a fraudulently
addressed email, and you can then examine it as a spam sample to find the
source of the network abuse.  You do have the right to protect your
facilities from abusive traffic.


We should write this as an explicit part of the I-D/RFC:

 "By using this modifier in a published record, the sender gives
permission for intermediaries to locate and inspect the related
content header from within the message, and to make consequent
decisions on the disposition of the message".

Not a bad idea.  The Yahoo folks didn't seem to find this necessary for
their DomainKeys I-D, which requires not only reading the headers, but the
entire message body as well.



That should give some degree of legal protection (the usual IANAL caveat
applies).

IANAL nor a forwarder, but just out of curiosity, don't forwarders do _some_
inspection of message headers passing through?  For example, do you accept
and forward a message with no message-ID?



If the sender does not agree to having the message examined, then
she should not include that modifier in her policy.

Right again.

--

Seth Goodman
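
The decision order discussed in this message (validate the 2821 MAIL FROM first, then compare the 2822 From header only if the sender's record carries the modifier), as an added example that is not part of the original message or of any SPF draft. The modifier name `x-match-from`, its `domain`/`exact` values, the result strings and the sample record and messages are all constructed assumptions, since the thread does not give the modifier's syntax.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical modifier name; the thread does not state the real syntax.
MODIFIER = "x-match-from"

def domain_of(addr):
    """Lower-cased domain part of an address, or '' if it has none."""
    return addr.rpartition("@")[2].lower().rstrip(".") if "@" in addr else ""

def modifier_mode(spf_record):
    """Value of the hypothetical modifier ('domain' or 'exact'), or None if absent."""
    for term in spf_record.split()[1:]:           # skip the "v=spf1" version term
        name, sep, value = term.partition("=")
        if sep and name.lower() == MODIFIER:
            return value.lower()
    return None

def check_from(spf_result, spf_record, mail_from, raw_message):
    """Apply the header comparison only when the sender's record asks for it."""
    if spf_result != "pass":
        return "mail-from-not-validated"          # record gives no basis for a header match
    mode = modifier_mode(spf_record)
    if mode is None:
        return "no-modifier"                      # sender did not request the comparison
    froms = message_from_string(raw_message).get_all("From", [])
    if len(froms) != 1:
        return "mismatch"                         # missing or repeated From cannot match
    header_addr = parseaddr(froms[0])[1].lower()  # simplification: case-folds local part
    if mode == "exact":
        ok = header_addr == mail_from.lower()
    else:
        ok = domain_of(header_addr) != "" and domain_of(header_addr) == domain_of(mail_from)
    return "match" if ok else "mismatch"

# Constructed sample inputs.
RECORD = "v=spf1 mx x-match-from=domain -all"
MSG_OK = "From: Alice <alice@example.org>\nSubject: hi\n\nbody\n"
MSG_SPOOF = "From: Bank <support@bank.example>\nSubject: hi\n\nbody\n"

if __name__ == "__main__":
    for msg in (MSG_OK, MSG_SPOOF):
        print(check_from("pass", RECORD, "bounce@example.org", msg))
```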

