spf-discuss

RE: Sender ID in the news

2004-10-27 02:10:13
From: Chris Haynes
Sent: Wednesday, October 27, 2004 3:16 AM

"Stuart D. Gathman" commented:

I would like to reiterate
my desire (which doesn't seem to be shared by anyone else so far)
that any RFC2822 checks are based on the validated 2821 MAIL FROM.

I'm with you, FWIW. In a post a few days ago I declared my view
that any 2822 inspections / tests should take place only after a 'pass'
result from the 2821 MAIL-FROM test.  This was when we were discussing
the legality of transports inspecting 2822 contents. I did have an
additional requirement - that the sender had published a policy
component which implicitly gave the inspector authority to inspect the
DATA part.

Hey, I agree with both of you on this.  This is where SPF started and I
think it's still the right approach.  Authenticate the 2821 address first,
and then hope that the domain owner enforces submission rights and publishes
that fact to allow you to look for equivalence of 2821 and 2822 sender
addresses.  At least, that's what I think you're saying.  It wouldn't bother
me a bit if everyone decided that 2821 and 2822 sender always had to match,
but I know that's no longer possible.  It's awfully hard to put the genie
back in the bottle.

I still have a question for Chris.  As a forwarder, don't any of your
customers ask you to run SpamAssassin on their accounts?  What I'm getting
at is do you really need some kind of permission to inspect headers in an
automated fashion in order to detect forgery?  You're not recording anything
that is not a forgery, so in what way are you violating privacy?  The MTA is
scouring the headers for lack of a match to indicate forgery, but the
machine sees every byte on the way through anyway.  As long as no human sees
the content of any email not addressed to them and the machine doesn't
record anything about non-forgeries, has there been any violation?  Is this
like if a tree falls in the forest and no one is there to hear it ...

Forgive me if these are foolish questions, but I've never been in the
forwarding business so I've never had to think about it.

--

Seth Goodman
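
Added example (not part of the original message and not code from any SPF implementation): a sketch of the ordering discussed in this thread, where the RFC 2822 headers are compared with the RFC 2821 MAIL FROM only after that address has passed, and nothing is recorded unless a mismatch is found. The function names, the publishes_submission_policy flag and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail).
SAMPLE_OK = "From: Alice <alice@example.org>\nSubject: hi\n\nbody\n"
SAMPLE_FORGED = "From: Bank <security@bank.example>\nSubject: notice\n\nbody\n"

def domain_of(addr):
    """Return the lower-cased domain of an address, or None if it has none."""
    _, mailbox = parseaddr(addr or "")
    if "@" not in mailbox:
        return None
    return mailbox.rsplit("@", 1)[1].lower()

def check_message(spf_result, mail_from, raw_message, publishes_submission_policy):
    """Gate the RFC 2822 header comparison on the RFC 2821 MAIL FROM result.

    spf_result: outcome of the MAIL FROM check ("pass", "fail", "none", ...).
    publishes_submission_policy: hypothetical flag standing in for the
    "policy component" the thread wishes the sending domain published.
    Returns (verdict, record). record is None unless a mismatch is found,
    so nothing is retained about messages that are not forgeries.
    """
    if spf_result != "pass":
        return ("skip: MAIL FROM not validated", None)
    if not publishes_submission_policy:
        return ("skip: no published policy", None)
    envelope_domain = domain_of(mail_from)
    if envelope_domain is None:
        return ("skip: null or malformed MAIL FROM", None)
    msg = message_from_string(raw_message)
    # Assumption: use Sender: as the 2822 sender when present, else From:.
    header_name = "Sender" if msg["Sender"] else "From"
    header_domain = domain_of(msg[header_name])
    if header_domain == envelope_domain:
        return ("match", None)
    return ("mismatch", {"envelope": envelope_domain,
                         header_name.lower(): header_domain})

if __name__ == "__main__":
    print(check_message("pass", "alice@example.org", SAMPLE_OK, True))
    print(check_message("pass", "bounce@example.org", SAMPLE_FORGED, True))
    print(check_message("fail", "bounce@example.org", SAMPLE_FORGED, True))
```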

