spf-discuss

Re: Electronic Frontier Foundation (EFF) Article On Anti-Spam Technologies Mentions SPF

2004-11-18 11:49:20
On Thu, 18 Nov 2004 12:10:46 -0500, Theo Schlossnagle wrote:
  On Nov 18, 2004, at 11:59 AM, Dave Crocker wrote:
 >  As has happened to me several times over the last few weeks, I
 >  needed to use machines and networks that were not in my regular
 >  set. This meant using MTAs that were not in my regular set.
 >  Some were public kiosks and some were friends' PCs, where I set
 >  the rfc2822.From field to be my address.
 >
 >  All of the messages from those situations would be assessed as
 >  "unauthorized" and therefore would be falsely rejected.
 >
  That's not precisely true.  IF the owner of the domain that was
  present in your RFC2822 From address says that you can't do
  that... then you can't do that and it isn't a false positive -- It's
  a painful policy.

I was not describing unauthorized usage.  I was describing spontaneous usage.

SPF essentially eliminates spontaneous scenarios, by virtue of requiring 
pre-registration.

It's a lot like saying that you cannot drop a postal letter into just any ol' 
mailbox, because you would need to pre-register it with the letter-carrier who 
will drop it in the delivery mail slot.


  Of course, if people published RFC2821 policies are suddenly
  interpreted in an RFC2822 context, then absolutely.  Maybe I
  missed the first part of this thread and that is what you are
  referring to as "SPF".

rfc2821.mailfrom is set by the rfc2822.sender.  So, mailfrom might appear in 
the envelope, but it represents the world of the author, not the world of the 
carrier (MTA) even though it registers MTA information.



On Thu, 18 Nov 2004 19:00:24 +0100, jpinkerton wrote:
  If you choose to use your friend's e-mail service to send your
  mails and spoof your own address - that's SPOOFING - and *exactly*

This nicely demonstrates the problem with mis-using important terminology.

The dictionary definition of 'spoof' is "a hoax".  The computer science use of 
the word is similar.

Certainly the scenarios I described were not hoaxes.  There was nothing false 
or misleading about the use.  They were authorized and they correctly 
identified the actual author (me).  


  what SPF tries to eliminate - it's an e-mail pretending to come
  from somewhere it doesn't - just like thousands of spam mails
  every minute.

There was nothing about the scenarios that involved pretending.  Merely 
spontaneous usage.


  You could persuade your friends to have spf records which would
  include your own domain of course, and that would make it work
  perfectly.

We're sitting in a meeting.  My friend is not a geek; they do not administer 
domain names.  

I need to send a message urgently.  It's really important.  I ask to send a 
message from their pc, and set the rfc2822.From field to be my actual email 
address.

Now, how is this scenario unreasonable and/or how can spf work "correctly" in 
this real-world situation.


  On the other hand - you could always use your considerable
  technical skills to set yourself up with your own smtp-auth on

And what about supporting the 999,000,000 users of the Internet who are not 
geeks?


d/
--
Dave Crocker
Brandenburg InternetWorking
+1.408.246.8253
dcrocker  a t ...
www.brandenburg.com
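As an added illustration, not part of this thread's text: a minimal SPF evaluator run over constructed records for a hypothetical author domain example.com and a hypothetical friend's provider friend.example. It shows that mail relayed through the friend's MTA with the author's address fails the author's own record, and passes only once the author's record (not the friend's) lists the friend's sending network.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (hypothetical domains).
# example.com: the author's domain. friend.example: the friend's mail provider.
RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "friend.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}
# The same records after the owner of example.com adds the friend's provider.
RECORDS_WITH_INCLUDE = dict(RECORDS)
RECORDS_WITH_INCLUDE["example.com"] = (
    "v=spf1 ip4:192.0.2.0/24 include:friend.example -all"
)

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, records=RECORDS, depth=0):
    """Evaluate the ip4, include and all mechanisms of an SPF record, left to
    right, for the connecting MTA address `ip` and the MAIL FROM domain."""
    if depth > 10:                      # RFC 7208 lookup limit, simplified
        return "permerror"
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                   # no policy published for this domain
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"                 # mechanisms default to "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include matches only when the referenced record yields "pass"
            matched = check_host(ip, arg, records, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            continue                    # a, mx, exists, ... not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # fell off the end of the record


if __name__ == "__main__":
    # Author's own MTA, the friend's MTA, and a public kiosk, all sending
    # MAIL FROM <someone@example.com>; second column is with the include.
    for mta in ("192.0.2.10", "203.0.113.7", "198.51.100.5"):
        print(mta, check_host(mta, "example.com"),
              check_host(mta, "example.com", RECORDS_WITH_INCLUDE))
```

The kiosk case stays a fail either way, which is the spontaneous-usage problem the message describes: a receiver honouring "-all" cannot distinguish it from forgery.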

