spf-discuss

Re: Electronic Frontier Foundation (EFF) Article On Anti-Spam Technologies Mentions SPF

2004-11-18 12:11:49
On Thu, 18 Nov 2004 10:49:20 -0800, Dave Crocker <dhc(_at_)dcrocker(_dot_)net> 
wrote:
 
> I was not describing unauthorized usage.  I was describing spontaneous usage.
>
> SPF essentially eliminates spontaneous scenarios, by virtue of requiring
> pre-registration.
>
> It's a lot like saying that you cannot drop a postal letter into just any ol'
> mailbox, because you would need to pre-register it with the letter-carrier
> who will drop it in the delivery mail slot.
>
> rfc2821.mailfrom is set by the rfc2822.sender.  so, mailfrom might appear in
> the envelope, but it represents the world of the author, not the world of the
> carrier (MTA) even though it registers mta information.
>
> The dictionary definition of 'spoof' is "a hoax".  The computer science use
> of the word is similar.
>
>     Word History: We are indebted to a British comedian for the word
>     spoof. Sometime in the 19th century Arthur Roberts (1852-1933)
>     invented a game called Spoof, which involved trickery and nonsense.
>     The first recorded reference to the game in 1884 refers to its
>     revival. It was not long before the word spoof took on the general
>     sense "nonsense, trickery," first recorded in 1889. The verb spoof is
>     first recorded in 1889 as well, in the sense "to deceive." These
>     senses are now less widely used than the noun sense "a light parody or
>     satirical imitation," first recorded in 1958, and the verb sense "to
>     satirize gently," first recorded in 1927.
>
> Certainly the scenarios I described were not hoaxes.  There was nothing false
> or misleading about the use.  They were authorized and they correctly
> identified the actual author (me).
>
> There was nothing about the scenarios that involved pretending.  Merely
> spontaneous usage.

Au contraire.... you were pretending to be sending mail from a domain
that did not authorize the sending of email from where you were at.

> We're sitting in a meeting.  My friend is not a geek; they do not administer
> domain names.
>
> I need to send a message urgently.  It's really important.  I ask to send a
> message from their pc, and set the rfc2822.From field to be my actual email
> address.
>
> Now, how is this scenario unreasonable and/or how can spf work "correctly" in
> this real-world situation.

I don't know. SMTP auth, webmail, a crackberry.... I'm sure I could
think of a couple other approaches if I put my mind to it. It's only
unreasonable if YOU weren't responsible for setting your own policy,
choosing your own provider, etc.

I would argue that spf worked absolutely correctly. Your thesis runs
something like this..... I choose to use a hammer for driving in a
screw. I know that hammers are used to drive nails and not screws. I
get upset because the screw falls out because I used a hammer instead
of a screwdriver. Go figure. (This is intended in good nature...I hope
it is taken that way).

SPF does one thing and one thing only. If you choose to use that tool
or choose to use a provider that uses that tool then you should try
and use the tool the way that it was intended.

Mike
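The disagreement above turns on what SPF actually evaluates: the connecting client IP against the SPF record of the domain in the envelope MAIL FROM (rfc2821.mailfrom), not the rfc2822.From header. The following is an added example, written for this page and not code from the spf-discuss thread or from any SPF implementation, that runs the "friend's PC" scenario through a minimal SPF evaluator. Everything in it is an assumption for illustration: the domains (`dcrocker.example`, `friendisp.example`), the addresses, the DNS records held in an in-memory table, and the evaluator itself, which implements only the `ip4`, `a`, `mx` and `all` mechanisms with the four qualifiers (no `include`, `redirect`, `exists`, `ptr` or macros).

```python
# Added example: toy SPF evaluator over a constructed DNS table.
# Not code from the spf-discuss thread; all names and records are assumptions.
import ipaddress

# Constructed DNS data (assumed for the illustration).
DNS_TXT = {
    # The author's domain lists only its own MX as a permitted sender.
    "dcrocker.example": "v=spf1 mx -all",
    # The friend's ISP lists its outbound range and softfails everything else.
    "friendisp.example": "v=spf1 ip4:198.51.100.0/24 ~all",
}
DNS_MX = {"dcrocker.example": ["mail.dcrocker.example"]}
DNS_A = {
    "mail.dcrocker.example": ["192.0.2.25"],
    "smtp.friendisp.example": ["198.51.100.7"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, mailfrom):
    """SPF result for a client at `ip` announcing MAIL FROM:<mailfrom>.

    Only the envelope sender's domain is consulted; a header From address
    never enters into it. Supports ip4, a, mx and all.
    """
    domain = mailfrom.rsplit("@", 1)[-1].lower()
    record = DNS_TXT.get(domain)
    if record is None:
        return "none"                     # domain publishes no SPF record
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"                   # mechanisms default to "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            host = arg or domain
            matched = any(addr == ipaddress.ip_address(a)
                          for a in DNS_A.get(host, []))
        elif name == "mx":
            host = arg or domain
            matched = any(addr == ipaddress.ip_address(a)
                          for mx in DNS_MX.get(host, [])
                          for a in DNS_A.get(mx, []))
        else:
            return "permerror"            # mechanism not implemented here
        if matched:
            return QUALIFIERS[qualifier]  # first match decides the result
    return "neutral"                      # record exhausted without a match


def scenario_results():
    """The cases argued in the thread, as (client IP, envelope sender)."""
    return {
        # Author's address in the envelope, message relayed by the friend's ISP:
        # the ISP's MTA is not in the author's record, so the domain's "-all" applies.
        "from_friends_pc": check_host("198.51.100.7", "dhc@dcrocker.example"),
        # Same message submitted through the author's own provider (SMTP AUTH):
        # the connecting IP is the author's MX, which the record permits.
        "via_smtp_auth": check_host("192.0.2.25", "dhc@dcrocker.example"),
        # Friend's MUA keeps the friend's envelope sender while the header From
        # carries the author's address: SPF only sees the envelope and passes.
        "friends_envelope": check_host("198.51.100.7", "friend@friendisp.example"),
        # Friend's domain seen from an unlisted address hits its "~all".
        "friends_domain_elsewhere": check_host("203.0.113.5", "friend@friendisp.example"),
    }


if __name__ == "__main__":
    for name, result in scenario_results().items():
        print(f"{name}: {result}")
```

The first two results are the crux of the exchange: the same author, the same envelope address, and one fails while the other passes purely because of which MTA handed the message to the receiver. The third shows why setting rfc2822.From to one's own address on someone else's machine is not what SPF objects to; it is the envelope domain whose policy is consulted.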

