spf-discuss

RE: Electronic Frontier Foundation (EFF) Article On Anti-Spam Technologies Mentions SPF

2004-11-18 15:41:06
-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of 
Vivien M.
Sent: Thursday 18 November 2004 23:14
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: RE: [spf-discuss] Electronic Frontier Foundation
(EFF) Article On Anti-Spam Technologies Mentions SPF

In short, you did precisely what SPF is supposed to prevent:
domain spoofing in MAIL FROM (assuming your friend's relay
did not rewrite your envelope-from to a 'local' SRS domain).
And SPF caught you doing it. Rejoice! This is what you wanted
(according to your published policy).

And, once again, all of the pro-SPF advocates are absolutely
ignoring the key point here, which I made repeatedly about a
year ago and, given that it would be easier to convince the nearest
brick wall about this than the members of this list, I eventually
shut up about :)

What you're saying works very well, for a SMALL domain where
the person needing to 'spoof' controls the SPF record and/or the mail
servers listed in it. That's great, put ?all, include the other
places you may go to (e.g. your employer, relatives, educational
institutions, whatever) and send mail, and go on with life.

The problem comes when you're dealing with large
organizations where some IT department (or ISP helpdesk) sets a -all
policy, and you're too far down on the organizational hierarchy to do
anything about it. (If you're the CEO, you can call up the IT manager
and be like "WTF is this SPF crap that prevented me from sending email
from the golf course?!?!? I WANT IT GONE NOW")

The larger the ISP, the easier it will be for them to implement something
like SMTP AUTH. Only on a SMALL domain might this not be worth the pain;
but a large ISP cannot afford to publish "-all", and then offer no way for
its employees to connect to their mail server from a remote location.

Those individuals are constrained to using their email
addresses in the way that this IT department or ISP wanted their
domain to be used. The blindly pro-SPF crowd with whom I (and others)
argued last year will say "Tough luck, you little spoofing SOB,
you're using their domain, you play by their rules".

Being in the pro-SPF crowd (not necessarily blind, I hope), I would
instead tell the employer: "If you want your employees to use your domain,
from a remote location, then provide a means for them to connect to your
relay." Or I'd tell them not to publish "-all" then. Their choice. At no
point, however, would I badger the employee about it. :)

- Mark 
 
        System Administrator Asarian-host.org
 
---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx

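As an added example (not part of the original thread, and using constructed records for hypothetical domains), the following Python sketch of SPF's check_host evaluation shows concretely what the two sides above are arguing about. It supports only the ip4 and include mechanisms and an in-memory stand-in for DNS TXT lookups; a real evaluator also handles a, mx, ptr, exists, redirect= and exp= and talks to actual DNS. The domain names, addresses and records are assumptions made up for the illustration: "bigcorp.example" is the large organisation with a -all policy, "vivien.example" is the small domain that lists its owner's employer via include and ends in ?all, 198.51.100.0/24 is the employer's relay range and 192.0.2.25 is a friend's unrelated relay.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; these are not real records.
FAKE_DNS_TXT = {
    "bigcorp.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "vivien.example": "v=spf1 ip4:203.0.113.10 include:employer.example ?all",
    "employer.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

# Qualifier prefix -> SPF result for a matching mechanism.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=FAKE_DNS_TXT):
    """Return the domain's v=spf1 record, or None if it publishes none."""
    record = dns.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    return record


def check_host(ip, domain, dns=FAKE_DNS_TXT, depth=0):
    """Simplified check_host(): evaluate sender IP against the domain's
    MAIL FROM policy. Only ip4 and include are implemented here."""
    if depth > 10:  # crude stand-in for the DNS-lookup limit
        return "permerror"
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"  # mechanisms default to "+" (pass) when unprefixed
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            # "all" always matches; it decides mail from unlisted hosts.
            return QUALIFIERS[qualifier]
        if name == "ip4":
            network = ipaddress.ip_network(arg, strict=False)
            if addr.version == 4 and addr in network:
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only if the included domain's policy passes;
            # fail/softfail/neutral there just means "not matched, continue".
            sub = check_host(ip, arg, dns, depth + 1)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub in ("none", "permerror"):
                return "permerror"
        else:
            return "permerror"  # mechanism not implemented in this sketch
    return "neutral"  # no mechanism matched and no "all" term present


def roaming_scenarios():
    """The situations discussed in the thread, as (sender IP, domain) -> result."""
    return {
        # Big org employee at the golf course, relaying via a friend's server.
        "bigcorp via friend relay": check_host("192.0.2.25", "bigcorp.example"),
        # Same employee after the org offers SMTP AUTH on its own relay.
        "bigcorp via own relay": check_host("198.51.100.7", "bigcorp.example"),
        # Small domain owner sending through the employer listed via include.
        "vivien via employer": check_host("198.51.100.7", "vivien.example"),
        # Small domain owner sending through a friend's relay: ?all is neutral.
        "vivien via friend relay": check_host("192.0.2.25", "vivien.example"),
    }


if __name__ == "__main__":
    for scenario, result in roaming_scenarios().items():
        print(f"{scenario}: {result}")
```

Under -all the golf-course message is a hard "fail" and the employee has no remedy except what the IT department provides (an authenticated submission path that makes the mail originate from a listed host); under ?all the same message is merely "neutral", which is exactly the trade-off the two posters disagree about.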
