
RE: Electronic Frontier Foundation (EFF) Article On Anti-Spam Technologies Mentions SPF

2004-11-18 16:26:42
-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com 
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of 
jpinkerton
Sent: November 18, 2004 5:34 PM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] Electronic Frontier Foundation 
(EFF) Article On Anti-Spam Technologies Mentions SPF


Surely an organisation which is big enough and sufficiently 
aware to publish SPF records, could easily set up an 
SMTP-AUTH facility for its people. Either that or a simple 
web-based mail system - even *I* have built a simple one of 
those - dead easy.

You appear to be speaking from some experience of this 
problem, but it has to be borne in mind that the problem for 
the world is forged mailfrom:, that being a large amount of spam.

Given that mail nowadays has to *prove* that it is *not* 
spam, I think there are going to be a lot of changes in the 
modus operandi of such organisations as you describe.

If the IT manager is unable to cope with this - maybe he 
needs shouting at ;-)

Web-based mail systems tend to be common, yes (to my great chagrin, as I
happen to loathe such things when there are far more elegant alternatives
like IMAP out there), but again, that doesn't answer one of the issues.
Namely, how do you tell Aunt Mary (in my previous example) that her
POP3-based setup that has let her send mail from home using her work From:
address can't be used anymore? 

I'm not discounting that there is a problem with forged mail from, but I'm
saying that there is also a problem with semi-legitimately forged mail from
that things like SPF can't separate from fully forged mail.

The test for "semi-legitimately forged mail" (okay, so I'm not great at
coming up with names for concepts) should be something like "mail that is
sent by or on direct behalf of the human being entitled to use that From:
address outside of the setting allowed by the domain owner's SPF record".
"Fully forged mail" would be mail sent by someone who knows, or ought to
know, that they have no right to use that address.

As far as SPF is concerned, both my semi-legitimately forged mail and fully
forged mail are viewed in the same way. For Aunt Mary, there's a huge
difference. Same thing with people using the "send <articles/greeting
cards/invitations/etc" features on most "mainstream" (where mainstream means
targeting an audience with significantly different demographics from, say,
this list) web sites. SPF kills those. Is there a solution that lets you
separate the two? Perhaps not, I'll grant you that. Some of these things can
be re-engineered (e.g. greeting card sites can send from
AuntMary+blah-edu(_at_)egreetings(_dot_)com or something, which will look ugly,
but will work) with a certain cost. Others can't unless the domain owner decides
to invest money/resources into officially supporting a scenario that used to
work but was not officially supported (e.g. organization doesn't block port
110 from outside, people set up machines at home to POP3 and send using the
ISP SMTP... that form of semi-legitimately forged mail doesn't require
official support from the IT department, but the deployment of an SMTP AUTH
alternative does).

And yes, I agree with shouting at the IT managers if necessary :) The
problem is, in a large organization, there's going to be a big bureaucracy.
Is the IT manager (who, like most IT managers, probably doesn't have enough
staff and funding) going to allocate money/time/staff to implement SMTP AUTH
because someone at the bottom of the organizational flow chart complained?
Doubtful. So then, basically, the only hope is for the CEO to send
semi-legitimately forged mail and encounter this issue him/herself.

Vivien
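The distinction Vivien draws, as an added example that is not part of the thread: a minimal SPF evaluator (ip4 and all mechanisms only) run over a constructed record, showing that the Aunt-Mary-via-ISP case and the fully forged case come out identically, while submission through the authorized relay (the SMTP AUTH route jpinkerton suggests) passes. The domain, record and IP addresses are constructed sample values, not real ones.

```python
import ipaddress

# Constructed sample data (not a real domain or record): the domain owner
# authorizes only its own mail relays, 192.0.2.0/24, and fails everything else.
SPF_RECORDS = {
    "example-university.edu": "v=spf1 ip4:192.0.2.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(mail_from_domain, sender_ip, records=SPF_RECORDS):
    """Minimal SPF check: supports only the ip4 and all mechanisms.

    A real checker fetches the TXT record over DNS and handles a, mx,
    include, redirect, etc.; the result names are the standard SPF results.
    """
    record = records.get(mail_from_domain)
    if record is None:
        return "none"  # domain publishes no SPF record
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # mechanisms default to the pass qualifier
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech = term.lower()
        if mech.startswith("ip4:"):
            # strict=False tolerates host bits in the prefix (e.g. 192.0.2.25/24)
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "all":
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no 'all' term present


def compare_senders():
    """The thread's three cases: same MAIL FROM domain, different sending hosts."""
    cases = {
        # Aunt Mary submits via SMTP AUTH to the work relay: an authorized IP
        "smtp_auth_via_work_relay": "192.0.2.25",
        # Aunt Mary sends from home through her ISP's SMTP server (semi-legitimate)
        "aunt_mary_via_isp_smtp": "198.51.100.7",
        # someone forging the work address from an unrelated host (fully forged)
        "spammer_forging_mail_from": "203.0.113.9",
    }
    return {name: check_spf("example-university.edu", ip) for name, ip in cases.items()}
```

The last two cases both evaluate to `fail`: the record alone gives the receiver no way to tell them apart, which is why the only SPF-compatible fix is to move Aunt Mary onto the authorized relay.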

