spf-discuss

RE: Electronic Frontier Foundation (EFF) Article On Anti-Spam Technologies Mentions SPF

2004-11-18 16:50:47
On Thu, 18 Nov 2004, Vivien M. wrote:

> As far as SPF is concerned, both my semi-legitimately forged mail and fully
> forged mail are viewed in the same way. For Aunt Mary, there's a huge

Aunt Mary should be using SMTP AUTH - problem solved.  It is already supported
by all major email clients.  Or see below.

> difference. Same thing with people using the "send <articles/greeting
> cards/invitations/etc" features on most "mainstream" (where mainstream means
> targeting an audience with significantly different demographics from, say,
> this list) web sites. SPF kills those. Is there a solution that lets you

Such websites need only provide a correct MAIL FROM - and everything is
fine.  Many of them do.  A simple solution is to use SRS on the user
provided MAIL FROM.  Any bounces go to the web site and are immediately
relayed back to the user.  The hash cookie in SRS prevents abuse of the
relay from being useful to spammers.  (A captured SRS cookie can
be used to annoy one person - but not to reach a wide audience.)
Many of the greeting sites with a clue use SRS with an opaque token 
for the MAIL FROM.

> work but was not officially supported (e.g. organization doesn't block port
> 110 from outside, people set up machines at home to POP3 and send using the
> ISP SMTP... that form of semi-legitimately forged mail doesn't require
> official support from the IT department, but the deployment of an SMTP AUTH
> alternative does).

If the IT department doesn't care about their domain getting forged,
all they have to do is publish "v=spf1 ... ?all" - or else don't publish
anything at all as if they never heard of SPF.  There, that tells the world
they don't care about getting forged, and they won't get blocked by SPF.
Unlike M$s evil opt-out scheme for PRA, SPF is completely opt-in.

Another solution for the IT department that doesn't want to mess with
SMTP AUTH.  My family domain looks like this:

gathman.org text "v=spf1 mx:bmsi.com ?ptr:cox.net ?include:earthlink.net -all"

Some family members are on Cox or Earthlink, and send family mail via their 
ISP.  At least listing the ISPs allows forged spam from only those ISPs.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
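The SRS scheme Stuart describes for greeting-card sites (rewrite the user-supplied MAIL FROM into an address at the web site, relay bounces back, and let a hash cookie limit what a captured address is good for) can be made concrete. The code below is an added example, not code from this post or from any SRS library: it follows the SRS0 address layout from the SRS draft (SRS0=cookie=timestamp=host=local@forwarder) with an HMAC-SHA1 cookie and a two-character base32 day stamp, but simplifies the rules. The secret, the forwarder domain and the "greetings.example" site are all constructed for the example.

```python
import base64
import hashlib
import hmac
import time

# Constructed secret for the example; a real forwarder keeps this private and rotates it.
SRS_SECRET = b"example-forwarder-secret"
FORWARDER = "greetings.example"        # hypothetical greeting-card site
# Base32 alphabet the SRS draft uses for the two-character timestamp.
TS_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
MAX_AGE_DAYS = 21                      # how long a rewritten address keeps accepting bounces


def srs_timestamp(day):
    """Encode a day count (mod 1024) as two base32 characters."""
    return TS_ALPHABET[(day >> 5) & 31] + TS_ALPHABET[day & 31]


def srs_hash(secret, ts, host, local):
    """Four base64 characters of HMAC-SHA1 over the timestamp, host and local part."""
    msg = (ts + host + local).lower().encode()
    return base64.b64encode(hmac.new(secret, msg, hashlib.sha1).digest())[:4].decode()


def srs_forward(sender, forwarder=FORWARDER, secret=SRS_SECRET, day=None):
    """Rewrite the user-supplied sender into an SRS0 address at the forwarder."""
    day = int(time.time() // 86400) if day is None else day
    local, host = sender.rsplit("@", 1)
    ts = srs_timestamp(day)
    return f"SRS0={srs_hash(secret, ts, host, local)}={ts}={host}={local}@{forwarder}"


def srs_reverse(address, secret=SRS_SECRET, day=None, max_age=MAX_AGE_DAYS):
    """Validate a bounce recipient and return the original sender, or raise ValueError."""
    day = int(time.time() // 86400) if day is None else day
    local, _, _domain = address.rpartition("@")
    if not local.upper().startswith("SRS0="):
        raise ValueError("not an SRS0 address")
    parts = local[5:].split("=", 3)       # the original local part may itself contain '='
    if len(parts) != 4:
        raise ValueError("malformed SRS0 address")
    cookie, ts, host, orig_local = parts
    expected = srs_hash(secret, ts, host, orig_local)
    # Case-insensitive compare: intermediate MTAs may fold the address to lower case.
    if not hmac.compare_digest(cookie.lower().encode(), expected.lower().encode()):
        raise ValueError("bad SRS cookie")
    try:
        stamped = (TS_ALPHABET.index(ts[0].upper()) << 5) | TS_ALPHABET.index(ts[1].upper())
    except (ValueError, IndexError):
        raise ValueError("bad timestamp")
    if (day - stamped) % 1024 > max_age:
        raise ValueError("SRS address expired")
    return f"{orig_local}@{host}"


def bounce_destination(address, **kw):
    """Where the site's MTA relays a bounce addressed to `address`; None means drop it."""
    try:
        return srs_reverse(address, **kw)
    except ValueError:
        return None
```

The properties Stuart relies on fall out of the structure: only bounces whose cookie matches the embedded host and local part are relayed, so a spammer who captures one SRS address can only deliver to that one original sender, and only until the day stamp ages out; any attempt to re-point the address at a different victim changes the HMAC input and is dropped.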
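Stuart's gathman.org record mixes a hard "-all" with "?" (neutral) qualifiers on the ISPs his family sends through, and he notes that publishing "?all" or nothing at all means a domain is never blocked by SPF. The evaluator below is an added example (not code from this post or from any SPF implementation) of the check_host procedure from the SPF specification, reduced to the mechanisms in that record plus ip4 and a, run against a constructed DNS table. The earthlink.net record, the host names and the RFC 5737 documentation addresses are all assumptions for the example, not real data.

```python
import ipaddress

# Constructed DNS data for the example (documentation address ranges only).
DNS = {
    "TXT": {
        "gathman.org": "v=spf1 mx:bmsi.com ?ptr:cox.net ?include:earthlink.net -all",
        "earthlink.net": "v=spf1 ip4:203.0.113.0/24 -all",   # assumed, not the real record
        "dontcare.example": "v=spf1 ?all",                     # the "we don't care" record
    },
    "MX": {"bmsi.com": ["mail.bmsi.com"]},
    "A": {
        "mail.bmsi.com": ["192.0.2.10"],
        "ip-198-51-100-7.cox.net": ["198.51.100.7"],
    },
    "PTR": {
        "198.51.100.7": ["ip-198-51-100-7.cox.net"],   # resolves back: validated
        "203.0.113.9": ["dsl-9.earthlink.net"],
        "192.0.2.99": ["mail.cox.net"],                # claims cox.net but never resolves back
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def in_domain(host, domain):
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def check_host(ip, domain, dns=DNS, depth=0):
    """Simplified SPF check_host(): pass/fail/softfail/neutral/none/permerror."""
    if depth > 10:
        return "permerror"            # include recursion guard
    record = dns["TXT"].get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"                 # no record: the domain has opted out of SPF
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"                    # default qualifier is pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        target = arg or domain
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in dns["A"].get(target, [])
        elif mech == "mx":
            matched = any(ip in dns["A"].get(mx, [])
                          for mx in dns["MX"].get(target, []))
        elif mech == "ptr":
            # Validated reverse lookup: the PTR name must resolve back to the client IP.
            matched = any(in_domain(h, target) and ip in dns["A"].get(h, [])
                          for h in dns["PTR"].get(ip, []))
        elif mech == "include":
            matched = check_host(ip, arg, dns, depth + 1) == "pass"
        else:
            return "permerror"        # unknown mechanism (modifiers such as exp= not handled)
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                  # ran off the end of the record with no match
```

Evaluating the record shows the trade-off Stuart accepts: mail from the bmsi.com MX passes, mail from a validated cox.net host or from earthlink.net's published range comes back neutral (the receiver treats it as if no SPF record existed, so family mail gets through but so would spam from those ISPs), and everything else fails. A client whose PTR merely claims to be in cox.net without resolving back gets no credit, because the ptr mechanism only counts validated names.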

