RE: Electronic Frontier Foundation (EFF) Article On Anti-Spam Technologi

--"Vivien M." <vivienm(_at_)dyndns(_dot_)org> wrote:

> > In short, you did precisely what SPF is supposed to prevent:
> > domain spoofing in MAIL FROM (assuming your friend's relay
> > did not rewrite your envelope-from to a 'local' SRS domain).
> > And SPF caught you doing it. Rejoice! This is what you wanted
> > (according to your published policy).
> And, once again, all of the pro-SPF advocates are absolutely ignoring the
> key point here, which I made repeatedly about a year ago and, given that
> it would be easier to convince the nearest brick wall about this than the
> members of this list, I eventually shut up about :)

I don't think people are intentionally misrepresenting SPF or intentionally 
ignoring its limitiations and tradeoffs.  These are hard problems and they 
require creative solutions.  If you feel you have been persecuted or made 
to feel like your concerns are insubstantial, then I apologize on behalf of 
everyone here.

> What you're saying works very well, for a SMALL domain where the person
> needing to 'spoof' controls the SPF record and/or the mail servers listed
> in it. That's great, put ?all, include the other places you may go to
> (e.g. your employer, relatives, educational institutions, whatever) and
> send mail, and go on with life.
>
> The problem comes when you're dealing with large organizations where some
> IT department (or ISP helpdesk) sets a -all policy, and you're too far
> down on the organizational hierarchy to do anything about it. (If you're
> the CEO, you can call up the IT manager and be like "WTF is this SPF crap
> that prevented me from sending email from the golf course?!?!? I WANT IT
> GONE NOW")

I think it's been said before, but such an IT organization would be 
irresponsible and recklessly incompetent.  Not saying that's impossible -- 
of course there are IT organizations that don't do their jobs.  They would 
be guilty of not doing their jobs correctly if they restricted you from 
sending and then didn't give you a way to send stuff that is supported. 
But then I have seen IT departments who won't give you any help with your 
mail program if you aren't running Windows, even if you only have one 
computer on your desk and are required to run Unix for your job.
Thus you enter a cycle of limited choices, people raising a stink, and IT 
reacting to it by making more alternatives available.  Does it excuse bad 
behavior on the part of irresponsible IT departments?  No.  Will it happen 
anyway?  Yes.  Will we eventually solve it and get everything working 
again?  Sure we will.
On the ISP side, the change will be even faster.  They are not a cost 
center and they DO respond to features offered by their competition.  Those 
who support SPF well will go through some initial pain, and then enjoy a 
brief period where they have a feature advantage, lower abuse cost or both.

> Those individuals are constrained to using their email addresses in the
> way that this IT department or ISP wanted their domain to be used. The
> blindly pro-SPF crowd with whom I (and others) argued last year will say
> "Tough luck, you little spoofing SOB, you're using their domain, you play
> by their rules". But there are SO many 'grey' areas where people,
> especially those without the technical background to understand the
> spoofing issues, will be hampered by this:
> - the gazillion "send a <whatever> to your friend" web sites
> - Mr. Crocker's scenario (aka "set up your IMAP account on some random
> machine to send a few msgs and whoever hosts the account doesn't provide
> SMTP AUTH")
> - anybody else without SMTP AUTH accessibility to their domain (e.g.
> people working at home for an organization not providing SMTP AUTH,
> people roaming using a different ISP from theirs that doesn't provide
> SMTP AUTH, etc)

Please understand that nobody here is trying to dismiss your concern as 
unimportant.  There will definitely be cases where people set up SPF 
without providing SMTP AUTH or other mobile/spontaneous sending method.  I 
don't think any SPF supporter is suggesting that they do it, or saying that 
it's all right, but some incompetent IT folks and perhaps one or two ISPs 
will probably do it.  They will suffer a backlash as people demand their 
SMTP AUTH or removal of the SPF record, or get their own domains or 
whatever.

> Those are things that work today, and those are things that the average
> people on the street (aka, the people on whom at least some people on this
> list depend for their paycheck) expect to continue working. They won't
> understand that the greeting card from Aunt Mary who works at blah.edu
> can't be showing up as being from AuntMary(_at_)blah(_dot_)edu anymore (if 
> you're
> doing RFC 2822 checking) because there's a bigger spoofing problem to be
> solved. Etc.
>
> Yet, everybody on this list who will defend SPF to the death continues to
> dismiss this as "they're spoofing and need to change their ways. The SPF
> train must go on". It's not that simple in the real world, especially if
> you're a third party. (E.g. you helped Aunt Mary use her blah.edu email
> from home using joeisp.net years ago, and now blah.edu publishes -all and
> Aunt Mary yells at you when her email becomes broken. What do you tell
> her if blah.edu doesn't provide an off-campus SMTP AUTH service and Aunt
> Mary isn't high ranking enough to make the IT dept set one up?)

If I disagree with you as to the scale of the problem, don't assume I am 
dismissing you.  It's really easy to disagree over matters of scale, 
especially when broad, non-specific terms or even generalizations are used. 
I think what you are suggesting as the worst-case scenario will probably 
happen here and there but will not be enough to drive people away from SPF 
in any meaningful numbers.
In other words, people implementing SPF badly and causing problems for 
others is not only possible, I believe it's unavoidable.  We should ALL do 
our best to provide good training and good common-sense for others wanting 
to implement SPF and not screw it up.
What we should NOT do is give up on SPF and tell everybody "It's Hopeless". 
It sounds like that is what you are suggesting... or am I misunderstanding 
you?
Do you have an alternative idea, other than "SPF is fundamentally flawed 
and we should drop it"?  Something constructive perhaps?  If I read you 
right, you are complaining that everyone supporting SPF has dismissed your 
concern as unimportant.  Yet, ironically, you are doing exactly what you 
don't want others to do -- you are dismissing SPF itself as fundamentally 
flawed, and there's no help for it, and anyone supporting SPF is a 
crackpot/extremist.  It's actually kind of funny when you think about it.

Be well,
gregc
--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>