spf-discuss

Comments on MAAWG Whitepaper released Nov 18

2004-11-19 10:30:56
-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of Meng 
Weng Wong
Sent: Thursday, November 18, 2004 7:43 PM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: [spf-discuss] MAAWG Whitepaper released Nov 18


The Messaging Anti-Abuse Working Group http://www.maawg.org/
recently appointed me and a number of other people Senior
Technical Advisors.

After I accepted the position, they promptly told me to go
write a whitepaper.  So over the past few weeks I've been
working on a document to help explain sender authentication
stuff to the technical community who haven't been following
MARID closely.

I've been giving out advance copies over the last little
while but now I think it's ready to be shared with the SPF
community at large.

The document will continue to evolve over the next few
weeks, so comments and suggestions are welcome.  When you
write, please indicate what date is on the document, in the
same way bug reports say what version of software you're
running.

 http://spf.pobox.com/whitepaper.pdf

It's best read on paper, so print it.  And please feel free
to hand it out to any sysadmins you know.

cheers

Comment on Page 9:

The paper says, "SPF features a 'best-guess' technology which basically
says:..."

IIRC, this "feature" is not mentioned in any of the potentially current SPF
classic specs.  I know it exists in the reference implementation, but if
it's not in the spec, then it probably shouldn't be mentioned as a feature.

Also from page 9:

"The author recommends that mua software implement Sender ID with pra
checking."

Does this mean that the author recommends that MUA software should not be
GPLed?

Still page 9:

"Sendmail has released experimental milters for Sender-ID that check both
the MAIL FROM (SPF Classic) and the PRA. Other commercial MTA vendors have
done the same. In the opensource MTA segment, however, SPF Classic is more
widely supported than PRA at this time."

This gives the false impression that SPF classic isn't implemented in
commercial MTAs.  I don't believe that there are any MTAs (commercial or
open source) that implement PRA that don't also implement SPF.  Also, it
should probably be made clear that it was Sendmail, Inc. that released the
milter for PRA and not sendmail.org.

Recommend you change this to:

"Sendmail, Inc. has released experimental milters for Sender-ID that check
both the MAIL FROM (SPF Classic) and the PRA. Other commercial MTA vendors
have done the same. However, SPF Classic is more widely supported than PRA
at this time."

Page 17:

"ISPs should consider requiring user-submitted return-paths to match the
smtp auth username: this prevents cross-customer forgery and limits damage
to the affected user."

I would hope we could be more sophisticated than this.  Could we instead
have something like:

"ISPs should require user-submitted return-paths to be identities authorized
for that user.  This could be accomplished by requiring the return-path to
match the smtp auth username or through other ISP specific processes for
authorized external entities: this prevents cross-customer forgery and
limits damage to the affected user."

Scott Kitterman
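As an added illustration (not code from the post or from the whitepaper), this is one way an ISP's submission server could apply the page 17 rule as Scott phrases it: accept a user-submitted return-path if it matches the SMTP AUTH username at the ISP's domain, or if it is otherwise listed as an identity authorized for that user. The authorization table, domain and usernames are constructed assumptions.

```python
# Constructed sample of an ISP's authorization table (an assumption, not from
# the post): each SMTP AUTH username maps to the return-path identities it may
# use. An entry beginning with "@" authorizes every address in that domain,
# which covers the "other ISP specific processes for authorized external
# entities" case (e.g. a customer who also sends for a domain they own).
AUTHORIZED_IDENTITIES = {
    "alice": {"alice@example.net", "@alice-shop.example"},
    "bob": {"bob@example.net"},
}

# The ISP's own mailbox domain (constructed).
ISP_DOMAIN = "example.net"


def normalize(address: str) -> str:
    """Strip angle brackets and whitespace, lower-case for comparison."""
    return address.strip().strip("<>").strip().lower()


def return_path_allowed(auth_user: str, mail_from: str) -> bool:
    """Decide whether an authenticated submission may use this MAIL FROM.

    Rule 1 (the whitepaper's baseline): the return-path is exactly
    <auth username>@<ISP domain>.
    Rule 2 (the extension proposed above): the return-path is listed as an
    identity authorized for that user, either exactly or as a whole domain.
    Anything else is refused, which is what stops one customer from putting
    another customer's address in the return-path.
    """
    addr = normalize(mail_from)
    if "@" not in addr:
        # Empty or malformed return-path: not an identity we can authorize.
        return False
    local, domain = addr.rsplit("@", 1)
    if local == auth_user.lower() and domain == ISP_DOMAIN:
        return True
    allowed = AUTHORIZED_IDENTITIES.get(auth_user.lower(), set())
    return addr in allowed or ("@" + domain) in allowed
```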