spf-discuss

RE: Electronic Frontier Foundation (EFF) Article On Anti-Spam Technologies Mentions SPF

2004-11-19 11:10:46
-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com 
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of Guy
Sent: November 19, 2004 3:59 AM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: RE: [spf-discuss] Electronic Frontier Foundation 
(EFF) Article On Anti-Spam Technologies Mentions SPF


I think you just refuse to understand.

I could say the same about you, but let's stay away from those types of
comments for now.  :)

The domain owner is setting the policy.  Your domain will not 
allow you to do what you want to do.  It is not your option.  
Who owns the domain?  Who "authorized" you?  The only way to 
"authorize" you is to fix the spf records.  Only the domain 
owner can do that.  And the domain owner is smart enough to 
NOT allow you to do that.  So, they did good.

That, right there, is the issue.

Dave, myself, and others (including, we speculate, most of the general
public out there) are defining 'authorized' as 'giving <some person> an
email account at <some domain>'. Thus, if I have a vivienm(_at_)somedomain(_dot_)net
address, I am implicitly authorized to use that address by that definition.
Given current technology, everybody else can pretty much use it too, but
hey...

Most others (including the SPF rationale, obviously) are defining authorized
as 'saying that <some IP> has been approved to send mail for <some domain>'.

For some scenarios, those two definitions produce the same result. For some
other scenarios (off-network/roaming users, "send a <whatever> to your
friends", etc.), they don't. Basically, if the human being who was given
username(_at_)domain(_dot_)net is trying to send mail from an IP other than that
authorized by domain.net, they're in the grey area. They FEEL authorized
("hey, I have a piece of paper from domain.net saying username(_at_)domain(_dot_)net is
me, so what do you mean I'm not authorized?"), but your technological
authorization mechanism says they're forgers.

The question then becomes: how do you tell somebody who feels they are
authorized using the first definition that they can't do what they want
because of a technology using the second definition? And if that somebody is
your boss, how do you convince them NOT to order you to remove your SPF
deployment?

Vivien
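
The two definitions of "authorized" contrasted in the message above, side by side, as an added example that is not part of the original post. The SPF record, the mailbox list and the IP addresses are constructed, and the evaluator is a simplification that handles only the `ip4`, `ip6` and `all` mechanisms.

```python
import ipaddress

# Constructed data (not from the thread): a published SPF policy and a mailbox list.
SPF_RECORDS = {"domain.net": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"}
MAILBOXES = {"username@domain.net"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def has_mailbox(sender):
    """Definition 1: the person was issued this address by the domain."""
    return sender.lower() in MAILBOXES


def spf_result(sender, client_ip):
    """Definition 2: the connecting IP is approved by the domain's SPF record.

    Handles only ip4, ip6 and all; other mechanisms are skipped (simplification).
    """
    domain = sender.rsplit("@", 1)[-1].lower()
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched


def compare(sender, client_ip):
    """Return (holds mailbox?, SPF result) so the two definitions sit side by side."""
    return has_mailbox(sender), spf_result(sender, client_ip)


if __name__ == "__main__":
    print(compare("username@domain.net", "192.0.2.25"))    # sent via domain.net's relay
    print(compare("username@domain.net", "198.51.100.7"))  # same person, roaming
    print(compare("stranger@domain.net", "192.0.2.25"))    # no mailbox, approved IP
```

The second call is the grey area the message describes: the mailbox holder is authorized under the first definition and fails under the second.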

