spf-discuss
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Sendmail white paper

2004-11-22 12:03:21
from [Stephen Pollei] [Permanent Link] 
On Mon, 2004-11-22 at 05:23, David Woodhouse wrote:

"vouching" is a laden term. SPF vouches for nothing, except that a message
with an SPF "pass" is authorized to come from the connecting IP address.
It is not an endorsement of content.


The only way SPF is actually useful in the real world is if it's
accompanied by some kind of reputation system so that people can know
that mail from 'alwaysspams.com' is bad and mail from 'neverspams.com'
is good. Vouching for mail is precisely what you're doing.

Well I don't know if it's the only way it's useful. SPF by itself is
only suppose to be anti-forge not anti-spam or anti-phish; correct?
I do think that mailing lists are a focal point, and a good place to
maybe start deploying some of these other things as well.

Towards this end, I've been thinking about how you might be able to mix
spf/srs,  http://hashcash.org/, http://www.doaml.net/ , and
http://sourceforge.net/projects/gossip-project/ into
http://sourceforge.net/projects/mailman .

I think that if a mailing list checked for spf, valid hashcash, and a
decent reputation; then it could feel fairly OK about vouching for an
email it forwards automatically. Also if a MUA used doaml and knew it
was subscribed to a list it could be more forgiving to that list if it
accidentally let one slip, every once in awhile. 




All forwards are inherently risky, as you are 'relaying' mail which did
not originate from you.

Yes so you should try as hard as you can to mitigate those risks.


Compare and contrast with a real end-to-end system where the 'vouching'
is done by the original sender and remains intact through multiple hops.

I think the end-recipient's MUA is going to have to be more aware of
mailing lists and other forwarders anyway.

-- 
http://dmoz.org/profiles/pollei.html
http://sourceforge.net/users/stephen_pollei/
http://www.orkut.com/Profile.aspx?uid=2455954990164098214
http://stephen_pollei.home.comcast.net/
GPG Key fingerprint = EF6F 1486 EC27 B5E7 E6E1  3C01 910F 6BB5 4A7D 9677

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
http://www.InboxEvent.com/?s=d --- Inbox Event Nov 17-19 in Atlanta features 
SPF and Sender ID.
To unsubscribe, change your address, or temporarily deactivate your 
subscription, 
please go to 
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com

Attachment: signature.asc
Description: This is a digitally signed message part

[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Electronic Frontier Foundation (EFF) Article On Anti-Spam Technologies Mentions SPF, Michael Hammer
Next by Date:  RE: Sendmail white paper, Mark
Previous by Thread:  RE: Sendmail white paper, David Woodhouse
Next by Thread:  RE: Sendmail white paper, Mark
Indexes:  [Date] [Thread] [Top] [All Lists]