spf-discuss

Re: Sendmail white paper

2004-11-23 10:39:29
On Tue, 2004-11-23 at 11:08 -0600, wayne wrote:
> If you are sending email to someone you have 'volunteered' without
> their consent, that would be called "spam" by most people.  If you
> have their consent, then the receiver has established the forwarding
> relationship, even if they aren't the ones flipping the bits.

'most people' perhaps -- but obviously I'd only do it if I expect that
the recipient wouldn't object. It'd need to be someone who already had
the password (and whom I trusted with said password) of course.

It's like replying in public to a private mail. You don't generally do
it but occasionally it makes sense and you do it _IF_ you think the
other party won't mind.

But whether the _user_ consents to the request "do you mind moderating
the lists while I'm away?" or not, that has very little to do with the
admins at their ISP.

> CSV doesn't do what SPF does.  ABBS/SES/BATV with call backs can, but
> call backs are more expensive than SPF checks.  SES, used in
> conjunction with SPF records and the exists: mechanism looks
> promising, but then, that's still using SPF.

SES also works without SPF. With SMTP callbacks, and there are other
less heavyweight lookup mechanisms being worked on. One of which is in
DNS so as to be compatible with SPF 'exists:'. Using SPF purely as an
optimisation, to avoid the check if it's coming directly from a host
which is actually operated and entirely controlled and trusted by the
domain owner, is indeed a cute idea. But it's just an optimisation.

Because of SRS, in practice CSV _does_ do what SPF does. When any
machine can pretend to have done SRS, and send you a mail from
SRS0+x+y+whitehouse.gov+dubya@theirdomain.com, you have to realise that
SPF doesn't actually give you end-to-end protection of email addresses;
it only really lets you make a decision about how much you trust the
individual mail server which gave you the mail. It's a hop-by-hop method
just as CSV is. It's just that CSV is up-front about it, and you
actually have to understand it all fully to realise that SPF is just the
same.

Obviously you can look at the headers if you have a modicum of clue, and
realise that the above probably wasn't _actually_ sent by
dubya@whitehouse.gov. But by the time you're looking at the headers it's
too late -- and there's plenty of other information in there which will
lead you to the same conclusion.

-- 
dwmw2

