On Tue, Dec 07, 2004 at 10:40:31AM +0000, David Woodhouse wrote:
Why not? There are plenty of alternatives to SPF which don't have this
problem with forwarding, and which offer all the same benefits as SPF,
but without the need to change forwarding practice.
I mail you, you forward to you2, you2 forward to you3. You3 tries
to forward to you4 but fails. You3 will sent the bounce to me.
Why? Because you2 forged my address. I did WRITE the message but
I did not SEND it (from you2 to you3).
I already explained that I do not expect nor want a bounce from
you3. I may not even be able to communicate (for _whatever_ reason)
with you3.
Forwarding with spoofed addresses is broken, not SPF.
Why _can't_ the SPF position on forwarding just be "don't do it"?
It should (IMHO) be: "Don't do it the wrong way".
And IMHO there should be a statement "Forging addresses when forwarding
email is no longer an option. Some forwarders will have to change the
way they operate; this is outside the scope of SPF."
If you want to forward the message: Fine. No objection whatsoever.
Just don't forge addresses.
SPF does not want to change the way THE world works. SPF want to
change the habit of forging addresses and is indiscriminate to the
reason of this forgery. If this means that SPF is changing the
way YOUR world works, so be it.
Yes, I expect SPF to stop forgery. I don't care if this forgery
is due to SOBIG, Joe A. Spammer or David Woodhouse. Three quite
different reasons to do the same thing: forging addresses.
Alex