spf-discuss

RE: Re: RFC 2821 and responsibility for forwarding

2004-12-07 10:46:02
-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com [mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of David Woodhouse
Sent: Tuesday, December 07, 2004 4:56 AM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: RE: [spf-discuss] Re: RFC 2821 and responsibility for forwarding


> On Mon, 2004-12-06 at 12:57 -0500, terry(_at_)ashtonwoodshomes(_dot_)com wrote:
>> The problem is, how do you distinguish an email that was
>> *actually* forwarded from one that is *pretended* to be
>> forwarded (by fake headers generated by the spammer's MTA).
>
> You can't. But this is already the case with SPF and SRS. I can
> generate a mail with a reverse-path something like:
>
>     SRS0=xx=yy=ashtonwoodshomes(_dot_)com=terry(_at_)srs(_dot_)infradead(_dot_)org
>
> The recipient's ISP can't distinguish that fake from a genuine mail
> which was really forwarded, in the general case. All they can do is
> look up 'srs.infradead.org' in the reputation database.

Forget about SRS, there are some serious problems with it: even Meng has
admitted to such.

Please refute the argument with the more recent and seemingly better SES
solution. Anyone can argue that an old solution is bad, but truly one needs
to argue against the most recent version of the solution.

>> Umm, I think this is watering down SPF too much,
>
> Well yes, but it's _already_ that watered down. It's _already_ no more
> useful than CSV, when you actually stop for a moment to consider the
> situation holistically.

I have considered it holistically, you're simply wrong. CSV only does HELO
checking. SPF does Mail-From checking, with optional HELO checking.

If SPF only did HELO checking, it would be no better than CSV. But it also
does Mail-From, and for domains where that is possible it is definitely
better (SES implemented and/or SRS on forwarders where forwarding allowed).

Anyway, SPF is easier to deploy than CSV, and is more deployed than CSV. That
*alone*, if one just considered using the HELO checking of SPF, makes SPF more
useful than CSV.

Now please stop bashing products (SPF or CSV or whatever) and try to be
constructive with your criticism (or at least show all the facts): Your
responses keep looking like sales pitches that one has to read between the
lines to see what is really going on.

Terry Fielder
Manager Software Development and Deployment
Great Gulf Homes / Ashton Woods Homes
terry(_at_)greatgulfhomes(_dot_)com
Fax: (416) 441-9085



--
dwmw2
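
The point made in the quoted message (a receiver cannot tell a forged SRS0 reverse-path from a genuine one and can only look up the forwarder domain's reputation), as an added example that is not part of the original thread. The tag construction is a simplified assumption rather than the reference SRS implementation, and the addresses, secret and timestamp are constructed.

```python
import base64
import hashlib
import hmac

# Simplified SRS0-style scheme (assumption; not the reference SRS code).
# Layout: SRS0=<tag>=<ts>=<orig-domain>=<orig-local>@<forwarder>
def parse_srs0(address):
    """Return the SRS0 fields of a reverse-path, or None if not SRS0."""
    local, sep, forwarder = address.rpartition("@")
    if not sep or not local.upper().startswith("SRS0="):
        return None
    parts = local[5:].split("=", 3)
    if len(parts) != 4 or not all(parts):
        return None
    tag, ts, domain, orig_local = parts
    return {"tag": tag, "ts": ts, "domain": domain,
            "local": orig_local, "forwarder": forwarder.lower()}

def srs_tag(secret, ts, domain, local):
    """Keyed tag over the rewritten fields; only the forwarder holds `secret`."""
    msg = "=".join([ts, domain, local]).lower().encode()
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    return base64.b64encode(digest).decode()[:4]

def make_srs0(secret, ts, sender, forwarder):
    """Rewrite `sender` the way a forwarder holding `secret` would."""
    local, _, domain = sender.rpartition("@")
    return f"SRS0={srs_tag(secret, ts, domain, local)}={ts}={domain}={local}@{forwarder}"

def forwarder_accepts(secret, address):
    """Check only the forwarder can do, e.g. when a bounce comes back."""
    f = parse_srs0(address)
    if f is None:
        return False
    expected = srs_tag(secret, f["ts"], f["domain"], f["local"])
    return hmac.compare_digest(f["tag"].encode(), expected.encode())

def receiver_view(address):
    """All a third-party receiver learns without the secret."""
    f = parse_srs0(address)
    return None if f is None else {"srs0": True, "reputation_key": f["forwarder"]}

# Constructed sample values, not taken from real mail.
SECRET = b"forwarder-only-secret"
GENUINE = make_srs0(SECRET, "AB", "alice@example.com", "srs.forwarder.example")
FORGED = "SRS0=xx=AB=example.com=alice@srs.forwarder.example"

if __name__ == "__main__":
    for addr in (GENUINE, FORGED):
        print(addr, receiver_view(addr), forwarder_accepts(SECRET, addr))
```

Both addresses give the receiver the same result, the forwarder's domain as a reputation key, while only the holder of the secret can reject the forged tag.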
