spf-discuss

RE: Abusing SPF record for PRA testing

2004-12-12 09:47:28
If the SPF council starts sending out idiotic messages like this then it is
finished. There is no legal or moral authority behind the demand.

The objective here is to stop spam. The world does not care about your
piffling and irrelevant vendetta against Microsoft.

The Apache lawyer who objected to the Sender-Id license agreed to the exact
same term in the W3C patent negotiations, he seems to have decided to use
MARID and the IETF as an opportunity to reopen the debate in the IETF and go
for more.

It's not just engineers who get wedged on their own pet projects. 




-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com 
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of 
terry(_at_)ashtonwoodshomes(_dot_)com
Sent: Sunday, December 12, 2004 11:38 AM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: RE: [spf-discuss] Abusing SPF record for PRA testing


Perhaps a representative from the SPF council should contact 
postmaster(_at_)algoritmnt(_dot_)ru indicating that PRA interpreting SPF 
records is unacceptable, with the illustration of this 
particular failure as being why.

A proposed response that the SPF council rep could use follows:

To Whom It May Concern

We have been made aware that you are using PRA to reject 
email.  This in itself is reasonable if the PRA technology is 
suitable for you, however, PRA should only use PRA records.  
PRA should *not* be set to read SPF records and apply the PRA 
algorithm, as the method of PRA and SPF are different and 
require different sender records in many cases.

For example, an email was sent to your domain and your server 
responded by saying "550 5.7.0 Caller-ID for the message does 
not match" because the "From:" domain was not the sender's 
domain and the domain owner publishes ~all. This was a false 
positive as the email was not forged <<<perhaps more details 
on what it was could be put here>>>

The domain owner's published SPF policy is applicable to and 
should only be used against RFC 2821 Mail-From header (which 
is what SPF does).  The domain owner's published SPF policy is 
NOT applicable to nor should be used against RFC 2822 from 
headers (which is what PRA does).

Please set your PRA implementation to interpret PRA against 
PRA records only in order to prevent future false positives 
and incorrect email rejection.

You may also be well advised to implement SPF checks to 
maximize protection, since SPF has a much larger 
deployment/published base than PRA and will offer better 
protection from forgery in the foreseeable future.


Terry Fielder
Manager Software Development and Deployment
Great Gulf Homes / Ashton Woods Homes
terry(_at_)greatgulfhomes(_dot_)com
Fax: (416) 441-9085


-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com 
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of 
Roger Moser
Sent: Sunday, December 12, 2004 7:13 AM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: [spf-discuss] Abusing SPF record for PRA testing


Just for your information:

mail.algoritmnt.ru abuses the SPF record to test the PRA and rejected
a mail from my server by saying "550 5.7.0 Caller-ID for the message
does not match" because the "From:" domain was not my domain and the
domain owner publishes "~all". Only after I added a Sender header with
my domain, it has been accepted.

Roger

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Read the whitepaper!  http://spf.pobox.com/whitepaper.pdf
To unsubscribe, change your address, or temporarily deactivate your 
subscription, please go to
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
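
Added example, not part of any message in this thread: a Python sketch of the mismatch reported above, where a receiver evaluates an SPF record against the PRA (a header identity) instead of the envelope MAIL FROM. PRA selection is simplified here to header precedence only; the domains, IPs, record contents and the assumption that the envelope sender was in the relaying server's own domain are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-ins for published SPF records:
# domain -> (authorized client IPs, result given by the trailing "all" mechanism)
RECORDS = {
    "relay.example":  ({"192.0.2.10"}, "fail"),        # v=spf1 ip4:192.0.2.10 -all
    "author.example": ({"198.51.100.5"}, "softfail"),  # v=spf1 ip4:198.51.100.5 ~all
}

def domain_of(address):
    """Return the lower-cased domain part of a mailbox string."""
    return parseaddr(address)[1].rpartition("@")[2].lower()

def evaluate(domain, client_ip):
    """Toy record evaluation: ip4 mechanisms plus the final 'all' result."""
    if domain not in RECORDS:
        return "none"
    allowed, default = RECORDS[domain]
    return "pass" if client_ip in allowed else default

def spf_identity(mail_from):
    """SPF checks the envelope sender (SMTP MAIL FROM), not a header."""
    return domain_of(mail_from)

def pra_identity(msg):
    """Simplified PRA: first header present, in precedence order."""
    for name in ("Resent-Sender", "Resent-From", "Sender", "From"):
        if msg[name]:
            return domain_of(msg[name])
    return None

def compare(raw_message, mail_from, client_ip):
    """Evaluate the same records against both identities."""
    msg = message_from_string(raw_message)
    return {
        "spf": evaluate(spf_identity(mail_from), client_ip),
        "pra_on_spf_record": evaluate(pra_identity(msg), client_ip),
    }

# Constructed messages: relay.example sends mail whose From: is author.example.
ORIGINAL = "From: Author <a@author.example>\nTo: u@rcpt.example\nSubject: t\n\nbody\n"
WITH_SENDER = "Sender: relay@relay.example\n" + ORIGINAL

if __name__ == "__main__":
    for label, raw in (("original", ORIGINAL), ("with Sender", WITH_SENDER)):
        print(label, compare(raw, "bounce@relay.example", "192.0.2.10"))
```

The first message passes SPF on the envelope sender but yields softfail when the From: domain's "~all" record is applied to the PRA; with the Sender header added, both checks land on relay.example and pass.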

