spf-discuss
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Should I include major ISPs in SPF for our hosted domains?

2005-01-07 05:03:34
from [Nico Kadel-Garcia] [Permanent Link]
----- Original Message ----- From: "Hector Santos" <winserver(_dot_)support(_at_)winserver(_dot_)com> 
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Friday, January 07, 2005 6:03 AM
Subject: Re: [spf-discuss] Should I include major ISPs in SPF for our hosted domains? 




----- Original Message -----
From: "Julian Mehnle" <bulk(_at_)mehnle(_dot_)net>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Thursday, January 06, 2005 9:10 PM
Subject: RE: [spf-discuss] Should I include major ISPs in SPF for our hosted 
domains?



I meant:
1. Notice the SMTP-AUTH identity. See if MAIL FROM matches the SMTP-AUTH 
    identity.  If not, reject the MAIL FROM.
2. Notice the SMTP-AUTH identity. See if MAIL FROM matches the SMTP-AUTH 
    identity.  If not, simply override MAIL FROM with an e-mail address
    that is appropriate for the SMTP-AUTH identity.

Thanks for correcting me.


Allow me to correct you again! :-)
Once an SMTP AUTH session is established, everthing else is MUTE! SPF does 
not apply.
Yes, it does, because a SOFTFAIL, or for sites that merely SPF publish but don't block messages, a REJECT message, is now available for other more complex mailfilters to operate upon. This is especially true in testing setups, where you're gathering SPF statistics rather than simply turning it on abruptly and wholesale. 


SPF should augment the existing system by helping in filling in the holes
for Anonymous SMTP Transactions.  An SMTP AUTH session is not anonymous.
No. Lack of anonymity is not the point, forgery is. Whether the user has authorized the message doesn't mean their *domain* permits that message.
And you'd better believe that the next crop of email worms will take advantage of the locally stored user authentication to submit their spew into the user's own upstream SMTP sites, some of them already have. 


The SPFC (SPF Council) should not take on issues that are already part of
the system to establish credentials.   What you propose takes away from
backward compatibility, hence adds a greater barrier to adoption.   In
addition, the SMTP AUTH concept is highly backend dependent.
Well, true about backend dependencies, but it's not fair to say "except for SMTP AUTH messages". It adds a nasty layer of complexity in the SPF filtering that's not necessary.
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Should I include major ISPs in SPF for our hosted domains?, Hector Santos
Next by Date:  RE: Should I include major ISPs in SPF for our hosted domains?, Julian Mehnle
Previous by Thread:  Re: Should I include major ISPs in SPF for our hosted domains?, Hector Santos
Next by Thread:  RE: Should I include major ISPs in SPF for our hosted domains?, Julian Mehnle
Indexes:  [Date] [Thread] [Top] [All Lists]