----- Original Message -----
From: "Hector Santos" <winserver(_dot_)support(_at_)winserver(_dot_)com>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Friday, January 07, 2005 6:03 AM
Subject: Re: [spf-discuss] Should I include major ISPs in SPF for our hosted
domains?
----- Original Message -----
From: "Julian Mehnle" <bulk(_at_)mehnle(_dot_)net>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Thursday, January 06, 2005 9:10 PM
Subject: RE: [spf-discuss] Should I include major ISPs in SPF for our
hosted
domains?
I meant:
1. Notice the SMTP-AUTH identity. See if MAIL FROM matches the
SMTP-AUTH
identity. If not, reject the MAIL FROM.
2. Notice the SMTP-AUTH identity. See if MAIL FROM matches the
SMTP-AUTH
identity. If not, simply override MAIL FROM with an e-mail address
that is appropriate for the SMTP-AUTH identity.
Thanks for correcting me.
Allow me to correct you again! :-)
Once an SMTP AUTH session is established, everthing else is MUTE! SPF
does
not apply.
Yes, it does, because a SOFTFAIL, or for sites that merely SPF publish but
don't block messages, a REJECT message, is now available for other more
complex mailfilters to operate upon. This is especially true in testing
setups, where you're gathering SPF statistics rather than simply turning it
on abruptly and wholesale.
SPF should augment the existing system by helping in filling in the holes
for Anonymous SMTP Transactions. An SMTP AUTH session is not anonymous.
No. Lack of anonymity is not the point, forgery is. Whether the user has
authorized the message doesn't mean their *domain* permits that message.
And you'd better believe that the next crop of email worms will take
advantage of the locally stored user authentication to submit their spew
into the user's own upstream SMTP sites, some of them already have.
The SPFC (SPF Council) should not take on issues that are already part of
the system to establish credentials. What you propose takes away from
backward compatibility, hence adds a greater barrier to adoption. In
addition, the SMTP AUTH concept is highly backend dependent.
Well, true about backend dependencies, but it's not fair to say "except for
SMTP AUTH messages". It adds a nasty layer of complexity in the SPF
filtering that's not necessary.