----- Original Message -----
From: "Julian Mehnle" <bulk(_at_)mehnle(_dot_)net>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Friday, January 07, 2005 7:51 AM
Subject: RE: [spf-discuss] Should I include major ISPs in SPF for our hosted domains?
Nico Kadel-Garcia [nkadel(_at_)comcast(_dot_)net] wrote:
And you'd better believe that the next crop of email worms will take
advantage of the locally stored user authentication to submit their spew
into the user's own upstream SMTP sites; some of them already have.
Well, that we will never be able to prevent, except with per-user
message cryptography, with the user having to enter his password/passphrase
when signing and sending messages.
But once it's active per login, or you have an automatic user signature
technique, the worms can and will use it to authenticate themselves
outgoing. And correct me if I'm wrong, but what you're describing is that
SMTP AUTH should prevent SPF message rejection, allowing any user or machine
with an "authentic" account to forge anything through their authenticated
upstream site, unless the upstream site uses things to prevent this, like,
oh, say, I dunno. SPF?
This failure to perform SPF checks after some digital authentication is
exactly why I think SenderID and similar approaches are mistaken, and
SenderID should not give an automatic SPF pass. *IF* it passes SPF, then
SenderID or other authentication techniques can apply, but SPF badly needs
to be first to keep a throttle on the email worms and spam and phishing
forgeries.
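The policy argued for above, that an authenticated submission should still be subject to an SPF check rather than getting a free pass, can be made concrete at the submission server: before relaying, check whether the envelope sender's domain publishes an SPF record that authorizes this relay's own outbound address. The following is an added example, not code from the thread or from any SPF implementation; it uses a constructed in-memory DNS table instead of real lookups, a made-up relay address 192.0.2.25, and a deliberately minimal evaluator (ip4, a, mx, include, all; no macros, no exp, no PTR) that is an assumption of this example rather than a full RFC 4408 implementation.

```python
import ipaddress

# Constructed DNS data standing in for real lookups (assumption: a tiny
# in-memory resolver; a production check would query DNS, e.g. via dnspython).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 mx -all",     # this ISP's own domain
    "bank.example": "v=spf1 ip4:198.51.100.10 -all",      # some other organisation
    "shop.example": "v=spf1 include:example.com ~all",    # outsources mail to the ISP
    "nospf.example": None,                                # publishes no SPF record
}
DNS_MX = {"example.com": ["mail.example.com"]}
DNS_A = {"mail.example.com": ["192.0.2.25"]}

RELAY_OUTBOUND_IP = "192.0.2.25"  # constructed: the ISP's outgoing MTA address

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, ip, depth=0):
    """Evaluate the SPF record of `domain` for sending address `ip`.

    Returns one of pass/fail/softfail/neutral/none/permerror. This is a
    reduced evaluator (ip4, a, mx, include, all only) written for this
    example, not a complete SPF implementation.
    """
    if depth > 10:                      # guard against include: loops
        return "permerror"
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(addr) in DNS_A.get(arg or domain, [])
        elif name == "mx":
            matched = any(str(addr) in DNS_A.get(mx, [])
                          for mx in DNS_MX.get(arg or domain, []))
        elif name == "include":
            # A reduced include: only a "pass" of the included record matches.
            matched = evaluate_spf(arg, str(addr), depth + 1) == "pass"
        else:
            return "permerror"          # unknown mechanism
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                    # no mechanism matched, no "all" present


def submission_policy(authenticated_user, mail_from, relay_ip=RELAY_OUTBOUND_IP):
    """Decide whether the relay accepts an authenticated submission.

    SMTP AUTH alone is not treated as sufficient: the envelope sender's
    domain must not forbid this relay's outbound address in its SPF record.
    A worm using stolen credentials to send "from" a domain that never
    authorised this ISP is refused here instead of being relayed onward.
    """
    if authenticated_user is None:
        return "reject: authentication required"
    domain = mail_from.rpartition("@")[2].lower()
    result = evaluate_spf(domain, relay_ip)
    if result in ("pass", "none", "neutral"):
        return "accept"
    return f"reject: SPF {result} for {domain} from relay {relay_ip}"


if __name__ == "__main__":
    for user, sender in [("alice", "alice@example.com"),
                         ("alice", "ceo@bank.example"),
                         ("alice", "orders@shop.example"),
                         ("alice", "anyone@nospf.example"),
                         (None, "alice@example.com")]:
        print(f"{user!s:6} {sender:24} -> {submission_policy(user, sender)}")
```

The policy accepts "none" and "neutral" because a domain without a record cannot be checked; a stricter site could reject those for authenticated users and require each account to be tied to a list of domains it may send for, which is the per-user counterpart of this per-domain check.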