Hector Santos wrote:
----- Original Message -----
From: "Radu Hociung" <radu(_at_)ohmi(_dot_)org>
Newsgroups: spf.-.sender.policy.framework.discussion
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Monday, March 28, 2005 1:02 PM
Subject: Re: [spf-discuss] Modifications to SPF for Mask function
Why do you make the assumption that anyone who checks PRA will also
check SPF?
Because it's only reasonable that SPF be used to reject the obvious
(forged) SPAM before DATA, and the non-envelope-forged phishing attacks
after DATA. I see no value in accepting a forged envelope, just to do
header checks on the forgery.
Perhaps I don't understand spf2/pra/mfrom/etc well enough. I thought it
depends on SPF, but not that it replaces it.
You are correct, and I admire your persistence on the matter.
But here lie the philosophical conflicts between Developers and
Administrators you will realize (if not already) soon enough. The industry
is literally confused on where these email authentication solutions should
take place.
A dynamic vs. Post SMTP solution? or Both?
For most SMTP developers, the solution is more obvious - at SMTP.
Not for the administrators whose most probable control comes with post SMTP
scripts, sieve, perl or otherwise.
Over 60-80% of all transactions are problematic - it shouldn't take much to
realize that stronger SMTP transaction management is the name of the game.
There is still a responsibility when transactions are accepted. Poor post
SMTP analysis that might reach the same conclusions puts a lot of pressure
on the "Bounce or Bit-Bucket" decision.
Over 30 to 60% of the RCPT targets are bad, it shouldn't take much to
realize that delay (MAIL FROM or HELO) verification is a requirement, no
longer a recommendation today.
So I guess the philosophical question is... who is expected to provide
leadership in the evolution of the internet? Developers or
administrators (or end users)?
I've been using and abusing the Internet in various creative ways for
about 12 years now, and as an engineer, I can't help but think that I
have a (however small) responsibility to help its evolution along.
Practically though, comparing some of the better standardized protocol
designs and some of the hacks that have been springing up, I would
entrust that responsibility to the engineers rather than the administrators.
Once you go through some of the standards, you can see how forward
thinking they were, back when they were created. And the fact that those
standards endured the test of time is a good hint that extremely careful
protocol development works.
Radu.