spf-discuss
[Top] [All Lists]

Re: Modifications to SPF for Mask function

2005-03-28 13:18:19


Hector Santos wrote:
----- Original Message -----
From: "Radu Hociung" <radu(_at_)ohmi(_dot_)org>
Newsgroups: spf.-.sender.policy.framework.discussion
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Monday, March 28, 2005 1:02 PM
Subject: Re: [spf-discuss] Modifications to SPF for Mask function



Why do you make the assumption that anyone who checks PRA will also

check

SPF?

Because it's only reasonable that SPF be used to reject the obvious
(forged) SPAM before DATA, and the non-envelope-forged phishing attacks
after DATA. I see no value in accepting a forged envelope, just to do
header checks on the forgery.

Perhaps I don't understand spf2/pra/mfrom/etc well enough. I thought it
depends on SPF, but not that it replaces it.


You are correct, and I admire your persistence on the matter.

But here lies the philosophical conflicts between Developers and
Administrators you will realize (if not already) soon enough.  The industry
is literally confused on where these email authentication solutions should
take place.

A dynamic vs. Post SMTP solution?  or Both?

For most SMTP developers, the solution is more obvious - at SMTP.

Not for the administrators whose most probable control comes with post SMTP
scripts, sieve, perl or otherwise.

Over 60-80% of all transactions are problematic - it shouldn't take much to
realize that stronger SMTP transaction management is the name of the game.
There is still a responsibility when transactions are accepted.  Poor post
SMTP analysis that might reach the same conclusions puts a lot of pressure
on the "Bounce or Bit-Bucket" decision.

Over 30 to 60% of the RCPT targets are bad,  it shouldn't take much to
realized that delay (MAIL FROM or HELO) verifications is a requirement, no
longer a recommendation today.

So I guess the philosophical question is... who is expected to provide leadership in the evolution of the internet? Developers or administrators (or end users)?

I've been using and abusing the Internet in various creative ways for about 12 years now, and as an engineer, I can't help but think that I have a (however small) responsability to help its evolution along.

Practically though, comparing some of the better standardized protocol designs and some of the hacks that have been springing up, I would entrust that responsibility to the engineers rather than the administrators.

Once you go through some of the standards, you can see how forward thinking they were, back when they were created. And the fact that those standards endured the test of time is a good hint that extremely careful protocol development works.

Radu.