-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of Julian Mehnle
Sent: Tuesday, May 17, 2005 8:15 AM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: [spf-discuss] People keep misunderstanding what "Pass" and "Neutral" mean (was: Time to start rejecting on neutral?)
Guy wrote:
I have never liked NEUTRAL. It is like NONE. So, no point.
I would like to see something between PASS and NEUTRAL, maybe NORMAL, or
EXPECTED. This would be used for a shared MTA like I must use since my
IP address is dynamic and on some blacklists as such. It is NORMAL for
mail to come from me via my ISP's MTA. But I should not use PASS since
it can be forged, and I can't promise I really sent it.
People keep misunderstanding what "Pass" and "Neutral" mean:
| 2.5.3. Pass
|
| A "Pass" result means that the client is authorized to inject mail
| with the given identity. [...]
| 2.5.2. Neutral
|
| The domain owner has explicitly stated that they don't know whether
| the IP address is authorized or not. [...]
"Pass" does not (or should not) mean that the identity is guaranteed not to
be forged, it just means that the sending host has been authorized by the
domain owner to use this identity.
From a theoretical point of view, mail from shared MTAs should get "Pass",
too, like mail from secure sources. SPF cannot take on the task of
securing shared MTAs -- the operators of those have to take care of that
by themselves. Also from a theoretical point of view, "Neutral" ("?") is
mostly pointless because it doesn't make sense to say "I don't know
whether that IP address is authorized" -- the publisher by definition
should know which hosts he wants to authorize. It is _his_ decision.
Now, in practice, many policy publishers apply "?" to their shared MTAs
because they don't trust them to prevent cross-user forgery. That doesn't
accurately describe what they mean, but it usually does what they want.
I guess it depends on what the meaning of the word is, is.
Does "...client is authorized..." mean that it is authorized to send __THIS__
message?
Does "...client is authorized..." mean that it is authorized to send messages, but makes
no statement about the authorization of __THIS__ message?
If it's the former (and that's been the predominant interpretation on
spf-discuss for the last year I think), then you can use Meng's domain based
RBL approach, but shared MTA users beware of cross-customer forgery:
http://spf.pobox.com/faq.html#churn
If it's the latter, then that isn't appropriate and you have to fall back to
HELO/EHLO for the identity upon which to base reputation:
http://archives.listbox.com/spf-discuss(_at_)v2(_dot_)listbox(_dot_)com/200407/0029.html
If it is the latter, I believe that Doug Otis is right and SPF mail-from is
not terribly useful as a basis for reputation. When SPF was called Sender
Permitted From, that implied one definition. I think we've moved to the other
for some time now.
Scott K
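The point both messages circle around is that an SPF result is computed from the connecting host's IP and the domain's published policy, not from anything about the individual message or the user who injected it. The following is an added illustration, not code from this thread or from any SPF implementation: a deliberately minimal evaluator that handles only the ip4/ip6/all mechanisms, run against two constructed policies for a hypothetical example.com that lists a shared ISP MTA (constructed address 198.51.100.0/24) once with the default "+" qualifier and once with "?". The records, addresses and sample messages are all constructed for the example.

```python
import ipaddress

# Map SPF qualifiers to result names (RFC 4408 section 2.5 terminology).
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a simplified spf1 record into (qualifier, mechanism, argument) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an spf1 record")
    terms = []
    for term in parts[1:]:
        qualifier = "+"  # a term without an explicit qualifier means "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        terms.append((qualifier, mech.lower(), arg or None))
    return terms


def check_host(client_ip, record):
    """Evaluate the connecting host's IP against the record.

    Only ip4, ip6 and all are supported here; anything else is rejected so
    the toy never silently returns a wrong answer for a real-world record.
    Note that the message's own content never enters the decision.
    """
    addr = ipaddress.ip_address(client_ip)
    for qualifier, mech, arg in parse_spf(record):
        if mech == "all":
            return RESULT[qualifier]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return RESULT[qualifier]
        else:
            raise ValueError(f"mechanism {mech!r} not handled by this example")
    return "neutral"  # default when no mechanism matches


# Constructed policies for a hypothetical example.com. 192.0.2.10 is the
# domain's own MTA; 198.51.100.0/24 is the ISP's shared outbound MTA range.
RECORD_SHARED_PASS = "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 -all"
RECORD_SHARED_NEUTRAL = "v=spf1 ip4:192.0.2.10 ?ip4:198.51.100.0/24 -all"

# Constructed messages: two different ISP customers inject mail through the
# same shared MTA, only one of whom actually controls example.com.
SAMPLE_MESSAGES = [
    {"client_ip": "198.51.100.25", "mail_from": "owner@example.com"},
    {"client_ip": "198.51.100.25", "mail_from": "other-customer@example.com"},
    {"client_ip": "203.0.113.5", "mail_from": "owner@example.com"},
]


def evaluate_messages(record, messages):
    """Return (mail_from, result) per message; results depend on client IP only."""
    return [(m["mail_from"], check_host(m["client_ip"], record)) for m in messages]


if __name__ == "__main__":
    for label, record in (("shared MTA as +", RECORD_SHARED_PASS),
                          ("shared MTA as ?", RECORD_SHARED_NEUTRAL)):
        print(label)
        for sender, result in evaluate_messages(record, SAMPLE_MESSAGES):
            print(f"  {sender:32} -> {result}")
```

With the "+" record, both customers' messages from 198.51.100.25 come back "pass", which is exactly the cross-customer situation the thread describes: the host is authorized, so the result says nothing about which customer wrote the message. With the "?" record they both come back "neutral", which is the in-practice workaround Julian mentions. A receiver that feeds "pass" into a per-domain reputation system therefore needs to know whether the publishing domain's authorized hosts are shared, or fall back to a host-level identity such as HELO as Scott suggests.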