spf-discuss

Re: Time to start rejecting on neutral?

2005-05-17 08:24:46
Hector wrote:

    "v=spf1 ?a:spammer-example.com -all"

and the server [sender] always sends mail with the email domain:
spammer-example.com

Alex replied to Hector:

So?

The host with name "spammer-example.com" is emitting email with domain
"spammer-example.com" which is exactly what we want.

Maybe I don't get where you're going at.  I think one of us has a bad day
and I sure hope it's you, (not too bad though) :)

HA!!  I don't wish the worst even on my enemies :-)

I think we are more in agreement than not.

My only point is that relaxed provisions do put the burden on the
receiving system to decide how to handle relaxed results and I am of the
strong technical opinion that this will get out of hand eventually once SPF
is widely adopted.    It is obvious to me.  It was obvious to spammers for
SMTP too when they saw they can issue ANY domain for HELO or MAIL FROM with
little harm to them.

So it doesn't make sense to me when we had:

Original SMTP system:

     MAIL FROM:  domain  --->  weak and/or no checking

And we add SPF to add some level of "strength"

Original SMTP system + SPF:

     MAIL FROM:  domain  --->  stronger checking

Only to go back to square one with a SPF relax policy.

Original SMTP system + SPF with relaxed domain policy:

     MAIL FROM:  domain  --->  indecision with relaxed result.

So we add checking to a no checking system and then keep a key under the
potted plant by making the checking ineffective by supporting relaxed
policies.

My proposal is to make the relax provisions time limited.  It's the only way
to address this without breaking the current specification.  But we need to
make it known to all systems that their relaxed policy will be expiring if
they don't get their network secured within a specific time since first
publishing the policy in DNS.

----
Hector Santos, CTO
Santronics Software, Inc.
http://www.santronics.com
http://www.winserver.com/wcsap (Wildcat! Sender Authentication Protocol)
http://www.winserver.com/spamstats  (WcSAP Anti-Spam Stats)
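
Added example, not part of the original message: a small Python sketch of how the quoted record `v=spf1 ?a:spammer-example.com -all` evaluates, and of a receiver-side rule that stops tolerating relaxed results after a grace period. The DNS table, the 90-day period, the `first_seen` date tracked by the receiver, and all function names are assumptions made for illustration.

```python
import ipaddress
from datetime import date, timedelta

# Constructed stand-in for DNS A lookups (documentation address range).
A_RECORDS = {"spammer-example.com": ["192.0.2.10"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, argument) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        body = term[1:] if term[0] in QUALIFIERS else term
        mech, _, arg = body.partition(":")
        parsed.append((qualifier, mech.lower(), arg))
    return parsed

def check_host(record, sender_ip, domain):
    """Evaluate only the 'a', 'ip4' and 'all' mechanisms, left to right."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, arg in parse_spf(record):
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = sender_ip in A_RECORDS.get(arg or domain, [])
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            continue  # mechanisms outside this sketch are skipped
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched: default result

def receiver_action(result, first_seen, today, grace=timedelta(days=90)):
    """Hypothetical local policy: relaxed results expire after a grace period."""
    if result == "pass":
        return "accept"
    if result == "fail":
        return "reject"
    # neutral / softfail: tolerated only while the grace period is running
    return "accept-and-flag" if today - first_seen <= grace else "reject"
```

With the quoted record, the listed host gets `neutral` and every other address gets `fail`, so the receiver's handling of `neutral` is the only decision left open for mail from that host.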