spf-discuss

Re: Time to start rejecting on neutral?

2005-05-17 12:56:42
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hector Santos wrote:
> ----- Original Message -----
> From: "Daniel Taylor" <dtaylor(_at_)vocalabs(_dot_)com>
>
> > Relaxed results can get people using the system, and with other tools
> > (mimedefang, bayesian filtering, etc.) can be useful in any event.
>
> I agree and realize it. But I am afraid without a written-in-stone
> Expiration Policy for Relaxed provisions, it will be exploited. As I
> stated, with SPF we attempt to close the "relaxed SMTP" loophole where SMTP
> allowed the sender to use any domain. Relaxed SPF policies will take us back
> to square one.
>
> The last thing I want to see recurring is this statement in RFC 2821:
>
> | 7.1 Mail Security and Spoofing
> |
> |    ....
> |
> |    This specification does not further address the authentication issues
> |    associated with SMTP other than to advocate that useful functionality
> |    not be disabled in the hope of providing some small margin of
> |    protection against an ignorant user who is trying to fake mail.
>
> Well, today, we all know that it is not just a few "ignorant users"
> trying to fake mail, but a multi-million, if not billion, dollar spamming
> industry.
>
> Let's not repeat this by wrongly assuming that an SPF relaxed provision will
> only be exploited by "a few ignorant users who are trying to fake mail."

Good point; you know this, I know it. I think the important thing is not
making the relaxed results have mandatory expirations, but making sure
that domain owners know why they don't want to use relaxed results
unless absolutely necessary.

Personally, I think that establishing a reputation system that treats
spam with relaxed results as _possibly_ from the claimed domain would
be a nice incentive. This is already being done on an ad-hoc basis
(reject aol.com on NEUTRAL anyone?) but could be formalised.

I need to think through the implementation details. This should be
possible now.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCikx68/QSptFdBtURAvUaAJ0fV5B3jh35J5whXHGpmKjavjFamgCfXnpS
g4ZNty6SnGNd86UQbPgQrMo=
=fKdq
-----END PGP SIGNATURE-----
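As an added illustration of the two points above (that a record ending in "?all" yields Neutral for any unlisted host, and that a receiver could formalise the ad-hoc "reject on NEUTRAL" practice as a per-domain reputation rule), here is a small example that is not part of this thread or of any SPF implementation. It evaluates a simplified SPF record (only ip4/ip6 mechanisms plus the terminating "all", per RFC 4408 semantics) and then applies a receiver-side policy: a Neutral result is accepted and filtered until the domain has been seen sending spam under its relaxed record too often, after which Neutral is treated like Fail. The domain names, addresses and threshold are constructed sample values.

```python
"""Simplified SPF evaluation plus a reputation policy for Neutral results.
Added example, not from the spf-discuss thread; all names and IPs are made up."""
import ipaddress
from collections import defaultdict

# SPF qualifier prefix -> result name (RFC 4408 section 4.6.2)
QUALIFIER_RESULT = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}


def evaluate_spf(record: str, client_ip: str) -> str:
    """Evaluate a v=spf1 record made of ip4:/ip6: mechanisms and 'all'.

    Mechanisms outside that subset raise ValueError instead of being
    silently skipped, so a result is never produced from a half-read record.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "None"  # no usable record
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIER_RESULT[qualifier]
        if mech in ("ip4", "ip6"):
            # mismatched address families simply do not match
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIER_RESULT[qualifier]
            continue
        raise ValueError(f"unsupported mechanism: {mech}")
    return "Neutral"  # RFC 4408 4.7: nothing matched and no 'all' present


class NeutralPolicy:
    """Receiver-side handling of SPF results.

    Pass is accepted, Fail is rejected, SoftFail/Neutral/None are accepted
    but handed to content filtering. A domain whose Neutral-result mail has
    been classified as spam `threshold` times, or that is on an explicit
    list, has Neutral treated as Fail from then on.
    """

    def __init__(self, threshold: int, explicit_reject=()):
        self.threshold = threshold
        self.neutral_spam = defaultdict(int)  # domain -> spam seen under Neutral
        self.explicit_reject = set(explicit_reject)

    def record_spam(self, domain: str, spf_result: str) -> None:
        """Feedback from the content filter: this message was spam."""
        if spf_result == "Neutral":
            self.neutral_spam[domain] += 1

    def action(self, domain: str, spf_result: str) -> str:
        if spf_result == "Pass":
            return "accept"
        if spf_result == "Fail":
            return "reject"
        if spf_result == "Neutral" and (
            domain in self.explicit_reject
            or self.neutral_spam[domain] >= self.threshold
        ):
            return "reject"
        return "accept-and-filter"


# Constructed sample records: one strict (-all), one relaxed (?all).
SAMPLE_RECORDS = {
    "strict.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "relaxed.example": "v=spf1 ip4:198.51.100.0/24 ?all",
}


def demo() -> list:
    """Walk a relaxed domain from 'accept-and-filter' to 'reject' on Neutral."""
    policy = NeutralPolicy(threshold=3)
    out = []
    # Listed host of the relaxed domain: Pass.
    r = evaluate_spf(SAMPLE_RECORDS["relaxed.example"], "198.51.100.7")
    out.append(policy.action("relaxed.example", r))
    # Unlisted host claiming the relaxed domain: Neutral, filtered not rejected.
    r = evaluate_spf(SAMPLE_RECORDS["relaxed.example"], "203.0.113.9")
    out.append(policy.action("relaxed.example", r))
    # The filter reports three such messages as spam; reputation now bites.
    for _ in range(3):
        policy.record_spam("relaxed.example", r)
    out.append(policy.action("relaxed.example", r))
    # The same unlisted host against a strict record: Fail, rejected outright.
    r = evaluate_spf(SAMPLE_RECORDS["strict.example"], "203.0.113.9")
    out.append(policy.action("strict.example", r))
    return out


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the domain owner's choice of "?all" only postpones the decision: the receiver still ends up rejecting, but on the basis of observed behaviour rather than the published record, which is the incentive the thread is after.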

