spf-discuss

Re: Email ID Declaration - Summary of Objections

2005-05-23 10:05:33
On Mon, May 23, 2005 at 09:21:47AM -0700, David MacQuigg wrote:
> The statements of the objections are brief, and I hope accurate.

Imagine a sender attempts to send a message with statements such as:
(For simplicity I'm just showing part of the sender's side of the smtp
conversation.)

  EHLO a.example.com
  MAIL FROM:<user@b.example.com>
  [...]
  DATA
  [...]
  Resent-Sender: user@c.example.com
  [...]
  .

(And just to make things even more simple, let's assume that MS decided
to actually license their senderID patent claims in an open-source
compatible way, and that the technical problems with it were resolved.)

I would want to reject the mail as being a forgery if any of the
following is true:

1.  a.example.com claims via its spf or csv record that the client
    is forging its name in the helo string.

2.  b.example.com's spf record says via its spf record that the
    client does not have its permission to use "user@b.example.com"
    in this way.

3.  c.example.com says that the client does not have its permission
    to use "user@c.example.com" as a pra.

I then want to reject the mail if any of the following reputation
problems exist:

1.  If my trusted reputation server tells me something bad about
    user@b.example.com

2.  If user@b.example.com doesn't get an spf pass and my trusted
    reputation server tells me something bad about a.example.com

    (I'm fine with receiving mail from "good" domains sent from
    spammy servers.)

3.  If my trusted reputation server tells me something bad about
    user@c.example.com.

How does an "ID d.example.com", which presumably tells me c's claims
about what *it* is okay with me doing, help me with the above?

Now, I can see that:

1.  I'll have another way of rejecting mail as a forgery.
    That is, I can reject mail connections that d.example.com's ID
    record claims is a forgery.

2.  I'll also have another way of rejecting mail for reputation reasons,
    if reputation servers are made for recording reputation of mail that
    ID's have said pass their tests.

However, I don't see how either of those things help me accomplish my
preexisting goals.

So again, how *exactly* does an ID claim from an untrusted party help me
accomplish my listed goals?

-- 
Mark Shewmaker
mark(_at_)primefactor(_dot_)com
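
An added example, not part of the original message: the rejection policy listed above, applied to the SMTP excerpt from the message. The function names, the result strings and the simplified PRA header order are assumptions made for this illustration.

```python
import re

# The sender's side of the conversation as shown in the message.
TRANSCRIPT = """EHLO a.example.com
MAIL FROM:<user@b.example.com>
[...]
DATA
[...]
Resent-Sender: user@c.example.com
[...]
.
"""

def identities(transcript):
    """Return the HELO name, the MAIL FROM address and a simplified PRA."""
    ids, headers, in_data = {}, {}, False
    for line in transcript.splitlines():
        if in_data:
            m = re.match(r"([A-Za-z-]+):\s*<?([^<>\s]+)>?\s*$", line)
            if m:  # keep the first occurrence of each header
                headers.setdefault(m.group(1).lower(), m.group(2).lower())
        elif line.upper().startswith(("EHLO ", "HELO ")):
            ids["helo"] = line.split()[1].lower()
        elif line.upper().startswith("MAIL FROM:"):
            ids["mailfrom"] = line[10:].strip(" <>").lower()
        elif line.upper() == "DATA":
            in_data = True
    # Assumption: first header present in this order stands in for the PRA;
    # the real selection rules have more cases than this.
    for name in ("resent-sender", "resent-from", "sender", "from"):
        if name in headers:
            ids["pra"] = headers[name]
            break
    return ids

def decide(ids, auth, bad):
    """auth maps identity kind to 'pass'/'fail'/'none'; bad is a set of
    names the trusted reputation server reports as bad."""
    for kind in ("helo", "mailfrom", "pra"):      # forgery checks 1-3
        if auth.get(kind) == "fail":
            return "reject: forged " + kind
    if ids["mailfrom"] in bad:                    # reputation check 1
        return "reject: reputation mailfrom"
    # Reputation check 2: the HELO host's reputation only counts when
    # MAIL FROM did not get a pass ("good" domain via spammy server is fine).
    if auth.get("mailfrom") != "pass" and ids["helo"] in bad:
        return "reject: reputation helo"
    if ids.get("pra") in bad:                     # reputation check 3
        return "reject: reputation pra"
    return "accept"
```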