spf-discuss

Re: Request for Input on the meaning of "pass".

2005-06-02 18:33:14

(Readers may skip the examples if they find them too tedious.  In that 
case, read on from "Now, some may think...".)

Alex van den Bogaerdt wrote:
1) Domainowner.example.ORG expresses trust in smtp.example.COM
2) smtp.example.COM is not worth this trust
3) abuse is reported to abuse(_at_)domainowner(_dot_)example(_dot_)ORG

4a) domainowner.example.ORG adapts
5a) smtp.example.COM is no longer allowed to send as
    domainowner.example.ORG
6a) domainowner.example.ORG uses another box to send its mail
7a) domainowner.example.ORG's reputation stays on the good side
or
4b) domainowner.example.ORG does nothing
5b) abuse continues
6b) domainowner.example.ORG's reputation goes down the drain

Note that authentication occurs nowhere, yet reputation works!

Now suppose domainowner.example.ORG is a spammer.

4c)  abuse(_at_)domainowner(_dot_)example(_dot_)ORG replies:
     "I authorized smtp.example.COM to send mail using my domain, but that
     does not mean the domain in the abuse message you complained about was
     authentic.  Anybody at smtp.example.COM could have sent it."

5c1) Complainant thinks:
     "Ok, so I got an SPF Pass but I cannot hold his domain responsible.
     WTF is it with SPF Pass?"
or
5c2) Complainant thinks:
     "Bullshit.  I'll blacklist his domain anyway.  It's _his_ job not to
     assert SPF Pass if he cannot prevent others at smtp.example.COM from
     using his domain."

Now, some may think that the answer to "WTF is it with SPF Pass?" is that 
even though "Pass" may not assert authenticity, it at least prevents 
misdirected bounces.  Far from it!  Anybody at smtp.example.COM could have 
sent it (the original message)!  And domainowner.example.ORG gets the 
bounces, whether he is a spammer or not.

Ergo it is, in _any_ case, not very useful to assert "Pass" for MTAs who do 
not prevent cross-customer forgery, even if "Pass" just means "you can 
send me the bounces".

"Pass" really cannot mean anything other than a full "authentic" AKA "you 
can hold my domain responsible".  q.e.d.
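The shared-MTA scenario above, as an added example that is not part of the post or of any SPF implementation: a minimal SPF evaluator (ip4, a, include, all) runs over a constructed DNS table in which two unrelated customers both authorise smtp.example.COM. Mail from the MTA's address gets Pass for either domain, so the receiver can only attach reputation to the MAIL FROM domain that published the record, which is the reading of "Pass" the post argues for. All hostnames, addresses and records are constructed.

```python
import ipaddress

# Constructed DNS data standing in for real lookups (not the list post's data).
DNS = {
    "a": {"smtp.example.com": ["192.0.2.25"]},
    "txt": {
        # The domain owner authorises a shared outbound MTA, as in the thread.
        "domainowner.example.org": "v=spf1 a:smtp.example.com -all",
        # Another customer of the same MTA publishes the same authorisation.
        "othercustomer.example.net": "v=spf1 a:smtp.example.com -all",
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Minimal SPF evaluator over the constructed DNS table.
    Returns one of pass/fail/softfail/neutral/none/permerror."""
    record = DNS["txt"].get(domain)
    if record is None:
        return "none"
    if depth > 10:                            # bound include: recursion
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:           # skip the "v=spf1" version tag
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qual]
        if name == "ip4" and addr in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qual]
        if name == "a" and ip in DNS["a"].get(arg or domain, []):
            return QUALIFIERS[qual]
        if name == "include" and check_host(ip, arg, depth + 1) == "pass":
            return QUALIFIERS[qual]
    return "neutral"                          # no mechanism matched, no "all"


def responsible_domain(ip, mail_from_domain):
    """Receiver-side reading of Pass from the post: the MAIL FROM domain whose
    owner published the record is held responsible, whichever customer of the
    shared MTA actually injected the message. None when there is no Pass."""
    return mail_from_domain if check_host(ip, mail_from_domain) == "pass" else None
```

Both customers of smtp.example.COM receive Pass from 192.0.2.25, which is why the evaluator cannot say who at the MTA sent the mail, only which domain owner vouched for it.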