spf-discuss

Re: Request for Input on the meaning of "pass".

2005-06-02 18:52:02
On Fri, Jun 03, 2005 at 03:33:14AM +0200, Julian Mehnle wrote:

> Now suppose domainowner.example.ORG is a spammer.
>
> 4c)  abuse(_at_)domainowner(_dot_)example(_dot_)ORG replies:
>      "I authorized smtp.example.COM to send mail using my domain, but that
>      does not mean the domain in the abuse message you complained about was
>      authentic.  Anybody at smtp.example.COM could have sent it."
>
> 5c1) Complainant thinks:
>      "Ok, so I got an SPF Pass but I cannot hold his domain responsible.
>      WTF is it with SPF Pass?"

Me thinks this is a clear case of an irresponsible domain owner
who deserves being bla^Hocklisted.

> or
> 5c2) Complainant thinks:
>      "Bullshit.  I'll blacklist his domain anyway.  It's _his_ job not to
>      assert SPF Pass if he cannot prevent others at smtp.example.COM from
>      using his domain."
>
> Now, some may think that the answer to "WTF is it with SPF Pass?" is that
> even though "Pass" may not assert authenticity, it at least prevents
> misdirected bounces.  Far from it!  Anybody at smtp.example.COM could have
> sent it (the original message)!  And domainowner.example.ORG gets the
> bounces, whether he is a spammer or not.

But that's not important.  It is the sequence of events after this
happens that matters.  Does or doesn't the domain owner take action?
Which action?  Does he stay with the insecure host or not?  Can you
trust mail from "domainowner.example.ORG" or not?

It doesn't matter who sent the message.  If it goes through an
authorized host, domainowner.example.ORG has to deal with abuse.

> Ergo it is, in _any_ case, not very useful to assert "Pass" for MTAs who do
> not prevent cross-customer forgery, even if "Pass" just means "you can
> send me the bounces".

I happen to know a host that I fully trust but which does not
prevent cross-customer forgery.  If I want to say "+thathost"
then it's _my_ domain's reputation at stake.  You cannot comment
on this host as you know nothing of this host.  If the situation
changes, I will have to take action (and be quick about it) or
else _my_ reputation is damaged due to _me_ trusting this host.
Please don't speak for me (... in _any_ case...).

> "Pass" really cannot mean anything other than a full "authentic" AKA "you
> can hold my domain responsible".  q.e.d.

I deal with complaints, having sent the message or not.
Authentic != {accountable|responsible}.

Alex