spf-discuss

Re: Request for Input on the meaning of "pass".

2005-06-03 09:59:32

Hi all.

To provide an additional data point to the debate, for those in particular
who insist that draft-schlitt-spf-classic must document legacy behavior
and that adding the concept of "responsibility" to the definition of
"Pass" would be a change to such legacy behavior, I'd like to quote
draft-mengwong-spf-00, section 8.10:

| 8.10 Changes to Existing Semantics
| 
| 8.10.1 The Return-Path is now also a Responsible Sender
| 
|    From RFC2821:
| 
|       The <reverse-path> portion of the first or only argument contains
|       the source mailbox (between "<" and ">" brackets), which can be
|       used to report errors (see section 4.2 for a discussion of error
|       reporting).
| 
|    When SPF is used to authenticate the return-path, the domain in the
|    source mailbox is now also the party responsible for sending the
|    message.
| 
|    This semantic change is justified by the desire to control joe-jobs.
|    Joe jobs are a distributed denial of service attack against a given
|    address executed by forging messages using a victim sender address
|    and sending them to thousands of recipients.  Inevitably, some of
|    those delivery attempts fail, and bounce messages are generated to
|    the victim sender address.  These unwanted bounce messages can end up
|    crippling the victim mailbox.  SPF gives these potential victims a
|    way to protect their mailboxes.  With SPF, senders can now control
|    the use of their address in the return-path.

Note in particular the middle paragraph.  draft-mengwong-spf-00 is dated 
2003-02.  The same section exists in -01, dated 2004-05, with only this 
slight modification:

|    When SPF is used to authenticate the return-path, the domain in the
|    source mailbox is now also considered accountable for injecting the
|    message into the mailstream.

Also, both drafts use the term <responsible-sender> all over the place 
(where draft-schlitt-spf-classic now uses <sender>, which IMO is OK since 
it is much shorter).

Responsibility of the domain has always been an essential part of SPF.