Hi all.

To provide an additional data point to the debate, for those in particular
who insist that draft-schlitt-spf-classic must document legacy behavior
and that adding the concept of "responsibility" to the definition of
"Pass" would be a change to such legacy behavior, I'd like to quote
draft-mengwong-spf-00, section 8.10:

| 8.10 Changes to Existing Semantics
|
| 8.10.1 The Return-Path is now also a Responsible Sender
|
| From RFC2821:
|
| The <reverse-path> portion of the first or only argument contains
| the source mailbox (between "<" and ">" brackets), which can be
| used to report errors (see section 4.2 for a discussion of error
| reporting).
|
| When SPF is used to authenticate the return-path, the domain in the
| source mailbox is now also the party responsible for sending the
| message.
|
| This semantic change is justified by the desire to control joe-jobs.
| Joe jobs are a distributed denial of service attack against a given
| address executed by forging messages using a victim sender address
| and sending them to thousands of recipients. Inevitably, some of
| those delivery attempts fail, and bounce messages are generated to
| the victim sender address. These unwanted bounce messages can end up
| crippling the victim mailbox. SPF gives these potential victims a
| way to protect their mailboxes. With SPF, senders can now control
| the use of their address in the return-path.

Note in particular the middle paragraph. draft-mengwong-spf-00 is dated
2003-02. The same section exists in -01, dated 2004-05, with only this
slight modification:

| When SPF is used to authenticate the return-path, the domain in the
| source mailbox is now also considered accountable for injecting the
| message into the mailstream.

Also, both drafts use the term <responsible-sender> all over the place
(where draft-schlitt-spf-classic now uses <sender>, which IMO is OK since
it is much shorter).

Responsibility of the domain has always been an essential part of SPF.