spf-discuss

Re: Problem with SID

2005-06-22 10:00:12
Alex van den Bogaerdt wrote in spf-discuss:

 [draft-lyon-senderid-core-01 ch. 3.4 "SHOULD abuse v=spf1"]
> That doesn't mean I think this is a big issue, there are
> (IMHO) just too many hurdles for spammers to take this
> route and still be efficient.

For ordinary spammers, yes.  For phishers, no.  PRA claims
to be "anti-phishing", and checking the PRA against policies
designed for a MAIL FROM mailbox address won't work in some
cases.  For those who are affected it's a very big issue.

All in all it might be unlikely, and the worst is a bogus
PRA-FAIL for my mails on Sympa mailing lists sometimes.

Or maybe I can't post articles in some moderated newsgroups.
I'd know how to submit articles directly to the moderator
of say nanas, no big issue, maybe no NG access for others.

But a bogus PRA-PASS with almost zero effort - all they need
is an account at a mail provider publishing v=spf1 like GMX -
can have devastating effects.

I just need a free GMX account, use a corresponding MAIL FROM,
and then I'm free to generate a bogus PRA-PASS for millions
of GMX customers by abusing their 2822-From.

Yeah, they'd kick me when they get me.  I get a new account.
This is the PRA-PASS phishing super-highway.

> you can publish the PRA record if it is that important for
> you

Opt-out of a criminal scheme instead of fighting the abuse is
generally no option.  It's like negotiations with kidnappers.

> Do you think the majority of them won't add a "Sender:"
> header or something similar?

The majority won't, it's a serious privacy issue, it might be
even illegal in my country.  When Keith and Hector talk about
such problems it's no science fiction, it's also about civil
rights like anonymous mail, see fresh IETF SMTP threads about
draft-hutzler-spamops.

> I think they have a right to experiment

With those who explicitly consent.  I did not.  GMX did not,
or at least I don't think they did, no sp2.0/pra or op=pra.

Experiments with non-consenting folks are generally unethical.

> calling people retards.

Okay, I offered "excessive technical incompetence or outright
corruption" on mxcomp, they pick what they like.  Bye, Frank

P.S.:  Another RFC 2026 (6.5.2) copy now to chair@ietf.org

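The scope mismatch Frank describes (a v=spf1 record published for MAIL FROM being applied to the PRA) can be made concrete with a small verifier. This is an added illustration, not code from the thread or from any SPF implementation; the zone data, domain names and addresses are constructed placeholders.

```python
"""Scope-aware SPF / Sender ID policy selection (added example, not from the thread).
DNS_TXT is a constructed in-memory zone; the domains are placeholders."""
import ipaddress

DNS_TXT = {
    # Provider that publishes only v=spf1: a MAIL FROM policy, no PRA opt-in.
    "mailprovider.test": ["v=spf1 ip4:192.0.2.0/24 -all"],
    # Domain that explicitly opted in to PRA checking with an spf2.0/pra record.
    "optedin.test": ["v=spf1 ip4:198.51.100.0/24 -all",
                     "spf2.0/pra ip4:198.51.100.0/24 -all"],
}

def scopes_of(record):
    """Scopes a record was published for: v=spf1 is mfrom only, spf2.0/x,y lists its own."""
    head = record.split()[0]
    if head == "v=spf1":
        return {"mfrom"}
    if head.startswith("spf2.0/"):
        return set(head[len("spf2.0/"):].split(","))
    return set()

def select_policy(domain, scope, reuse_spf1_for_pra):
    """Pick the record to evaluate for `scope` ('mfrom' or 'pra').
    reuse_spf1_for_pra=True mirrors draft-lyon-senderid-core-01 sec. 3.4
    (v=spf1 is applied to the PRA unless an spf2.0/pra record exists);
    False only applies records published for the requested scope."""
    records = DNS_TXT.get(domain, [])
    for r in records:
        if scope in scopes_of(r):
            return r
    if scope == "pra" and reuse_spf1_for_pra:
        for r in records:
            if "mfrom" in scopes_of(r):
                return r
    return None

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate(record, ip):
    """Minimal evaluator: ip4:<cidr> and the 'all' mechanism with +/-/~/? qualifiers."""
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if mech.startswith("ip4:") and addr in ipaddress.ip_network(mech[4:]):
            return RESULT[qual]
        if mech == "all":
            return RESULT[qual]
    return "neutral"

def check(ip, domain, scope, reuse_spf1_for_pra=True):
    """Result for one identity; 'none' means no policy was published for this scope."""
    record = select_policy(domain, scope, reuse_spf1_for_pra)
    return "none" if record is None else evaluate(record, ip)
```

With reuse enabled, a message relayed from 192.0.2.10 whose From: header names mailprovider.test gets a PRA "pass" although that domain only ever published a MAIL FROM policy; with reuse disabled the PRA result is "none" and the decision is left to other checks.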