Hector Santos wrote:
took me FOUR hours, grr,
It took me 4:01 hours too! <g>
Maybe we did it wrong, just preparing the answers offline using
John's plain text extract in twenty files, and then try their
file attachment function twenty times could be faster than the
ugly Web form,
That was a pain!
Oops, I thought it was an oddity of my browser. If you also
needed a window width of roughly four physical screen widths
it might be their problem.
only two questions are directly about "PRA"
Did you talk about the potential it has for new high payload
scalability issues?
Question: 17
Sender-ID "PRA" is broken by design, because it abuses v=spf1 policies for
tests that will result in bogus PASS and bogus FAIL results. By itself
(using spf2.0/pra policies designed for "PRA") its value is utter dubious,
among others it might not work for: - RfC 2476 MSAs enforcing submission
rights (6.1) without setting a Sender (8.1) - mailing lists not setting a
Sender (e.g. only Errors-To) - moderated newsgroups (mail from news server
to moderator) - MUAs not showing the tested "PRA" (e.g. a Resent-Sender) Its
value as "anti-phishing" tool for legacy (= all) MUAs is dubious, if
"phishers" create bogus Resent-header fields. Unlike v=spf1 it does almost
nothing against "backscatter". But the opposite is also true, v=spf1 does
almost nothing against "phishing" for similar reasons, legacy MUAs don't
display the tested Return-Path (MAIL FROM).
Question: 18
See previous answer. PRA-"experiments" with v=spf1 policies without the
explicit consent of the publisher of the policy are unethical and abuse.
Offering some "opt-out scheme" to justify this abuse of the installed v=spf1
base for another incompatible "PRA" test is unethical and abuse. Several
proposals for an explicit "opt-in" for those who want it exist. The first
v=spf1 policies were published almost one year before "PRA" was formulated.
The problems are all well known, undisputed, published numerous times,
identified by the former IETF MARID WG, and reported to the IESG again and
again.
Question: 19
MTAMARK and SIQ are promising. Reputation systems combined with SPF and
other standards by SIQ might help to reduce the overhead of different
independent standards. CSV, SES, and DKIM might be also interesting. For
normal simple cases SPF and CSV HELO-tests might be similar, but CSV also
guarantees to be simple (unlike SPF). OTOH there's no much deployment, that
might change depending on the abuse of v=spf1 by "PRA".
More technical issues about MAIL FROM != PRA with test reports
about a Sympa mailing list and a RfC 2476 (6.1 but no 8.1) MSA
added to other questions. Privacy issues of RfC 2476 8.1 incl.
"maybe illegal in Germany" also mentioned earlier.
Bye, Frank