spf-discuss
[Top] [All Lists]

Re: Andy Newton says: FTC Dismisses SPF

2005-06-24 17:25:17
Hector Santos wrote:

took me FOUR hours, grr,
It took me 4:01 hours too! <g>

Maybe we did it wrong, just preparing the answers offline using
John's plain text extract in twenty files, and then try their
file attachment function twenty times could be faster than the
ugly Web form,

That was a pain!

Oops, I thought it was an oddity of my browser.  If you also
needed a window width of roughly four physical screen widths
it might be their problem.

only two questions are directly about "PRA"

Did you talk about the potential it has for new high payload
scalability issues?

  Question: 17
  Sender-ID "PRA" is broken by design, because it abuses v=spf1 policies for
  tests that will result in bogus PASS and bogus FAIL results. By itself
  (using spf2.0/pra policies designed for "PRA") its value is utter dubious,
  among others it might not work for: - RfC 2476 MSAs enforcing submission
  rights (6.1) without setting a Sender (8.1) - mailing lists not setting a
  Sender (e.g. only Errors-To) - moderated newsgroups (mail from news server
  to moderator) - MUAs not showing the tested "PRA" (e.g. a Resent-Sender) Its
  value as "anti-phishing" tool for legacy (= all) MUAs is dubious, if
  "phishers" create bogus Resent-header fields. Unlike v=spf1 it does almost
  nothing against "backscatter". But the opposite is also true, v=spf1 does
  almost nothing against "phishing" for similar reasons, legacy MUAs don't
  display the tested Return-Path (MAIL FROM).

  Question: 18
  See previous answer. PRA-"experiments" with v=spf1 policies without the
  explicit consent of the publisher of the policy are unethical and abuse.
  Offering some "opt-out scheme" to justify this abuse of the installed v=spf1
  base for another incompatible "PRA" test is unethical and abuse. Several
  proposals for an explicit "opt-in" for those who want it exist. The first
  v=spf1 policies were published almost one year before "PRA" was formulated.
  The problems are all well known, undisputed, published numerous times,
  identified by the former IETF MARID WG, and reported to the IESG again and
  again.

  Question: 19
  MTAMARK and SIQ are promising. Reputation systems combined with SPF and
  other standards by SIQ might help to reduce the overhead of different
  independent standards. CSV, SES, and DKIM might be also interesting. For
  normal simple cases SPF and CSV HELO-tests might be similar, but CSV also
  guarantees to be simple (unlike SPF). OTOH there's no much deployment, that
  might change depending on the abuse of v=spf1 by "PRA".

More technical issues about MAIL FROM != PRA with test reports
about a Sympa mailing list and a RfC 2476 (6.1 but no 8.1) MSA
added to other questions.  Privacy issues of RfC 2476 8.1 incl.
"maybe illegal in Germany" also mentioned earlier.

                           Bye, Frank