On Sat, 25 Jun 2005, Hector Santos wrote:
> I see, so can we generalize it like so?
> Benefits:
> - Can address Social Engineering issues (i.e., phishing) at the MUA
> by displaying the PRA
> Concerns:
> - Requires adaptation (change) by MUAs to display PRA
> - Requires two SPF records (SPF1 and SPF2.0/PRA) ???
> Is this last concern correct?
- Requires a distinct SPF2.0/PRA record (or a single multi-scope aware
record, e.g. op=pra) to be useful. Reusing SPF1 only records for PRA
is evil and will make phishing easier.
- Does not help MTAs efficiently filter abusive senders unless
SPF1 is checked first.
I know that is awkward. MS's strategy makes it difficult to explain.
PRA could still be useful against phishing without SPF1, and
that helps end users.
However, MTA admins want to know who/what is sending spam,
so they can block it before it ever gets to the end user, and
in fact before they have to waste bandwidth and resources receiving
the forgery. SPF1 helps by preventing (providing tools to prevent) MAIL FROM
forgery so that reputations, blacklists, and whitelists can be reliably based
on MAIL FROM. While reputations and such could conceivably be based on PRA,
that would require receiving the entire message before rejecting it. The
SUBMITTER optimization only works for legitimate messages. I get 30,000
forgeries every day, and only a few dozen real messages.
So, if MS wasn't so focused on world domination, SenderID
could benefit end users (Microsoft's primary monopoly) by making
phishing harder, while SPF1 benefits mail admins by providing a tool
to reliably filter by MAIL FROM rather than IP.
If you are implementing SenderID in an MTA, you want to eliminate
the MAIL FROM forgeries first using SPF1, since that is cheap, before
you do the Sender-ID check.
--
Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
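The MTA check ordering described above (a cheap SPF1 check on MAIL FROM before DATA, the PRA check from the headers only after the message has been received, and no reuse of v=spf1-only records for the PRA scope), as an added Python illustration that is not from this thread or any SPF implementation. The TXT records, IP addresses, message headers and the deliberately simplified ip4-only evaluator are constructed assumptions.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed TXT records (not real zones); only bank.example publishes a distinct spf2.0/pra record.
DNS_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "bank.example": ["v=spf1 ip4:198.51.100.10 -all",
                     "spf2.0/pra ip4:198.51.100.10 -all"],
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate(record, client_ip):
    """Toy evaluator: only ip4 mechanisms and the 'all' terminator are understood."""
    addr = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if mech == "all":
            return RESULT[qual]
        if mech.startswith("ip4:") and addr in ipaddress.ip_network(mech[4:], strict=False):
            return RESULT[qual]
    return "neutral"

def check_scope(domain, client_ip, scope):
    """'mfrom' uses v=spf1; 'pra' needs an spf2.0 record naming pra (no fallback to v=spf1)."""
    for rec in DNS_TXT.get(domain, []):
        head = rec.split()[0]
        if scope == "mfrom" and head == "v=spf1":
            return evaluate(rec, client_ip)
        if scope == "pra" and head.startswith("spf2.0/") and "pra" in head[7:].split(","):
            return evaluate(rec, client_ip)
    return "none"

def pra_domain(raw_message):
    """Purported Responsible Address: first populated header in RFC 4407 order."""
    msg = message_from_string(raw_message)
    for hdr in ("Resent-Sender", "Resent-From", "Sender", "From"):
        if msg[hdr]:
            return parseaddr(msg[hdr])[1].rsplit("@", 1)[-1].lower()
    return None

def mta_decision(client_ip, mail_from, raw_message=None):
    """Before DATA: SPF1 on MAIL FROM rejects forgeries cheaply; after DATA: PRA result for the MUA."""
    spf1 = check_scope(mail_from.rsplit("@", 1)[-1].lower(), client_ip, "mfrom")
    if spf1 == "fail":
        return ("reject", spf1, None)       # forgery dropped before the body is transferred
    if raw_message is None:
        return ("continue", spf1, None)     # envelope accepted, proceed to DATA
    domain = pra_domain(raw_message)
    pra = check_scope(domain, client_ip, "pra") if domain else "none"
    return ("accept", spf1, pra)            # pra result goes into a header for the MUA to show
```

The last case in the test shows the point of the thread: a message whose MAIL FROM passes SPF1 but whose From header claims bank.example from an unauthorized host gets a PRA fail that the MTA could only compute after receiving the whole message.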