spf-discuss
[Top] [All Lists]

Know thy forwarders (was: SPF+SRS vs. BATV)

2005-07-05 14:40:39
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David Woodhouse wrote:
On Tue, 2005-07-05 at 20:32 +0200, Julian Mehnle wrote:
Absolutely true.  Note, however, that they don't have to refrain from
rejecting on SPF "Fail" for _all_ the mail they receive, but just for
that received from their configured forwarders.

Er, the whole point was they they can't _tell_ which mail is from
forwarders, 'configured' or otherwise.

Well, maybe that is _your_ point, but reality requires it to be wrong, and 
here's why:

Receivers _must_ know "their" forwarders in order to trust them, otherwise 
everybody could just claim to be a forwarder and abuse the e-mail system.  
This does not apply just to envelope sender forgery, but to any type of 
abuse, which will ultimately have to be translated into reputation for the 
sender.  (In this regard, by the way, subscribing to a forwarding service 
isn't really any different from subscribing to any other type of e-mail 
service such as a mailing list or newsletter.)  If abusers were allowed to 
evade accountability, e.g. for (ab)using any envelope sender whatsoever, 
by just claiming to be forwarders, the system would be guaranteed to die.

Now you could still say that it is practically impossible for receivers to 
know their forwarders, but the logical consequence of that position would 
be to entirely abolish forwarding as we know it today.  If you want to 
move into that direction, you might want to try getting "551 User not 
local; please try <forward-path>"-style redirecting widely implemented 
(see RFC 2821, section 3.4).  This might actually be worthwile.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCyv5XwL7PKlBZWjsRAqhHAKDlLGSQxYQFfpwS3kTbQLCmt2WypQCgmPZq
0If4PaBlYA19KJBgQK2TlAU=
=v3vg
-----END PGP SIGNATURE-----


<Prev in Thread] Current Thread [Next in Thread>