spf-discuss

Re: Forwarding/Redirecting: The problem as I see it....

2005-07-06 14:29:52
On Wed, 6 Jul 2005, David Woodhouse wrote:

> On Wed, 2005-07-06 at 15:50 -0400, Stuart D. Gathman wrote:
> > BATV and SES are great too.  I use SES to block forged bounces.  I don't
> > currently use them for authentication because of the replay problem, but I
> > am open to solutions (like message body hashes), and have spent time on the
> > SES project.
>
> I'm confused by that. There are a large number of people who won't use
> SPF because of false rejections caused by the forwarding problem. Many
> many recipients won't ever use SPF. Yet you think the vanishingly small
> chance of a signed reverse-path being harvested is _more_ relevant?

A harvested reverse-path is only marginally useful for current bulk
spamming practice.  However, it is extremely useful for someone who
wants to impersonate me.  That is why BATV and (original) SES are 
great for blocking forged mail, but no good for authentication.

In other words, I don't want someone to get an email ostensibly from
me with a signed header that says it is really from my server, but
in reality it is not me, but anyone who got an email from me in the
last few hours, or controls a zombie that got such an email.

So I *would* use BATV/SES in a negative mode:

"v=spf1 a mx -exists:_not_ses.mydomain.com ?include:roamingisp.com -all"

That would say that mail from roamingisp.com *might* be from me, but
not if it doesn't have a proper signature.

But I would not use them in a positive mode:

"v=spf1 a mx +exists:_not_ses.mydomain.com -all" # don't like this

Because I want my PASS to be a pretty strong assertion.  Forging an 
SPF PASS email from me should be at least as hard as spoofing an IP
address.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
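To see what the two records in the post actually do, here is a small SPF evaluator written for this page (not code from the post or from any SPF/SES project). It supports only the mechanisms the records use, runs against a constructed fake DNS table, and models the exists zones as predicates over the reverse path (an assumption: SES drives such a zone through SPF macros on the sender); the `_ses` zone and the `SES=` tag layout are constructed counterparts used only to model the "positive mode" case.

```python
import re

# Constructed example data (not from the post): mydomain.com's A and MX hosts,
# the roaming ISP's MX, and the ISP's SPF record, all in a fake DNS table.
MYDOMAIN = "mydomain.com"
FAKE_DNS = {
    ("a", "mydomain.com"): ["192.0.2.10"],
    ("mx", "mydomain.com"): ["192.0.2.20"],
    ("mx", "roamingisp.com"): ["198.51.100.5"],
    ("txt", "roamingisp.com"): "v=spf1 mx -all",
}
# Constructed SES-style tag on the local part. A real SES zone would verify an
# HMAC and timestamp; here mere presence of the tag stands in for a valid one.
SES_TAG = re.compile(r"^SES=[0-9a-f]{8}=")

def is_ses_signed(sender):
    return SES_TAG.match(sender.split("@", 1)[0]) is not None

# exists zones as predicates over the reverse path (assumption: keyed on the
# sender via macros). _ses is the constructed inverse of the post's _not_ses.
EXISTS_ZONES = {
    "_not_ses.mydomain.com": lambda sender: not is_ses_signed(sender),
    "_ses.mydomain.com": is_ses_signed,
}
QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, ip, sender, domain=MYDOMAIN):
    """Evaluate a v=spf1 record (a, mx, exists, include, all only) for one
    connection; returns the SPF result of the first matching mechanism."""
    terms = record.split()
    assert terms[0] == "v=spf1", "not an SPF record"
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUAL:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech in ("a", "mx"):
            matched = ip in FAKE_DNS.get((mech, arg or domain), [])
        elif mech == "exists":
            matched = EXISTS_ZONES[arg](sender)
        elif mech == "include":  # include matches only on a PASS of the other record
            matched = check_spf(FAKE_DNS[("txt", arg)], ip, sender, arg) == "pass"
        else:
            raise ValueError("unsupported mechanism: " + mech)
        if matched:
            return QUAL[qual]
    return "neutral"  # fell off the end of the record

NEGATIVE = "v=spf1 a mx -exists:_not_ses.mydomain.com ?include:roamingisp.com -all"
POSITIVE = "v=spf1 a mx +exists:_ses.mydomain.com -all"  # constructed counterpart
```

With the negative record, a signed reverse path replayed from an unrelated host (a zombie, in the post's terms) gets Fail and one sent through the roaming ISP gets only Neutral, whereas the positive record hands the replayed signature a full Pass.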

