-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Wayne Schlitt wrote:
I would like to generate a list of all cases where the re-use [of SPFv1
records for PRA checking] is an actual problem. While I'm not concerned
if the cases meet MS's definition of "significant", I am very interested
in actual data on the size of the problem. Where, "size" could be the
percentage of email or the number of domains, or whatever.
The re-use issue has two dimensions: a theoretical one and a practical one,
so I'm giving a theoretical and a practical answer.
In theory, PRA checking extends SPF's forwarding problem from the envelope
sender to the message headers. That is, forwarders need to re-write the
identity being checked (envelope or header), and many don't.
The re-use problem is particularly delicate because many forms of
forwarding are done solely at the MTA level, without messages technically
leaving the transport system (i.e. being "re-sent"). According to RFC
2822, section 3.6.6, "Resent-*:" headers must be added only when a message
is reintroduced into the transport system. This means that for some types
or forwarding, forwarders are -- by design! -- not required by the RFCs to
add "Resent-*:" headers even when the PRA algorithm technically requires
it.
Yes, the same could be said of MAIL FROM checking with regard to envelope
sender rewriting. However, the concept of MAIL FROM ambiguously denoting
both the sending mailbox and the mailbox where bounces should go seems to
be much less entrenched than the concept of not having to add "Sender:" or
"Resent-*:" headers when doing alias-style forwarding. Also, right now,
support for envelope sender rewriting seems to be much better deployed
than for header rewriting.
Which brings us to the practical dimension.
In order to gather reliable numbers, we need access to an at least semi-
representative mail stream. (Personally, I don't have one.) We might
even want to institutionalize this kind of statistics gathering.
It would be great if we could get a number of sites that handle large mail
volumes to implement a common interface for anonymized/pseudonymized
statistics gathering.
With regard to examining the "v=spf1 re-use for PRA" issue, we need to know
about:
* the sending IP address,
* the MAIL FROM and HELO domains,
* the From:, Sender:, Resent-From:, and Resent-Sender: headers,
* all the Received: headers, if at all possible, and
* all the other headers (except for Subject: perhaps), if possible.
The above information would have to be processed MTA-side and then
aggregated and anonymized/pseudonymized before it is published.
Comments?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFC4UpFwL7PKlBZWjsRAgX7AKCkL6q+o6Ox2gT8nrXy0afH7vzSHgCg/nGI
VWdTCDgNIAAew0O5QvnmjsE=
=9MEk
-----END PGP SIGNATURE-----