spf-discuss

Re: [OT]Calling Hector Santos

2005-08-25 11:58:21
Hector Santos wrote:
----- Original Message ----- From: "Daniel Taylor" <dtaylor(_at_)vocalabs(_dot_)com>

Hardly. Neutral is for "this is probably from me". "?all" is only a valid thing to say if you have absolutely no control over your domain, because that is exactly what it says.


I understand all that. I guess I am on record as being totally against relaxed 
policies.  All it does is give spammers loopholes to work with, put more 
pressure on receivers and give the Crockers and Levines of the world more 
ammunition to bash SPF.


Welcome to the real world, we ain't even close yet.
We've barely even started.


The real world is based on living with some trust.  The FedEx man knocks on my door. I see the 
truck, I see the badge, I use the signal pad, etc., etc.  I don't expect him to walk away 
and turn around and tell me "Oh by the way, I fooled you!"

If one wants to live in a world that is totally untrustworthy, that ain't for me. Especially 
when it comes to software and protocols. This is all based on trust. You use something 
because you trust it. You trust its behavior. You really don't expect it to do harm to you. 
So in the same vein, I don't expect owners of SPF Domains to be sending from Neutral 
Machines. It doesn't make sense to me because it has no value.
Sure, it is probably better than nothing. Sure, it might feed some spam scorer, but the 
Real Person (owner) has now just put itself into a "rejection" potential.

Consider this:

    SPAM CONTENT = LOW    SPF=NEUTRAL  SENDER=REAL OWNER
    SPAM CONTENT = HIGH   SPF=NEUTRAL  SENDER=NON-REAL OWNER

What does that tell you?

It tells you only one thing: the Sender's machine has the POTENTIAL of being 
exploited, and because the idea of SPAM-CONTENT is so subjective, the REAL OWNER is now 
at risk.

So it doesn't make sense to me.  Sorry :-)

On a related note, what DKIM has the potential to offer is to help in these 
situations, because there could only be one result:

    DKIM  = VALID   SPF=NEUTRAL  SENDER=REAL OWNER
    DKIM  = VALID   SPF=NEUTRAL  SENDER=NON-REAL OWNER

If DKIM was invalid for any, then INVALID + NEUTRAL is an automatic rejection.

In addition, for DKIM=VALID, this will tell me that the REAL OWNER has allowed 
a 3rd party SIGNER, and the DKIM REAL OWNER SENDER SIGNING POLICY had better reflect 
that (allow 3rd party).   If it doesn't, then the second transaction is an 
automatic rejection.

The point here is that there is less fuzziness.  If the real owner is going to 
use neutral, then he needs something else to remove the ambiguity and loss of 
trust.


I agree with that. That's part of why I'm being so pointed on the DKIM mailing list.

Well, the problem is that people want to build automatic name-based blacklists based on SPF results. That's a risk I don't care to take. Instead, I depend on people following the spec:

http://www.schlitt.net/spf/spf_classic/draft-schlitt-spf-classic-02.html#anchor8

"A "Neutral" result MUST be treated exactly like the "None" result" - that's about the one piece of receiver policy that didn't get killed.

Before people who don't run their own mail servers can do what you want, the industry will have to change.

Scott K
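The thread argues over what a receiver should do with an SPF "neutral" result, and whether a DKIM signature can remove that ambiguity. The following is an added example written for this page (it is not code from either poster, nor from any SPF implementation). It evaluates a constructed SPF record for the `ip4`, `ip6` and `all` mechanisms only, so it runs offline without DNS, and then shows two receiver rules side by side: the draft's rule that neutral is treated exactly like none, and a model of the combined SPF+DKIM rule Hector sketches above. The record strings, IP addresses, domain names and the `proposed_action` parameters are assumptions constructed for illustration.

```python
import ipaddress

# Qualifier prefix on an SPF mechanism -> result it yields when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Evaluate a (constructed) SPF TXT record for client_ip.

    Only ip4, ip6 and all are supported; modifiers (redirect=, exp=) are
    skipped and any DNS-requiring mechanism (a, mx, include, ...) yields
    'permerror' so the toy evaluator never silently guesses.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no SPF record at all
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        if "=" in term:
            continue  # modifier, out of scope here
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            # This is where "-all" vs "?all" decides the result for unlisted hosts.
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        return "permerror"  # mechanism this example does not implement
    # No mechanism matched and no "all" present: the record says nothing, i.e. neutral.
    return "neutral"


def spec_action(spf_result):
    """Receiver handling following the draft quoted in the thread:
    'neutral' is treated exactly like 'none' (no information about the sender)."""
    if spf_result == "fail":
        return "reject"
    if spf_result == "softfail":
        return "accept-mark"
    if spf_result == "temperror":
        return "defer"
    if spf_result == "pass":
        return "accept"
    return "accept-no-spf-info"  # neutral, none, permerror: nothing to act on


def proposed_action(spf_result, dkim_result, sender_domain, signer_domain,
                    owner_allows_third_party):
    """Model (not a standard) of the combined rule argued for above:
    DKIM invalid + SPF neutral is an automatic rejection; DKIM valid + SPF neutral
    is accepted only if the signer is the sender domain itself or the owner's
    signing policy allows a 3rd-party signer."""
    if spf_result != "neutral":
        return spec_action(spf_result)
    if dkim_result != "valid":
        return "reject"
    if signer_domain == sender_domain or owner_allows_third_party:
        return "accept"
    return "reject"


if __name__ == "__main__":
    strict = "v=spf1 ip4:192.0.2.0/24 -all"   # constructed record
    relaxed = "v=spf1 ip4:192.0.2.0/24 ?all"  # constructed record
    for rec in (strict, relaxed):
        for ip in ("192.0.2.10", "198.51.100.7"):
            r = evaluate_spf(rec, ip)
            print(f"{rec!r} from {ip}: spf={r} spec={spec_action(r)} "
                  f"proposed={proposed_action(r, 'invalid', 'example.com', 'example.com', False)}")
```

Running the block shows the practical difference the posters are arguing about: with `-all`, an unlisted host gets `fail` and is rejected under either rule, whereas with `?all` the same host gets `neutral`, which the draft rule must treat as no information, while the proposed rule rejects it unless a valid DKIM signature from an allowed signer is present.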

