spf-discuss

Re: [OT]Calling Hector Santos

2005-08-25 12:08:30
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hector Santos wrote:
> ----- Original Message ----- 
> From: "Daniel Taylor" <dtaylor(_at_)vocalabs(_dot_)com>
>
> > Hardly. Neutral is for "this is probably from me". "?all"
> > is only a valid thing to say if you have absolutely
> > no control over your domain, because that is exactly
> > what it says.


> I understand all that. I guess I am on record as being totally against
> relaxed policies.  All it does is give spammers loopholes to work with, puts
> more pressure on receivers and gives the Crockers and Levines of the world
> more ammunition to bash SPF.

I favor strict policies myself.
It just has to be understood that a strict policy
isn't always possible due to constraints outside the
system.

> > Welcome to the real world, we ain't even close yet.
> > We've barely even started.


> The real world is based on living with some trust.  The FedEx man knocks on my
> door. I see the truck, I see the badge, I use the signature pad, etc., etc.  I
> don't expect him to walk away and turn around and tell me "Oh by the way, I
> fooled you!"

FedEx man won't tell you if you've been had, you will just have
some bogus (and probably malevolent) package in your hand.

> If one wants to live in a world that is totally untrustworthy, that ain't
> for me.  Especially when it comes to software and protocols.  This is all
> based on trust.  You use something because you trust it.  You trust its
> behavior.  You really don't expect it to do harm to you.  So in the same
> vein, I don't expect owners of SPF Domains to be sending from Neutral
> Machines.  It doesn't make sense to me because it has no value.

What did you expect Neutral was for?!
Just because AOL uses it for softfail doesn't mean that
is its purpose. Sometimes you simply cannot make the
level of assurance other people would like.


> Sure, it is probably better than nothing. Sure, it might feed some spam
> scorer, but the Real Person (owner) has now just put itself into a
> "rejection" potential.
>
> Consider this:
>
>     SPAM CONTENT = LOW    SPF=NEUTRAL  SENDER=REAL OWNER
>     SPAM CONTENT = HIGH   SPF=NEUTRAL  SENDER=NON-REAL OWNER
>
> What does that tell you?

That some domain owner is going to be looking for a new hosting
provider real soon now.

> It tells you only one thing: the Sender's machine has the POTENTIAL of being
> exploited and the idea of SPAM-CONTENT is so subjective, the REAL OWNER is
> now at risk.

It is an assessment of risk. If the risk of forgery is
higher than the domain owner is willing to _trust_ with
a pass result, they are going to let you know by assigning
a neutral result.

> So it doesn't make sense to me.  Sorry :-)

The real world isn't black and white, not even in the digital
world. You have to take what you can get and make the best
of it you can.

> On a related note, what DKIM has the potential to offer is to help in these
> situations, because there could only be one result:
>
>     DKIM  = VALID   SPF=NEUTRAL  SENDER=REAL OWNER
>     DKIM  = VALID   SPF=NEUTRAL  SENDER=NON-REAL OWNER
>
> If DKIM was invalid for any, then INVALID + NEUTRAL is an automatic rejection.
>
> In addition, for DKIM=VALID, this will tell me that the REAL OWNER has
> allowed a 3rd party SIGNER and the DKIM REAL OWNER SENDER SIGNING POLICY
> better reflect that (allow 3rd party).   If it doesn't, then the second
> transaction is an automatic rejection.
>
> The point here is that there is less fuzziness.  If the real owner is going
> to use neutral, then he needs something else to remove the ambiguity and loss
> of trust.


You want less fuzziness, use GPG/PGP signing.

Doesn't just validate the source, also validates the message.
I use GPG, yet I still see value in even fuzzy SPF results.
More so than DKIM, because SPF is easier to deploy both on the
receiver and sender sides, so it gets deployed by more sites.

DKIM is still too ambiguous and difficult to deploy to really
be a viable alternative in my world.

- --
Daniel Taylor          VP Operations            Vocal Laboratories, Inc.
dtaylor(_at_)vocalabs(_dot_)com   http://www.vocalabs.com/        
(952)941-6580x203
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDDhcu8/QSptFdBtURApwAAJ43S1SUIt784AaJrfiETZU+e5DZBACfbnfZ
ejHFCNJ+6xbHTCETEWD5gm4=
=ZqSS
-----END PGP SIGNATURE-----
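Added example, not part of the original message and not code from any SPF or DKIM implementation: a toy evaluator showing why a record ending in "?all" leaves every unlisted host at NEUTRAL (the "?", "~", "-" and "+" qualifiers map to neutral, softfail, fail and pass), followed by the receiver-side combination of SPF and DKIM results that the quoted post proposes (INVALID + NEUTRAL rejects; VALID + NEUTRAL with a third-party signer is accepted only if the owner's signing policy allows it). Assumptions: only ip4/ip6 mechanisms and the terminal "all" are handled (no include, redirect, a or mx), the "sender signing policy" is modelled as a single boolean rather than any published record format, and the records and addresses are constructed test data. One caveat the post does not spell out: a message with no DKIM signature at all is not a broken signature, so it is handed to the content scorer ("score") rather than rejected.

```python
"""Toy SPF evaluator plus the SPF/DKIM combination rule discussed in the thread.

Added example: not code from the original posts nor from any SPF/DKIM library.
Assumptions: only ip4/ip6 mechanisms and the terminal 'all' are supported, and
the DKIM sender signing policy is modelled as one boolean flag.
"""
import ipaddress

# Qualifier -> SPF result; a mechanism written without a qualifier means "+".
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Return pass/fail/softfail/neutral for client_ip against an SPF record.

    Returns "none" if the record is not v=spf1, or if no term matches and
    there is no terminal 'all'. include/redirect/a/mx are deliberately
    unsupported in this toy and raise ValueError.
    """
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            # Terminal mechanism: "?all" is what makes every unlisted host NEUTRAL.
            return QUALIFIER_RESULT[qualifier]
        if name in ("ip4", "ip6"):
            # A v4 address never matches a v6 network (and vice versa); just move on.
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIER_RESULT[qualifier]
            continue
        raise ValueError(f"mechanism {name!r} not supported by this toy evaluator")
    return "none"


def decide(spf_result, dkim_result, dkim_signer, from_domain, policy_allows_third_party):
    """Receiver decision combining SPF and DKIM as the quoted post proposes.

    dkim_result is "valid", "invalid" or "none" (no signature present).
    policy_allows_third_party stands in for the owner's sender signing policy
    (an assumption for this example, not a standardised record).
    Returns "accept", "reject" or "score" (hand to the content filter).
    """
    if spf_result == "pass":
        return "accept"
    if spf_result == "fail":
        return "reject"
    # neutral / softfail / none: SPF says nothing useful, so look at DKIM.
    if dkim_result == "invalid":
        return "reject"           # INVALID + NEUTRAL: automatic rejection
    if dkim_result == "none":
        return "score"            # unsigned is not the same as a broken signature
    if dkim_signer.lower() == from_domain.lower():
        return "accept"           # VALID, signed by the real owner
    # VALID but signed by a third party: only the owner's policy can vouch for that.
    return "accept" if policy_allows_third_party else "reject"


if __name__ == "__main__":
    # Constructed sample data using documentation address ranges.
    record = "v=spf1 ip4:192.0.2.0/24 ?all"
    for ip in ("192.0.2.5", "198.51.100.7"):
        spf = evaluate_spf(record, ip)
        verdict = decide(spf, "valid", "esp.example", "example.com", False)
        print(f"{ip}: spf={spf} dkim=valid signer=esp.example -> {verdict}")
```

Run it as-is to see the listed host pass and the unlisted host land on neutral; with the same "?all" record but "-all" in its place, the second host is rejected at the SPF stage and DKIM is never consulted.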

