From: Stuart D. Gathman [mailto:stuart(_at_)bmsi(_dot_)com]
Sent: Thursday, September 08, 2005 1:45 PM
<...>
I use DNSMadeEasy for lots of services - good company. But last
I checked,
they still don't actively prevent cross customer forgery with their
SMTP-AUTH service. It's the usual passive "if someone complains, we'll
investigate and maybe kick them off" approach.
I only use DNS services from DNSMadeEasy, so I didn't know about that
problem.
I use Interland for mail services and they apparently do check for
cross-customer forgery. I just tried sending a message with
xyz(_at_)GoodmanAssociates(_dot_)com for MAIL FROM after authenticating to the
MTA as
sethg(_at_)GoodmanAssociates(_dot_)com (my real email address). The MTA
refused to
send the message, giving the following error message:
553 Authentication is required to send mail as
<xyz(_at_)GoodmanAssociates(_dot_)com>
Finally, somebody is getting it! Looking at their most recent customer
instructions for setting up an MUA, they only give the setup for SMTP-AUTH.
It appears all their new customers must use that system. I don't know if
they still support POP before SMTP, but with outbound port 25 blocking
becoming the norm, that is becoming a moot issue. This is a very large
hosting company. If they can switch their large customer base to SMTP-AUTH
and refuse to send mail from anything but your authenticated identity, there
is little excuse for smaller companies not to follow suit. Maybe the time
is right to start pressuring providers to provide SMTP-AUTH and enforce
submission rights. This would help adoption of SPF greatly.
--
Seth Goodman
-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com