spf-discuss

RE: [spf-discuss] Can this really be true?

2005-09-25 03:47:21
From: Dick St.Peters [mailto:stpeters@NetHeaven.com]
Sent: Saturday, September 24, 2005 9:03 PM

<...>

Actually, I take that back.  What matters is that spam not be sent.
How an ISP accomplishes that does not matter except to the ISP and its
users.  Can we agree on that much?

At the end of the day, that's most of what everyone cares about.  But for
large ISPs, policing the users is a major task.  One of the things that
makes spamming a good business is that you can easily impersonate any
desired identity.  That can be stopped by enforcing submission rights.
Though you could do this with POP before SMTP, it is much more practical
with SMTP-AUTH since other ISPs don't block authenticated submission ports.
Not that Exim is the last word in MTAs, but the default setup in the
current version is that the return-path has to match the authenticated
identity and if the From: header does not, it actually adds a Sender: that
does match.  I'm not suggesting that most sites use it that way, but the
fact that those are the defaults does make a statement.

The return-path part of that policy is exactly what SPF is designed to
accomplish.  In fact if everyone enforced submission rights this way, there
would be no need for SPF.  This doesn't stop anyone from spamming, just as
SPF doesn't.  What it does prevent is someone spamming and claiming to be
billing@ebay.com or president@whitehouse.gov.  Their phish would not be very
effective if the From: address was hsmith@comcast.net.  Thus, while
enforcing submission rights at an MSA and checking SPF at the receiving MTA
does not prevent spamming, those policies make it a lot harder to make a
living at spamming and a lot easier to identify who sent a given piece of
spam.  Enforcing submission rights and publishing definitive SPF records go
hand in hand.

Mail providers still have to police their users if they don't want to get a
reputation like MSN.  While that's arguably easier when the originator
headers are known to be accurate compared to figuring out who had a given IP
at a given time, the main benefit is making a given mail account useless as
a place from which to send phishes.


--

Seth Goodman
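An added example (not code from the original post, and not Exim's own implementation) showing the two checks discussed in the message above as Python: the MSA submission-rights policy (return-path must equal the authenticated identity; a Sender: header is added when From: differs) and a minimal SPF evaluation at the receiving MTA. The function names, the `records` dictionary that stands in for DNS TXT lookups, and the ip4 ranges (RFC 5737 documentation space) are assumptions constructed for the example; the ebay.com and comcast.net addresses are the ones the post uses.

```python
import ipaddress
from email.utils import parseaddr


def normalize(addr: str) -> str:
    """Extract the bare address from 'Name <user@host>' forms and lowercase it."""
    return parseaddr(addr)[1].lower()


def msa_submission_policy(auth_identity: str, return_path: str, from_header: str) -> dict:
    """Model of the submission-rights policy described in the post (hypothetical name).

    The envelope return-path must equal the SMTP-AUTH identity, otherwise the
    submission is rejected.  If the From: header names a different address, a
    Sender: header carrying the authenticated identity is added so the true
    submitter stays visible.  Null return-paths (bounces) are not modelled here.
    """
    auth = auth_identity.lower()
    rp = normalize(return_path)
    if rp != auth:
        return {"action": "reject",
                "reason": f"return-path {rp!r} does not match authenticated identity {auth!r}"}
    headers = {"From": from_header}
    if normalize(from_header) != auth:
        headers["Sender"] = auth
    return {"action": "accept", "headers": headers}


# Constructed stand-in for DNS TXT lookups of SPF records (assumption, not real data).
SPF_RECORDS = {
    "ebay.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "comcast.net": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
}

_QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(client_ip: str, mail_from_domain: str, records: dict = SPF_RECORDS) -> str:
    """Minimal SPF evaluator for a receiving MTA (hypothetical name).

    Supports only ip4/ip6 mechanisms and 'all' with the four qualifiers; a
    full implementation would also resolve a, mx, include and redirect.
    Returns one of: none, pass, fail, softfail, neutral.
    """
    record = records.get(mail_from_domain.lower())
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in _QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return _QUALIFIER_RESULT[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            # ip_network returns False for a version mismatch, so ip4 never matches an IPv6 client.
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return _QUALIFIER_RESULT[qualifier]
    # Record ended without an 'all' term: default result is neutral.
    return "neutral"


if __name__ == "__main__":
    # A comcast.net user trying to send with an ebay.com return-path is refused at the MSA.
    print(msa_submission_policy("hsmith@comcast.net", "<billing@ebay.com>", "Billing <billing@ebay.com>"))
    # The same user with a matching return-path but a forged From: gets a Sender: header added.
    print(msa_submission_policy("hsmith@comcast.net", "<hsmith@comcast.net>", "Billing <billing@ebay.com>"))
    # At the receiving MTA, mail claiming ebay.com from outside its published range fails SPF.
    print(spf_check("203.0.113.5", "ebay.com"))
```

The two functions sit at opposite ends of the path the post describes: the MSA check runs where the user authenticates, the SPF check runs where the mail is received, and a domain that publishes a definitive `-all` record only gets the full benefit when its own MSA refuses to let users submit with someone else's return-path.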

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/