On Sun, 25 Sep 2005 15:52:30 +0200 Alex van den Bogaerdt
<alex(_at_)ergens(_dot_)op(_dot_)het(_dot_)net> wrote:
On Sun, Sep 25, 2005
Do we really care?
It doesn't matter if it is the user itself or a zombie. That machine is
the spam source/is relaying spam. That machine should be taken out of the
network/be isolated.
This is both valid from an SPF standpoint and from an anti-spam standpoint.
I am not defending ISPs that do not combat these kinds of users. However, there
is, IMHO, no need for an ISP to use password based authentication if they are
doing source address based authorization (PVC, ip address, whatever).
Am I wrong?
No, but from an SPF/anti-forgery question it does matter if the ISP permits use
of an arbitrary Mail From.
If Mail From is the ISP domain, then network based access controls and
active management should be sufficient relative to domain based
anti-forgery technologies. If Mail From is not from the ISP domain, then
if the ISP is going to prevent cross-user forgery more is necessary.
It would require both technical measures to limit use of arbitrary Mail
From and administrative processes to determine if a user should be allowed
to send using a particular Mail From. I expect it's the latter that stops
most ISPs.
Scott K
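
The following is an added example, not part of the original message: a sketch of the two pieces the reply describes for an ISP that authorizes by source address, a technical check on MAIL FROM and an administratively maintained list of approved non-ISP domains. The domain names, customer IDs and address ranges are constructed placeholders.

```python
import ipaddress

# Constructed sample data: hypothetical ISP, documentation address ranges.
ISP_DOMAIN = "isp.example"
CUSTOMER_NETS = {
    "cust-1001": ipaddress.ip_network("192.0.2.16/29"),
    "cust-1002": ipaddress.ip_network("198.51.100.40/32"),
}
# Administrative side: non-ISP sender domains approved per customer.
APPROVED_DOMAINS = {
    "cust-1001": {"smallbiz.example"},
}


def identify_customer(client_ip):
    """Map the connecting address to a customer, or None if it is not ours."""
    addr = ipaddress.ip_address(client_ip)
    for customer, net in CUSTOMER_NETS.items():
        if addr in net:
            return customer
    return None


def check_mail_from(client_ip, mail_from):
    """Return (accept, reason) for a MAIL FROM seen on the ISP's relay."""
    customer = identify_customer(client_ip)
    if customer is None:
        return False, "source address not assigned to a customer"
    path = mail_from.strip().strip("<>")
    if path == "":
        # Null reverse-path is used for bounces and must stay usable.
        return True, "null reverse-path"
    local, at, domain = path.rpartition("@")
    domain = domain.rstrip(".").lower()
    if not at or not local or not domain:
        return False, "malformed reverse-path"
    if domain == ISP_DOMAIN:
        # Network based access control is the authorization here.
        return True, "ISP domain, authorized by source address"
    if domain in APPROVED_DOMAINS.get(customer, set()):
        return True, "domain approved for " + customer
    return False, "domain not approved for " + customer


if __name__ == "__main__":
    print(check_mail_from("192.0.2.17", "<sales@smallbiz.example>"))
    print(check_mail_from("198.51.100.40", "<sales@smallbiz.example>"))
```
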