spf-discuss

Re: [spf-discuss] Re: Fw: SRS vs BATV

2006-02-16 20:57:09
On Fri, Feb 17, 2006 at 03:47:26PM +1300, Craig Whitmore wrote:

> My thoughts on this are.. if someone sends from an email address it HAS to
> be valid (or how do you ever bounce back to it?)

Maybe you could restate that..  I think your wording confuses
the multiple types of "from"s, and you're also using "valid"
as a noun instead of an adjective, (which leads to the question "it has
to be a valid what?"), so your claim is a bit nebulous.

However, I would agree to the extent that an address used as an argument
to a non-null MAIL FROM should be a valid address for bounces.

Or to be clearer, I would claim that:

1.   Non-Null MAIL FROM addresses must be valid addresses to send bounce
     messages to.

2a.  Non-Null MAIL FROM addresses may or may not be valid addresses to send
     non-bounce messages to.

2b.  Valid addresses to send non-bounce messages to may or may not be
     valid addresses to send bounce messages to.

3.  Various addresses that are found in body headers may or may not
    be valid addresses for bounces.

(I'm ignoring side issues such as other forgery checks and
timeout/denial-of-service type checks.)

So in other words, I think it's perfectly valid to have a system in
which:

1.  "user@example.com" is a valid address for non-bounce messages but
    not bounce messages, while
2.  "34759127591@example.com" is a valid address for bounce messages
    but not non-bounce messages, and
3.  "user@example.com"'s emails are sent with
    "MAIL FROM:<34759127591@example.com>", with "user@example.com" as
    a body header FROM.  (Or Sender, Reply-To, etc.)

So in that situation, verifying the "validity" of "user@example.com"
using a bounce test, or verifying the "validity" of "34759127591@example.com"
using a non-bounce test, will return incorrect results.

But verifying that the bounce address could receive bounces, or
verifying that the non-bounce-address could receive non-bounces, are
both more likely to be valid.  (Or at least, they shouldn't give false
negatives.)

-- 
Mark Shewmaker
mark(_at_)primefactor(_dot_)com
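
The address split described in the message above, as an added example that is not part of the original post: a receiving system that accepts a recipient depending on whether the envelope sender is null (a bounce) or not, probed with both kinds of test. The HMAC derivation of the numeric bounce address, the key, and the name probe@verifier.example are assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"      # constructed value, not a real key
DOMAIN = "example.com"
USERS = {"user"}                      # local parts that accept ordinary mail


def bounce_address(user: str) -> str:
    """Numeric bounce-only address for a user (hypothetical derivation)."""
    digest = hmac.new(SECRET, user.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:5], 'big')}@{DOMAIN}"


def accepts_bounces(rcpt: str) -> bool:
    """True only for an address this system issued as a bounce address."""
    return any(hmac.compare_digest(rcpt.encode(), bounce_address(u).encode())
               for u in USERS)


def accepts_non_bounces(rcpt: str) -> bool:
    """True only for an ordinary user mailbox."""
    local, _, domain = rcpt.rpartition("@")
    return domain == DOMAIN and local in USERS


def rcpt_reply(mail_from: str, rcpt: str) -> int:
    """SMTP reply code for RCPT TO, given the envelope sender.

    An empty mail_from stands for the null reverse-path MAIL FROM:<>,
    which is how bounces are sent.
    """
    ok = accepts_bounces(rcpt) if mail_from == "" else accepts_non_bounces(rcpt)
    return 250 if ok else 550


def check_matrix() -> dict:
    """Probe the header address and the envelope address with both tests."""
    targets = {"header": "user@example.com", "envelope": bounce_address("user")}
    probes = {"bounce": "", "non-bounce": "probe@verifier.example"}
    return {(name, kind): rcpt_reply(sender, addr)
            for name, addr in targets.items()
            for kind, sender in probes.items()}


if __name__ == "__main__":
    for key, code in check_matrix().items():
        print(key, code)
```

Each address answers 250 only to the matching kind of test; the mismatched probes get 550 even though both addresses are in use.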
