spf-discuss

Re: [spf-discuss] Re: Fw: SRS vs BATV

2006-02-16 23:12:51
Mark Shewmaker <mark(_at_)primefactor(_dot_)com> writes:

On Thu, Feb 16, 2006 at 08:06:26PM -0800, william(at)elan.net wrote:

It's something that's been bugging me in this thread, and unfortunately
it rather confuses the issue a bit as far as how you can reliably know
when you should be able to verify non-bounce addresses:

I, too, find this thread very confusing.  I think part of the
confusion comes from the idea of CBV's on a 2822 address.  I was
assuming CBV always applied to the envelope sender.  To me, 2822 CBVs
don't make sense for a number of reasons:

  - It seems like you can easily cause CBV loops this way.

  - A 2822 address is much more expensive to do CBV on, since you have
    to get the whole message first.

  - A 2822 address is much more awkward to do CBV on, since you may
    have multiple RCPT TO: commands.  For example, if you have an
    address help(_at_)whatever for customers having problems with DNS or
    sendmail, you had better accept mail without CBVs since it may
    come from customers complaining they can't get mail.  Other
    addresses like webmaster(_at_)whatever probably do want the CBV
    protection.

  - Finally, it has always struck me as totally legitimate to send
    mail that people aren't supposed to reply to--but not that they
    can't bounce to.  I've gotten many messages from legitimate
    institutions, like banks and web sites, from non-repliable
    addresses.  Just today I got a release announcement from 822
    From: address noreply(_at_)freshmeat(_dot_)net--seems fine to me.

Just as an address might be valid for 2821 MAIL FROM but not for 2822
body-header From, and vice versa--and folks wanting to use SES/BATV/VERP
type schemes find a use for that difference in what's valid where--I'm
wondering if what shows up as, say, a PRA (or Reply-To:) should always
be considered valid for a non-bounce RCPT TO:.

For instance, given a 2821 SUBMITTER, 2822 Reply-To:, 2822-ish/SenderID
PRA...should any of those things really in particular be assumed to
have to be valid arguments of a RCPT-TO: for non-bounce messages?  (And
are there good hard and fast rules you can use to figure out what REALLY
should pass non-bounce tests?)

I brought this up on the MARID mailing list as a potential problem
with Sender-ID.  The responses seemed pretty unanimous that the PRA
does *not* have to be a legitimate address and that this is fine.
"local(_at_)com" is a perfectly legitimate PRA, at least for Sender-ID.  Of
course, this is one thing that makes me like SPF more than Sender-ID.
I believe if you are sending mail, even if you don't want replies, you
should still accept bounces.  So SPF is ideally always authenticating
a real mailbox.

If SPF ever got very widely deployed (>>50% of sites with "~all" or
"-all" records), CBV + SPF + BATV would actually let you hold some
domain responsible for any piece of spam.  Assuming the bad guys
didn't guess your BATV address to send you a fake "Mail From:<>"
message, any spam would come from the spammer's domain, or from
someone who was negligent in not setting up a sufficiently restrictive
SPF record.  At least today, it's probably harder for spammers to
respond to CBVs than to send mail, because I would imagine a
reasonable fraction of nodes in botnets are behind NATs and firewalls.

David

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
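
The point in the message above that a spammer would have to guess your BATV address before a fake `MAIL FROM:<>` message gets through can be seen in a short added example (not part of the original post or of any project's code). It assumes the `prvs=KDDDSSSSSS=local@domain` tag layout described in the BATV draft, a constructed key and a 7-day lifetime; the function names are hypothetical.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed secret; a real site keeps its own private
KEY_ID = 0                     # K: single key-number digit
LIFETIME_DAYS = 7              # assumed window during which bounces are accepted


def _mac(expiry: str, address: str) -> str:
    """SSSSSS: first 3 bytes (6 hex digits) of HMAC-SHA1 over K, DDD and the address."""
    msg = f"{KEY_ID}{expiry}{address}".encode()
    return hmac.new(KEY, msg, hashlib.sha1).hexdigest()[:6]


def sign(address: str, today: int) -> str:
    """Tag an outgoing envelope sender; `today` is days since the Unix epoch."""
    expiry = f"{(today + LIFETIME_DAYS) % 1000:03d}"  # DDD: expiry day modulo 1000
    local, domain = address.rsplit("@", 1)
    return f"prvs={KEY_ID}{expiry}{_mac(expiry, address)}={local}@{domain}"


def accept_rcpt(mail_from: str, rcpt: str, today: int) -> bool:
    """RCPT-time decision for one recipient of one SMTP transaction."""
    if mail_from != "":
        return True   # not a bounce, so the tag check does not apply
    local, _, domain = rcpt.rpartition("@")
    if not local.startswith("prvs=") or local.count("=") < 2:
        return False  # null sender to an untagged address: we never sent from it
    _, tag, orig_local = local.split("=", 2)
    if len(tag) != 10 or not tag[:4].isdigit() or int(tag[0]) != KEY_ID:
        return False
    expiry = tag[1:4]
    if (int(expiry) - today) % 1000 > LIFETIME_DAYS:
        return False  # tag has expired (or claims a date too far ahead)
    expected = _mac(expiry, f"{orig_local}@{domain}")
    # Constant-time compare; the 24-bit MAC is what a forger would have to guess.
    return hmac.compare_digest(tag[4:].lower().encode(), expected.encode())
```
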
