David Mazieres (no direct replies) wrote:
I brought this up on the MARID mailing list as a potential
problem with Sender-ID. The responses seemed pretty
unanimous that the PRA does *not* have to be a legitimate
address and that this is fine. "local(_at_)com" is a perfectly
legitimate PRA, at least for Sender-ID.
Oops, that's odd. Ignoring cases where the PRA is the From,
or Resent-From, and to simplify it also ignoring the strange
Resent-Sender (its stangeness is of course no fault of PRA),
what's left is PRA = Sender.
Several RfCs make it clear that receivers should _not_ send
replies to the Sender (unless it happens to be included in
in Reply-To or From), and that auto-replies (incl. bounces)
should go to the Return-Path.
So you're not supposed to use the Sender, unless it's either
the Return-Path, or in the Reply-To, or without Reply-To in
the From. So far we agree...
...BUT that's not the same as saying that the Sender can be
an address that doesn't exist at all. It's just something
that you shouldn't use normally, even not for errors. But
where do you get that it might be completely unusable ?
The typical Sender example is Dave's "secy(_at_)example(_dot_)com".
It's okay if secy@ sends something from author boss(_at_)(_dot_) The
cute secy@ could have a script to handle error messages:
MAIL FROM:<secy-script@>, From: boss@, Sender: secy@
All perfectly normal, and adding Reply-To: sales@ doesn't
change the situation wrt Sender: secy@, that's the PRA in
this example.
But why do you think that secy@ can be invalid ? I vaguely
recall Dave's old RFC (pre-822) with the secy@ example, and
IIRC it clearly said that the Sender is supposed to be a
human (!) responsible for the sending of this mail.
That's a reason why Sender: secy-script@ would be dubious,
secy-script@ is no human, but still okay for the MAIL FROM.
Of course, this is one thing that makes me like SPF more
than Sender-ID. I believe if you are sending mail, even
if you don't want replies, you should still accept bounces.
So SPF is ideally always authenticating a real mailbox.
Indeed. Even if it's an SPF PASS from an unknown spammer
auto-replies incl. bounces won't hit innocent bystanders.
With a PRA PASS from an unknown spammer there's nothing you
can do with it, a PRA PASS without white list is completely
useless. And it's simple to play games with Resent-Sender
to get a PRA PASS "from" say PayPal. Until most MUAs are
updated to support PRA. Damned crazy FUSSP :-( Bye, Frank
-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com