spf-discuss

[spf-discuss] Re: [srs-discuss] Re: SRS: is there a stable implementation for postfix yet?

2006-03-27 16:00:46
On Mon, 2006-03-27 at 21:19 +0000, Julian Mehnle wrote:
> Are you saying that (1) CSV does things that SPF can't do, or (2) CSV
> without SRS isn't a proper solution to anything either, or (3)
> misdirected bounces are not a problem that requires a solution?

No, CSV doesn't do anything that SPF can't do -- except perhaps for
being compatible with email in the real world. But it doesn't solve any
problems that SPF doesn't; only the one that SPF tries to pretend
doesn't really exist.

And no, neither CSV nor SPF are total solutions to the spam problem,
because each needs to be coupled with some kind of reputation database
for that. CSV and SPF only really offer you a way to authenticate the
entity responsible for sending you the mail -- spammers can get
favourable SPF and CSV results too; that's why you need the database.

I was pointing out that, when all is said and done, SPF and CSV are
fairly much equivalent in what they achieve. It doesn't matter that, as
Stuart points out, they are different namespaces. That doesn't really
affect the _outcome_. You have an authenticated identity to look up in
your reputation database; that's it.

The point is that the host which is _actually_ sending you the mail can
quite happily munge the reverse-path to make it pass SPF -- that's what
SRS is about. But it doesn't have to be SRS -- anyone can do the same
trick just to make it pass SPF, even if they're just generating spam.

Given that any host can rewrite the reverse-path, all you can _really_
do is check how much you trust the individual host (or domain) which
takes responsibility for the mail which you're being offered. SPF is
only a hop-by-hop solution, and doesn't offer end-to-end authentication
_except_ obviously in the case where the transit _is_ only one hop.

So all that SPF really offers you is a way to authenticate the
individual host or domain which is sending you the mail. That's why I
say they're effectively equivalent -- that's all that CSV tries to do,
only CSV is doing it without trying to change the world.

And in answer to your third question -- of _course_ misdirected bounces
are a problem, and you know my solution. I don't see the relevance of
the question in this context though, since SPF and CSV don't even
attempt to address it. They will prevent bounce-spam in a tiny minority
of cases -- but that much would be achieved by _any_ mechanism which
would cause the mail to be rejected up-front instead of being accepted
and then bounced. SpamAssassin probably does more to prevent bounce-spam
than SPF and CSV do.

-- 
dwmw2
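
Added example, not part of the original message: a receiver-side sketch of the hop-by-hop point made above, showing that an SPF pass only yields the domain taking responsibility for the current hop, and that the reputation lookup makes the actual decision. The SPF records, IP addresses, rewritten address, reputation table and the `receiver_decision` policy are all constructed assumptions; only `ip4` and `-all` terms are evaluated and nothing is looked up in DNS.

```python
import ipaddress

# Constructed data: published SPF policies and the receiver's own
# reputation table. Every domain and address here is an example value.
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 -all",
    "forwarder.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "bulk.example": "v=spf1 ip4:203.0.113.0/24 -all",
}
REPUTATION = {"example.org": "good", "forwarder.example": "good",
              "bulk.example": "bad"}


def check_spf(client_ip, reverse_path):
    """Return (result, domain) for the MAIL FROM identity of this one hop."""
    domain = reverse_path.rsplit("@", 1)[-1].lower()
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none", domain
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:]):
            return "pass", domain
        if term == "-all":
            return "fail", domain
    return "neutral", domain


def receiver_decision(client_ip, reverse_path):
    """Hypothetical policy: SPF supplies an identity, reputation judges it."""
    result, domain = check_spf(client_ip, reverse_path)
    if result == "fail":
        return "reject", domain
    if result != "pass":
        return "no-authenticated-identity", domain
    verdict = REPUTATION.get(domain, "unknown")
    if verdict == "good":
        return "accept", domain
    return ("reject" if verdict == "bad" else "defer-to-content-filter"), domain


if __name__ == "__main__":
    cases = [
        ("direct", "192.0.2.10", "alice@example.org"),
        ("forwarded, path unchanged", "198.51.100.7", "alice@example.org"),
        # Constructed SRS-style address; its hash field is not validated here.
        ("forwarded, path rewritten", "198.51.100.7",
         "SRS0=abcd=ZZ=example.org=alice@forwarder.example"),
        ("SPF pass, bad reputation", "203.0.113.5", "offers@bulk.example"),
    ]
    for label, ip, path in cases:
        print(f"{label:28} -> {receiver_decision(ip, path)}")
```

In the rewritten case the identity that passes is `forwarder.example`, not the original author's domain, and in the last case a passing SPF result is still rejected on reputation.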
