On Tue, Sep 19, 2006 at 08:33:42PM +0000, Julian Mehnle wrote:
This is the same attitude as when people saying "the message was SPF
authorized but it is still spam". Wrong conclusions drawn because of
wrong anticipations.
SPF isn't about spam, it's about envelope sender forgery. If "Pass"
doesn't mean "the envelope sender is not forged in all conscience" and
"Neutral" doesn't mean "the envelope sender may or may not be forged, but
don't treat the message differently from a non-SPF-protected one" -- i.e.
if "authorized" doesn't exactly mean "not forged" -- then what's the
point?
SPF is about authorization. You are talking about authentication.
Authorization and authentication are two different things. Related: yes,
the same: no. Mix 'em up and you'll make it difficult to understand.
I think the RFC is pretty clear on what SPF is and does. Why suddenly
change the semantics? I thought we had passed that stage already.
With SPF you make a statement about a host, not about messages relayed
through that host. It says so right at the beginning of the RFC.
SPF authorizes servers, not authenticates messages. Cross user forgery
has to be solved by the ISP, not by the SPF publisher. You may have
written the paragraph but several other people have looked at it,
commented on it (or not) and thus approved it. If you ment something
different than what it currently says, that's something for 4408bis.
SPF allows a receiver to quickly sift forgeries from other mail. It
does so by looking at the authorization status of a host. The remaining
messages (after throwing away obvious forgeries) still needs to be
examined further. Cross user forgery is such a case. It's just that
you only have to examine 10% (or so) of the original amount of mail.
That 10% could then be processed, for instance with DKIM, SES, or any
other protocol demanding serious processing power. That's the point.
If you don't trust an ISP, publish `neutral'. But maybe you should
leave the ISP and find something you do trust. Most people do trust
their provider. That doesn't mean problems never occur. But it does
mean problems are expected to be solved, and will occur less frequent
than elsewhere on the net.
100% certainty is impossible to reach. For nearly 100%, `pass' will do.
Don't forget that cross user forgery is more difficult to do, and at
a higher risc of detection, than any other form of forgery. It takes
more planning and research, thus is less cost effective for your
average spammer. Goal reached.
"include:my_isp" is quite different from "all". If you want people to
publish "?include:my_isp" then there's no serious reason to allow "?all"
anymore. If that would be the case, then:
a) the default would be "-all", not "?all"
and
b) "all" by itself would be redundant and thus should go.
If you want authentication, the minimum is some form of encryption,
like SES. Do not mistake SPF for something providing authentication.
Alex
-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com