
[spf-discuss] Re: Fixing Forwarding with RPF

2006-11-14 10:31:17

K.J. Petrie wrote:
> On Monday 13 November 2006 22:53, Frank Ellermann wrote:
> > The problem is not your cheap ISP.  The real problem is your cheap
> > forwarder, ditch it.
>
> and Alex van den Bogaerdt wrote:
> > Fixing problems at the wrong place will always result in new problems.
>
> I couldn't put it better. These two quotes sum up my problem with the
> current state of SPF. [...]
>
> SPF is a voluntary standard, but in this area it is formulated in a way
> which would only make sense for a compulsory standard. [...]
> In such a voluntary standard, it simply makes no sense to place
> responsibility with anyone other than the one individual who chooses to
> adopt it. Placing responsibility on third parties is just plain stupid.

True.  But you are missing the point that the forwarder is a chosen agent 
of the receiver, and the receiver HAS chosen to adopt SPF, or he wouldn't 
be rejecting mail that got an SPF "fail" in the first place.

You are right, the fault is not with the forwarder.  It is with the 
receiver, who chose an irresponsible forwarder.  And the problem needs to 
be fixed at the receiver, too, i.e. he needs to either (1) get his 
forwarder to rewrite envelope senders, or (2) accept the forwarder as part 
of his own e-mail network and thus exempt the forwarder from SPF checking 
(which should only be done at the outer border of your network, i.e. by 
the forwarder).

> I am also unconvinced by the thesis that changing nothing is forgery.
> Preserving the identity of the original sender is forgery? If SPF defines
> it as such, why does it think the rest of the world would agree?

You don't have to agree.  But I'll tell you what's gonna happen for all of 
those who think that forwarders NOT rewriting the sender address to their 
(the forwarders') own domains when forwarding is acceptable.  Every 
spammer is going to claim he's a forwarder and that he's just forwarding 
spam that he received from YOU.  (This is essentially what spammers are 
doing now.)  And because they're "forwarders", they ought to be allowed to 
use your address as the sender, right?

My point being, there's no way for me to tell if someone who sends me a 
message with YOUR address as the sender address is a legitimate forwarder 
or just a random spammer -- EXCEPT if it was ME who ordered that someone 
to forward the stuff to me.

This has been discussed to death before.  It's all in the archives.  
However, I'm getting the impression that we could use a handful of cute 
graphics on the SPF website explaining the forwarding issue and how it 
must be solved...


-------
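Added example, not part of the original message: a simplified model of the receiver's border check, showing the two fixes named in the message (the forwarder rewrites the envelope sender, or the receiver exempts a forwarder he set up himself) and why a self-declared forwarder is still rejected. The domains, addresses, function names and the rewriting scheme are constructed for illustration; only ip4 ranges with a hard fail are modelled, not full SPF evaluation.

```python
import ipaddress

# Constructed SPF data: ip4 ranges each domain authorizes, all ending in "-all".
SPF = {
    "sender.example": ["192.0.2.0/24"],
    "forwarder.example": ["198.51.100.0/24"],
}

def spf_result(client_ip, mail_from):
    """Simplified SPF check: ip4 mechanisms only, hard fail otherwise."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    if domain not in SPF:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    hit = any(ip in ipaddress.ip_network(net) for net in SPF[domain])
    return "pass" if hit else "fail"

def rewrite_sender(mail_from, forwarder_domain):
    """Option 1: the forwarder puts its own domain in MAIL FROM (toy scheme)."""
    local, domain = mail_from.rsplit("@", 1)
    return f"{local}={domain}@{forwarder_domain}"

def border_decision(client_ip, mail_from, my_forwarders=()):
    """Receiver policy: reject on SPF fail unless the connecting host is a
    forwarder the receiver configured himself (option 2)."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(net) for net in my_forwarders):
        return "accept"  # part of the receiver's own network; SPF is checked upstream
    return "reject" if spf_result(client_ip, mail_from) == "fail" else "accept"

if __name__ == "__main__":
    sender = "alice@sender.example"
    rewritten = rewrite_sender(sender, "forwarder.example")
    trusted = ["198.51.100.0/24"]  # the forwarder the receiver ordered to relay
    cases = [
        ("direct from sender", "192.0.2.10", sender, ()),
        ("forwarded, sender unchanged", "198.51.100.7", sender, ()),
        ("forwarded, sender rewritten", "198.51.100.7", rewritten, ()),
        ("forwarded, receiver trusts forwarder", "198.51.100.7", sender, trusted),
        ("self-declared forwarder", "203.0.113.66", sender, trusted),
    ]
    for label, ip, mail_from, forwarders in cases:
        print(f"{label:40} {border_decision(ip, mail_from, forwarders)}")
```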