At 08:20 PM 12/4/2006 -0500, Stuart D. Gathman wrote:
On Mon, 4 Dec 2006, Meng Weng Wong wrote:
> On Dec 4, 2006, at 2:59 PM, Stuart D. Gathman wrote:
>
> > My system depends on extensive whitelists and blacklists. I can't
> > use the domain whitelist for a *message* without SPF PASS (because
> > the message might be forged), and I can't blacklist a *domain*
> > without SPF PASS (because the message might be forged and not
> > actually from that domain).
>
> That's technically true, but when do legitimate senders forge
> blacklisted domains?
The problem is that a spam from example.com with SPF neutral does not
let me blacklist example.com with confidence. Example.com might be
a joe job victim that has yet to publish an SPF record. You could argue
that I should "blacklist 'em anyway - that'll teach 'em not to publish SPF",
but my clients need to communicate with backward primitives who don't
publish SPF records - or have stupid policies.
The problem as I see it is that SPF is not applicable in situations where
the Return Address is legitimately unrelated to the Transmitter's IP
Address, and senders must use the Return Address because their stupid email
programs don't make a distinction between the Reply Address and the Return
Address.
Here are two of my domains:
open-mail.org. 86400 IN TXT "v=spf1 +a include:controlledmail.com -all"
box67.com. 1800 IN TXT "v=spf1 include:open-mail.org ?all"
Open-mail.org sends very little mail from its own transmitter. Everything
else goes through a service we trust will not allow forgery of our
name. No problem.
Box67.com is a recipient's forwarding service. It sends no mail at
all. Our clients have public addresses like tdonovan(_at_)box67(_dot_)com. (Go for
it, you spam harvesters!!) Whatever mail comes to that address is
authenticated, rated, tagged and forwarded to the recipient's private
address at their *existing* email service. The public address must appear
in either the Reply-To: header, or the envelope Return Address. Email
programs like Eudora do not allow setting a Reply-To: address.
As I understand it, the Reply-To address was introduced only recently, and
that is why everyone uses the Return Address for this function. Also, the
relationship between the Reply-To Address and the Return Address is not
well defined. We could insist that our clients use the Reply-To address,
and leave their Return Address as is, but I fear it will be a long time
before we see this flexibility universally available in all email programs.
I would be interested to know what other email programs allow setting
separate Reply-To and Return Addresses.
-- Dave

David MacQuigg, PhD              email: macquigg at open-mail.org
President, Open-Mail dot org     phone: USA 520-721-4583
Postmaster, Box67 dot com
9320 East Mikelyn Lane
http://purl.net/macquigg         Tucson, Arizona 85710
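The two records quoted in the message above, evaluated as an added example that is not part of the thread: a toy SPF check_host() that resolves include:, a and ip4 terms against a constructed DNS table, so the difference between "?all" (neutral, no basis for a whitelist or blacklist decision) and "-all" (fail) is visible. The controlledmail.com record and every IP address here are placeholders, not the real zones.

```python
import ipaddress

# Constructed DNS data standing in for real lookups. The two records from the
# message are quoted verbatim; controlledmail.com and all addresses are made up.
DNS_TXT = {
    "open-mail.org": "v=spf1 +a include:controlledmail.com -all",
    "box67.com": "v=spf1 include:open-mail.org ?all",
    "controlledmail.com": "v=spf1 ip4:192.0.2.0/24 -all",  # placeholder
}
DNS_A = {"open-mail.org": ["198.51.100.10"]}  # placeholder transmitter address

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Return the SPF result for sender `ip` claiming `domain` (toy evaluator)."""
    if depth > 10:
        return "permerror"  # runaway include chain
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no policy published, like the joe-job victim in the thread
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"  # mechanisms default to pass when unqualified
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in DNS_A.get(arg or domain, [])
        elif name == "include":
            # include: matches only when the referenced policy yields pass;
            # a missing or broken referenced record is a permanent error.
            sub = check_host(ip, arg, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"
            matched = sub == "pass"
        else:
            return "permerror"  # mechanism outside this toy's scope
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # record exhausted without a match
```

For box67.com, any sender address that is not one of open-mail.org's paths ends at "?all" and comes back neutral, which is exactly why such a message can be neither whitelisted nor blacklisted on the domain name alone.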
-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/