
Re: [spf-discuss] Election issue: forwarding problem

2007-01-26 12:06:50
On Fri, 26 Jan 2007, Michael Deutschmann wrote:

So far I've seen two responses, one from Kitterman that was
sort of positive, and one from Ellerman that was sort of negative.

My comments on SRS are on the FAQ:

http://www.openspf.org/Best_Practices/Forwarding

However, I have 4 systems running the pygossip reputation system now,
and I'm seeing another side of forwarding.

Reputation systems assign blame for spam.  Without SPF, blame is assigned
by IP, like AOL does.  With SPF, blame is assigned by domain for 
SPF pass. [*]  Forwarding without SRS is essentially "without SPF".

Either way, forwarding puts your (the forwarder's) reputation at risk.
If the receiver does not whitelist you, any spam you forward to them
counts against your reputation.  As reputation systems become more
prevalent, forwarders will need to demand whitelisting from recipients.
This is already happening with AOL.  Google for AOL forwarding, and
you'll see that mailing list managers (a similar reputation problem
to forwarding) find themselves either:

a) banning aol.com recipients from the mailing list
b) using VERP to immediately unsubscribe any recipient reporting
   a list message as spam.

Failure to take either of the above steps allows any clueless or malicious
AOL user (ok, likely the former) to DOS every mailing list hosted on that
IP for all AOL users.

The bottom line is that email reputation makes forwarding email something
like cosigning a loan.  Your email reputation is at the mercy of the 
recipient as long as the forward is active.  In light of this, it is
in the best interest of forwarders to:

a) demand whitelisting from recipients
b) put technical measures in place to monitor demerits against your IP/domain
c) put technical measures in place to trace which recipient is responsible for
   any spam reports against your domain, and disable their forwarding to
   protect service for your other recipients/customers.

The choice of SRS for forwards is essentially a choice of whether they
want to risk their domain reputation (SRS) or their IP reputation (no SRS)
for forwarded mail.  It makes sense, actually, to risk only IP reputation
(no SRS) for forwarding so as to be able to assign a new IP from a block
in case of abuse by a recipient that results in DOS.

The other unexpected (to me) issue to come out of this is that reputation
systems need to hold recipients accountable.  Any system that blocks
email based on recipient reports of "spam" needs some way to hold 
said recipient accountable - otherwise one clueless or evil user can
DOS an entire community (hi AOL).

[*] For other SPF results (besides fail), blame could be assigned by
IP, by domain, or by a combination.  I've experimented with the
following (format is reputationid:qualifier):

example.com:neutral
1.2.3.4:IP
example.com:1.2.3.4

The last, assign reputation to the combination of domain and IP, is
the most "fair".  But it gives too much advantage to spammers.  The
next step is accruing reputation to IP like AOL.  This is better, but
thanks to botnets, you have to be AOL to actually get around to blacklisting
any IPs.  Each bot sends you only about 5 spams before moving on.

For small fry like myself, example.com:neutral or example.com:softfail
starts blacklisting much faster.  Any upgrade in SPF policy resets
a domain's reputation (for potentially legit mail).

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
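The reputationid:qualifier scheme in the footnote above, worked through as an added example (this is not pygossip's code and not the author's; the blacklist threshold of 10, the example.com domain, the TEST-NET addresses and the botnet scenario are all constructed for illustration). It charges each spam report to a key chosen by policy and then replays the post's botnet case, 20 bots sending 5 spams each, to show why domain:softfail blacklists quickly while the IP and domain:IP keys never reach the threshold, and why a domain that later gets SPF pass starts with a clean key:

```python
"""Blame assignment for spam reports under different SPF reputation keys.

Added illustration of the reputationid:qualifier scheme described in the
post; it is not pygossip's code.  The threshold, domain and IP addresses
are constructed for the example.
"""
from collections import Counter

# Policies for SPF results other than pass/fail (the post's three formats).
DOMAIN_QUALIFIER = "domain:qualifier"   # example.com:neutral
IP_ONLY = "ip:IP"                       # 1.2.3.4:IP
DOMAIN_AND_IP = "domain:ip"             # example.com:1.2.3.4


def reputation_id(spf_result, domain, ip, policy):
    """Return the key a spam report is charged to, or None if nothing is scored."""
    if spf_result == "pass":
        return f"{domain}:pass"          # SPF pass: blame goes to the domain
    if spf_result == "fail":
        return None                      # rejected outright; nothing to score
    if policy == DOMAIN_QUALIFIER:
        return f"{domain}:{spf_result}"
    if policy == IP_ONLY:
        return f"{ip}:IP"
    if policy == DOMAIN_AND_IP:
        return f"{domain}:{ip}"
    raise ValueError(f"unknown policy {policy!r}")


class ReputationStore:
    """Counts spam reports per reputation id and blacklists past a threshold."""

    def __init__(self, policy, threshold=10):
        self.policy = policy
        self.threshold = threshold      # constructed value, not from pygossip
        self.demerits = Counter()

    def report_spam(self, spf_result, domain, ip):
        rid = reputation_id(spf_result, domain, ip, self.policy)
        if rid is not None:
            self.demerits[rid] += 1
        return rid

    def is_blacklisted(self, spf_result, domain, ip):
        rid = reputation_id(spf_result, domain, ip, self.policy)
        return rid is not None and self.demerits[rid] >= self.threshold


def simulate_botnet(policy, bots=20, spams_per_bot=5, threshold=10):
    """Constructed scenario: `bots` distinct IPs each send `spams_per_bot`
    spams forging a domain whose SPF record yields softfail, then a fresh
    bot IP tries again.  Returns (next_bot_blocked, legit_pass_blocked)."""
    store = ReputationStore(policy, threshold)
    domain = "example.com"
    for i in range(bots):
        bot_ip = f"192.0.2.{i + 1}"     # TEST-NET-1 addresses, constructed
        for _ in range(spams_per_bot):
            store.report_spam("softfail", domain, bot_ip)
    next_bot_blocked = store.is_blacklisted("softfail", domain, "192.0.2.200")
    # The domain later publishes a strict record; its real MTA now gets SPF
    # pass, which is a new key, so the accumulated softfail demerits do not
    # apply to it (the "upgrade resets reputation" effect in the post).
    legit_pass_blocked = store.is_blacklisted("pass", domain, "198.51.100.7")
    return next_bot_blocked, legit_pass_blocked


if __name__ == "__main__":
    for policy in (DOMAIN_QUALIFIER, IP_ONLY, DOMAIN_AND_IP):
        print(policy, simulate_botnet(policy))
```

Under the domain:qualifier policy the 100 reports all land on `example.com:softfail`, so the next bot is refused; under the IP and domain:IP policies each key only ever sees 5 reports, below the threshold, which is the "you have to be AOL" problem the post describes.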

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
