spf-discuss

RE: [spf-discuss] Re: Election issue: forwarding problem

2007-02-05 15:49:03
Stuart D. Gathman wrote on Monday, February 05, 2007 1:24 PM -0500:

On Mon, 5 Feb 2007, Seth Goodman wrote:

Scott Kitterman wrote on Monday, February 05, 2007 1:04 AM -0500:

For an MSA that has implemented appropriate technical
restrictions, I agree that the prospective SPF check is largely
redundant.

It's important to state that.  This works best for small systems
with no outbound authentication who wish to limit their users
forging foreign domains that publish SPF records.

In pymilter, internal PCs attempting to send with foreign domains
are labeled "zombies".  Too many such forgeries, and that PC (IP) is
cut off from sending email.  User has to run malware cleaning software
and write "I will not download free screensavers" on the blackboard
100 times before I reenable their email.

This is very good for small numbers of users.  If you had sufficient
users, the folks who control the botnets could accomplish what they need
by forging other users' identities, or even by publishing legitimate SPF
records that designate your outbound hosts.  This will affect the
reputation of your IPs, even though you never gave the domain owners
permission to use them.  I know, that's no longer domain forgery and we
shouldn't talk about IP reputation on the SPF list.  Unfortunately, if
SPF encourages an MSA to accept messages it shouldn't, SPF gets the
blame, even though no one ever claimed it does anything but detect
certain domain forgeries.  We should be recommending that MSAs enforce
submission rights instead.  That stops outbound sender identity forgery
and protects the reputation of every domain you intentionally emit mail
for, and makes sure you emit mail for no others.

There are a lot of good excuses, along with some reasons, why this is
difficult for a large existing user base.  It's much harder to make that
argument for new customers.

--
Seth Goodman
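
An added example, not part of the original message and not pymilter's code: a minimal sketch of an MSA enforcing submission rights, with the per-IP cutoff described in the thread. The class name, the policy table, the threshold and all addresses are constructed assumptions. Because the decision rests on a local allowlist rather than on the sender domain's published SPF record, a foreign domain that designates your outbound hosts in its own SPF record is still refused.

```python
from collections import Counter

# Constructed sample policy: envelope-sender domains each submitting
# identity (SMTP AUTH user or internal client IP) is permitted to use.
SUBMISSION_RIGHTS = {
    "alice": {"example.com"},
    "192.0.2.10": {"example.com", "example.net"},
}
MAX_VIOLATIONS = 3  # assumed threshold before a client IP is cut off


class SubmissionPolicy:
    """Hypothetical policy object; decides on local rights, never on SPF."""

    def __init__(self, rights, max_violations=MAX_VIOLATIONS):
        self.rights = {k: {d.lower() for d in v} for k, v in rights.items()}
        self.max_violations = max_violations
        self.violations = Counter()  # rejected submissions per client IP
        self.blocked = set()         # client IPs cut off from sending

    def check(self, client_ip, mail_from, auth_user=None):
        """Return (accept, reason) for one MAIL FROM at submission time."""
        if client_ip in self.blocked:
            return False, "client blocked"
        addr = mail_from.strip().strip("<>")
        local, sep, domain = addr.rpartition("@")
        domain = domain.lower().rstrip(".")
        # An authenticated user takes precedence over the client IP.
        identity = auth_user if auth_user is not None else client_ip
        allowed = self.rights.get(identity, set())
        if sep and local and domain in allowed:
            return True, "permitted"
        # Anything else (foreign domain, null or malformed sender) counts
        # against the client, whatever that domain's SPF record says.
        self.violations[client_ip] += 1
        if self.violations[client_ip] >= self.max_violations:
            self.blocked.add(client_ip)
            return False, "rejected; client blocked"
        return False, "sender domain not permitted for this identity"


if __name__ == "__main__":
    policy = SubmissionPolicy(SUBMISSION_RIGHTS)
    for sender in ["<bob@example.net>", "<x@foreign.example>"] * 3:
        print(sender, policy.check("192.0.2.10", sender))
```
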

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/