spf-discuss

Re: [spf-discuss] Re: TENBOX/E as an AUTH type

2007-04-07 16:52:24
On Sat, 7 Apr 2007, Frank Ellermann wrote:
> Yes, and that's where I'm *V*E*R*Y* *I*N*T*E*R*E*S*T*E*D*  With SRS it
> is clear that forwarders take the responsibility for mails forwarded
> by them as they should under RFC 821 rules (and explicitly did by
> adding their identity to the reverse path in the pre-1123 world).

Ah, you're calling it a feature that SRS forces forwarding providers to
stake their IP reputation on the identification of a message as
non-forged.  But SRS also forces them to either "sign off on" or refuse to
accept SPF-neutral, SPF-none, and SPF-softfail mails.  This just isn't
reasonable today.

Entities that punish backscatter, such as UCEPROTECT, generally believe
that backscatter should be prevented by abolishing DSNs entirely, not by
sender validation.  So for them "I couldn't get a clear SPF answer" is not
an excuse for backscatter.  And for an SRS forwarder, abolishing DSNs
entirely just isn't possible.  Even if they go to the *extreme* of
conducting incoming and outgoing SMTP transactions simultaneously, they
can still get saddled with a "MAIL FROM: <> / RCPT TO:
<SRS0=blahblah(_at_)blah>" hours later from the next hop.

> How does TENBOX guarantee that the alleged original sender in fact is
> the original sender?

It doesn't.  But TENBOX/E mail will very rarely be bounced, if at all.

If the final recipient trusts the forwarder's TENBOX token enough to stand
down SPF, it would be silly not to also stand down their content filters
(SpamAssassin, ClamAV, DCC, etc.).  And content filters are the leading
cause of forwarder bounces.

Note that if you created a "FrankBL" that, say, listed an IP for several
months after a single instance of backscatter to an SPF-protected address,
you'd still be able to have some indirect pressure on a TENBOX forwarder.

Big ISPs who want to stay off the FrankBL would maintain their own
blacklist of forwarders who ignore SPF and simply refuse to allow their
customers to extend TENBOX/E trust to those forwarders.  Come to think of
it, FrankBL could maintain such a list itself as an RHSBL.

> And AFAIK I'm the _only_ user on the spamcop list who thinks that an
> SPF FAIL is required, the others report all bogus bounces right away,
> no questions asked.

They probably think the answer is to abolish bounces entirely.  Then the
SPF status of a given mail is irrelevant.

---- Michael Deutschmann <michael(_at_)talamasca(_dot_)ocis(_dot_)net>
