spf-discuss

[spf-discuss] Re: (SOLVED) SPF blocking e-mails coming from an E-card service server

2007-05-01 07:11:39
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Not wanting to spur a flame war here, but I'd like to make one thing clear:

dan1 wrote:
> Alex van den Bogaerdt wrote:
> > And I was not saying you weren't "a good guy".  I just expressed my
> > feeling about a fundamental way of thinking related to SPF:
> > Sender address forgery should be banned.
>
> This is interesting, because the SPF technical web page with the best
> practices suggests doing exactly what I did, so I am surprised that
> you say it is fundamental to SPF that sender address forgery is
> banned. Please read this page again, which encourages doing so, yet by
> specifying exactly which server DID the forgery, so that we can return to
> them in case of address errors or problems:
> http://www.openspf.org/Best_Practices/Webgenerated

This page in no way encourages sender address forgery.  Please learn about 
the meaning of the "From", "Sender", and "Reply-To" headers.  It should then 
become clear that what said page recommends does not constitute 
sender address forgery.

And here's another thing: you might not be fully aware of the dangers to 
your (certainly well intentioned) service (and it applies to thousands of 
similar services, too!):

> Reporting the service bounces to spamcop does certainly push them to
> mark my server as a spammer box. Maybe it was not your intent to say
> this, but it can really be interpreted as 'I wish your server were
> listed as a spam server'.
> And again, I think you would be right if you could automate this
> bombing, yet you could only do several bounces and would be limited, and
> this makes all the difference.

Today, spam and viruses aren't sent by a few single boxes.  Today, entire 
networks of hijacked computers are used to do that.  Those networks can 
comprise hundreds of thousands of "zombie" or "bot" computers (and thus IP 
addresses), each sending just a few messages.  Such a bot net could easily 
be instructed to abuse your service to bomb a victim address with billions 
of bounces.  (But then, they could just as well bomb the victim directly, 
unless of course it is _you_ and your service whom the attacker wants to 
strike.)

I'm not telling you what to do beyond making your service SPF compliant -- 
I merely want to raise your awareness of the scale of the potential dangers 
out there.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGN0pnwL7PKlBZWjsRAvk2AKDPRTvGAwioNbkLe5flxVUkAydHngCfb9C0
FOIYLqL8dlFgQxZaNhqFd10=
=c/yo
-----END PGP SIGNATURE-----
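The difference the message above draws between a forged envelope sender and the header usage the Webgenerated page describes, as an added worked example that is not part of the original thread or of any openspf.org code. It builds the same e-card message two ways, then runs the SMTP envelope sender (MAIL FROM) through a minimal SPF evaluator against constructed DNS records. The domains (example.com, ecard.example), the IP addresses, the SPF records and the helper names are all assumptions made for the example; the "compliant" layout (service address in MAIL FROM and From:, the user's name as display name, the user's real address only in Reply-To:) is this editor's reading of the best-practice page cited above, not a quotation of it.

```python
"""Added example: why putting the user's address into MAIL FROM fails SPF
when the mail actually leaves the e-card server, and how the message looks
when the service's own address is used in the envelope instead."""
import ipaddress
from email.message import EmailMessage
from email.utils import formataddr

# Constructed SPF records standing in for DNS TXT lookups (assumed data).
FAKE_SPF_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 -all",  # the user's own mail provider
    "ecard.example": "v=spf1 ip4:192.0.2.10 -all",     # the e-card service itself
}

ECARD_SERVER_IP = "192.0.2.10"  # assumed address of the e-card web/mail server

_QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip, records=FAKE_SPF_RECORDS):
    """Toy SPF evaluator: understands only ip4: mechanisms and a bare 'all'.
    Returns 'none' when the domain publishes no record, otherwise the result
    of the first matching mechanism ('neutral' if nothing matches, the RFC 4408
    default)."""
    record = records.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in _QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            # A bare address without a prefix length is treated as /32.
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return _QUALIFIER_RESULT[qualifier]
        elif term == "all":
            return _QUALIFIER_RESULT[qualifier]
        else:
            raise ValueError("unsupported mechanism in toy evaluator: " + term)
    return "neutral"


def forged_ecard(user_name, user_addr, recipient):
    """The problematic construction: the user's address is used as the SMTP
    envelope sender, so the receiver evaluates SPF for the *user's* domain
    against the e-card server's IP.  Returns (envelope sender, message)."""
    msg = EmailMessage()
    msg["From"] = formataddr((user_name, user_addr))
    msg["To"] = recipient
    msg["Subject"] = "You have received an e-card"
    msg.set_content("Open your card at https://ecard.example/card/1234 (assumed URL)")
    return user_addr, msg


def compliant_ecard(user_name, user_addr, recipient, service_addr="ecards@ecard.example"):
    """Envelope sender and From: belong to the service; the user's name appears
    only as display name and the user's address only in Reply-To:, so replies
    still reach the user while bounces go back to the service that sent the
    mail.  (From: user with a Sender: service header is the other layout the
    best-practice page allows, per this editor's reading.)"""
    msg = EmailMessage()
    msg["From"] = formataddr((user_name + " via Ecard Service", service_addr))
    msg["Reply-To"] = formataddr((user_name, user_addr))
    msg["To"] = recipient
    msg["Subject"] = "You have received an e-card"
    msg.set_content("Open your card at https://ecard.example/card/1234 (assumed URL)")
    return service_addr, msg


def envelope_domain(envelope_sender):
    """Domain part of a MAIL FROM address, i.e. the domain SPF is checked for."""
    return envelope_sender.rsplit("@", 1)[1]


def evaluate(build, client_ip=ECARD_SERVER_IP):
    """Build the message with `build` and return the SPF result a receiver
    would compute for it when it arrives from client_ip."""
    envelope_sender, _msg = build("Dan", "dan@example.com", "friend@example.net")
    return spf_check(envelope_domain(envelope_sender), client_ip)


if __name__ == "__main__":
    for build in (forged_ecard, compliant_ecard):
        print("%-16s MAIL FROM domain -> SPF %s" % (build.__name__, evaluate(build)))
```

With the constructed records, the forged variant yields "fail" (example.com's -all covers the e-card server's IP), while the compliant variant yields "pass"; only the MAIL FROM domain matters to SPF, which is why moving the user's address into Reply-To: fixes delivery without forging anything.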

-------------------------------------------
-----------------------------------------------------------------------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?list_id=735
Powered by Listbox: http://www.listbox.com