
Re: [spf-discuss] Re: Revising SOFTFAIL

2008-01-05 11:34:03

On Sat, 2008-01-05 at 18:12 +0000, Julian Mehnle wrote:
> David Woodhouse wrote:
> > On Sat, 2008-01-05 at 09:47 -0700, Edmig wrote:
> > > But it does have to correlate with the IP address used by the sending
> > > host. Which raises the question again - why not just use the HELO
> > > name to authenticate an incoming IP address?
> >
> > No reason. See http://mipassoc.org/csv/
> >
> > Works just as well as SPF, giving you an authenticated label which you
> > can use in your reputation database. [...]
>
> Except that it doesn't differentiate between multiple domains served by a
> common mail server.

It doesn't need to. SPF just gives you a handle -- the domain name --
which you can look up in your reputation database to see if it's a
spammer or not. With CSV that handle is the HELO name; why would you
need multiple handles for the same sending host?

Although actually if the sender _really_ wants to, they _can_ give a
different HELO name according to the mail they're sending. It's a bit
pointless, but some people seem to do it anyway. And there's nothing in
CSV which prevents that from working.

> And of course it doesn't even try to stop the MAIL FROM forgery.

It doesn't need to. It stops HELO forgery, because it's HELO that it
uses.

MAIL FROM forgery is simple enough to fix anyway, with schemes such as
BATV and SES which can be implemented unilaterally, without requiring
the world to change.

-- 
dwmw2
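
The "implemented unilaterally" point about BATV in the message above, as an added example that is not part of the original post or of any BATV implementation: the sending domain tags its own envelope sender with a keyed hash and later checks the recipient of incoming bounces, so no other site has to change. The tag layout is modelled on the `prvs=KDDDSSSSSS=local@domain` form from the BATV draft; the key, lifetime, function names and address are constructed assumptions.

```python
import hashlib
import hmac
import re

KEY = b"constructed-demo-key"   # assumption: real keys are secret and rotated
KEY_NUM = 0                     # single digit naming the key that signed the tag
LIFETIME_DAYS = 7               # assumption: how long a bounce may take to return

TAGGED = re.compile(r"prvs=(\d{4})([0-9a-f]{6})=(.+)", re.ASCII | re.IGNORECASE)


def _mac(prefix: str, address: str, key: bytes) -> str:
    """First 3 bytes (6 hex digits) of HMAC-SHA1 over KDDD + original address."""
    data = (prefix + address).encode()
    return hmac.new(key, data, hashlib.sha1).hexdigest()[:6]


def sign(address: str, today: int, key: bytes = KEY) -> str:
    """Tag an outgoing MAIL FROM. `today` is the day count since the epoch."""
    prefix = f"{KEY_NUM}{(today + LIFETIME_DAYS) % 1000:03d}"
    return f"prvs={prefix}{_mac(prefix, address, key)}={address}"


def verify_bounce_rcpt(rcpt: str, today: int, key: bytes = KEY):
    """Check the RCPT TO of a bounce (a message with MAIL FROM:<>).

    Returns the original address for a valid, unexpired tag, else None
    (untagged, altered, signed with another key, or expired).
    """
    m = TAGGED.fullmatch(rcpt)
    if m is None:
        return None
    prefix, mac, address = m.group(1), m.group(2).lower(), m.group(3)
    if not hmac.compare_digest(mac, _mac(prefix, address, key)):
        return None
    # The expiry day is stored modulo 1000, so measure the distance modulo 1000.
    remaining = (int(prefix[1:]) - today) % 1000
    return address if remaining <= LIFETIME_DAYS else None


if __name__ == "__main__":
    day = 13883                                  # constructed day number
    tagged = sign("user@example.org", day)
    print(tagged)
    print(verify_bounce_rcpt(tagged, day + 2))              # genuine bounce
    print(verify_bounce_rcpt("user@example.org", day + 2))  # backscatter: None
```

A bounce addressed to an untagged or invalid recipient was not caused by mail this domain actually sent, so the receiving side of the same domain can refuse it.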
