On Sat, 2008-01-05 at 21:04 +0000, Julian Mehnle wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
David Woodhouse wrote:
On Sat, 2008-01-05 at 19:02 +0000, Julian Mehnle wrote:
David Woodhouse wrote:
MAIL FROM forgery is simple enough to fix anyway, with schemes such
as BATV and SES which can be implemented unilaterally, without
requiring the world to change.
BATV and SES don't prevent MAIL FROM forgery. They merely help
_senders_ sort out invalid bounces. They don't do anything for the
_receivers_.
Not so.
[... SMTP transaction transcript with callback verification demon-
strating the rejection of an unsigned MAIL FROM address ...]
You said it could be implemented unilaterally, but then you assume that
receivers do callback verification.
It _can_ be implemented unilaterally, and it immediately stops you from
receiving bounces to messages you didn't send -- in a way that SPF
doesn't, because there aren't enough people rejecting for SPF failure.
Obviously, for the recipient to _also_ benefit, they'd need to do
_something_ for themselves, and callouts have been a common way of
validating addresses for many years. Sourceforge (and many others)
stopped receiving fake MAIL FROM:<dwmw2(_at_)infradead(_dot_)org> without
knowing a
thing about BATV. And it certainly didn't require changes to
long-standing behaviour from uninterested third parties, as SPF does.
I wouldn't _assume_ that the majority of recipients do _any_ form of
sane spam filtering. Too many of them don't, and too many recipients are
actually stupid enough to _act_ on the spam they receive. If we could
just take all those stupid people out back and shoot them, spam wouldn't
be profitable any more and we could ditch the technical measures
altogether :)
why would you need multiple handles for the same sending host?
Because of many domains sending through a common host, some domains
may be sending mostly spam whereas other may be sending mostly
non-spam. Your answer to that is probably: "Why accept mail from a
spammy host, even if some mail is good?
You've already ignored my answer to that, conveniently. And that wasn't
it.
I am sorry, I must have overlooked it. Can you please repeat it? I
promise not to ignore it a second time.
It's the paragraph after "why would you need multiple handles for the
same sending host?". The one which starts "Although actually..." and
ends "...there's nothing in CSV which prevents that from working."
--
dwmw2
-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription:
http://v2.listbox.com/member/?member_id=2183229&id_secret=82224311-dcd78e
Powered by Listbox: http://www.listbox.com