spf-discuss

Re: [spf-discuss] Re: Revising FAIL

2008-01-08 07:06:07
Alessandro Vesely wrote:
Frank Ellermann wrote:
Alessandro Vesely wrote:
 
| A "Fail" result is an explicit statement that the client is not
| authorized to use the domain in the given identity.  The checking
| software MUST reject the mail outright.

No, the checking software might not be in the position where it
still can reject the mail.  It's at best a SHOULD in a not yet
existing "receiver policy" RFC.

A "SHOULD" is weaker, but it can handle a transition period nicely.

I think that SHOULD is perfect. SPF defines what FAIL means, what the
receiver chooses to do with unauthorized source e-mail once they've
identified it as such can be flexible. I can honestly think of several
things to actually do with known forged e-mails, mostly revolving around
getting to the root of any criminal activities that might be associated
with hiding behind deliberate forgeries or fixing technical issues that
would cause apparent forgeries.

For SPF it's actually a feature that spammers cannot simply probe
who rejects FAIL,

Why would that be an advantage?

there might be also receivers moving FAIL silently into a trash folder.

Hmm... If the client (relay host) is a spammer, rejection is
appropriate and saves bandwidth. If it is an innocent forwarder,
a bounce may be useful for diagnostic purposes.

Absolutely. Most receivers SHOULD reject.

As long as spammers must fear that SPF FAIL never makes it they
can't abuse FAIL protected addresses anywhere.  With your proposal
they could abuse SPF FAIL protected addresses at all receivers
not rejecting FAIL outright.

I assume that by "never makes it" you mean "is never delivered".
Still, I have some difficulty understanding what you mean. Do you
mean that if rejecting were the mandatory behavior, spammers could
easily argue that not rejected messages will be delivered?

At any rate, I've seen spammers getting more cautious over time.
While they used to play like crazy, mixing FROM and MAIL FROM
addresses with no apparent reason, today's spam quite often shows
the same address in both headers, effectively masquerading as a
human2human message. I guess it is just easier for spammers to
play correctly.

I've noticed this too. The Internet is a highly selective environment
for spam sources. It's adapt or die, essentially.

There are no false positives, since the domain owner is the direct
origin of such "explicit statement".

Right, but the domain owner isn't always the same as the domain
user,

They have to trust each other, anyway.

To some extent. There are an awful lot of naive users out there who will
break all the rules if they aren't enforced like gravity. Admins, also.

and the receiver mailbox can be a user forwarding his mail
to an address at a third party checking SPF.  Arguably that is a
kind of "false positive", and in that case I really hope that a
FAIL is rejected, and doesn't vanish silently in a trash folder.

Agreed. And the RFCs never mention silently dropping messages,
AFAIK.

Black holes for e-mail messages are generally in conflict with the
concept of reliable delivery that is explicit in a lot of the SMTP
specs. Unfortunately, they are more common than ever since that is all
that many receivers (admins and end-users alike) have the time to deal with.

-- 
Daniel Taylor          VP Operations            Vocal Laboratories, Inc.
dtaylor(_at_)vocalabs(_dot_)com   http://www.vocalabs.com/        
(952)941-6580x203
