spf-discuss
[Top] [All Lists]

Re: [spf-discuss] Senderside forwarder-problem mitigation

2009-07-05 07:55:36
On Sun, 5 Jul 2009, Alessandro Vesely wrote:
Michael Deutschmann wrote:
With [fm=] options, senders would then be free to use "-all" in all
cases where it is appropriate by the original intention of the standard.

The original intention of the standard is to compute whether a
server is authorized to use the domain name in the sender's address.
during SMTP transactions. Since forwarding is part of that, it is
included in that intention. IOW: I think it's very difficult to
specify when a message is being "forwarded"; therefore it is
difficult to tell the difference between "fm=soft -all", and, say,
"fm=hard ~all".

"fm=soft -all" = vanity domain where the owner is completely confident that
all legitimate outgoing mail will actually pass through the listed servers.
But he can't be sure that no mailbox he attempts to send to will relay the
message elsewhere, so he cautions ISPs that a legitimate message might be
further relayed after it leaves the authorized server.

"fm=hard ~all" = not a useful configuration.  The advantage of "fm=hard" for
the sender is improved backscatter reduction, which is defeated by lack of
-all.

The two are similar in receiverside behavior when the receiver has poor
knowledge of incoming forwards -- although I would consider "fm=soft -all"
in this case to be more similar to "fm=hard ?all".

But the difference is that when incoming forwards are known, "fm=soft
-all" becomes instead equivalent to "fm=hard -all", while "fm=hard ~all"
doesn't change.  Except, of course, that SPF is ignored when the forwarder
whitelist matches.

A receiver that believes it has whitelisted all forwarders [...]

For the same reasons as above, such belief is necessarily heuristic.
It's heuristic at most ISPs, which don't communicate with their users about
such things.

But an ISP with a per-mailbox anti-spam control panel can obtain accurate
information for the subset of mailboxes owned by users capable of using
it.  Vanity domains are often similar.

The main point of the proposal is that this elite set of users is being
robbed of chances to definitively deny certain forged e-mails, under the
status quo.

---- Michael Deutschmann <michael(_at_)talamasca(_dot_)ocis(_dot_)net>


-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com