Re: [spf-discuss] Tracking userids --was: SPF, DKIM, and NIH
2009-10-19 09:46:47
--On 19 October 2009 14:06:37 +0200 Alessandro Vesely <vesely(_at_)tana(_dot_)it>
wrote:
> Ian Eiloart wrote:
>> I'm not talking about what we do at Sussex[...]
>
> Ooops, I misunderstood your words :-(

My careless phrase, I think :-)

>> I mean that you don't need a comprehensive worldwide individual identity
>> system in order to assign reputation to email sender addresses. What you
>> need to do is (a) verify the sender address domain with DKIM or SPF, and
>> (b) make reasonable assumptions about the operation of the domain.
>
> Agreed.
>
>> I think it's reasonable to assume that a domain operator won't permit
>> one user to spoof another user's sender address. If that's untrue, then
>> the domain's users and managers will need to sort out any negative
>> consequences.
>
> The point is how well it's possible to either corroborate or dispute such
> an assumption based on statistical evidence. That assumption is not
> reasonable in general; a policy statement and some other knowledge about
> the domain are needed.

The assumption may not be true in general, but it would be better if it
were. Domains should be encouraged to prevent such spoofing, and I think
that the assumption is reasonable in the following sense:

a) Where businesses, like ours, permit intra-domain spoofing, they should
take care that it's not used to send unwanted mail, in order that one user
cannot harm the reputation of another. For example, we know that our
webmail service gets abused, so we apply rate limits, and don't permit
spoofing by our webmail users. The rate limits reduce the harm done when an
account is compromised, and the anti-spoofing policy ensures that any
email-address-based reports or sanctions are applied to the correct account.

b) Where email service providers like gmail can't establish a relationship
between two domain users, they simply should not permit the spoofing. They
may wish to establish an infrastructure whereby users can express trust
relationships - their domain hosting service might be regarded as having
that property.

c) Generally: where intra-domain spoofing is permitted, it must be regarded
as entirely at the risk of the domain and its users. If one user harms the
reputation of another, that should be regarded as an internal affair, to be
sorted out between the users and the domain owner. It's not the business of
any third party to try to guess how the domain handles intra-domain
spoofing.

--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/
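
The two controls described in point (a) of the message above, a per-account rate limit and a rule that webmail users may only send from their own addresses, sketched as an added example that is not part of the original message or any Sussex system. The account names, the `example.org` addresses, the `SubmissionPolicy` class and its limits are all assumptions made for illustration.

```python
import time
from collections import defaultdict, deque
from email.utils import parseaddr

# Constructed sample data: the sender addresses each authenticated
# account is allowed to use (hypothetical accounts on example.org).
OWNED = {
    "alice": {"alice@example.org", "a.smith@example.org"},
    "bob": {"bob@example.org"},
}


class SubmissionPolicy:
    """Decide whether an authenticated webmail user may submit a message."""

    def __init__(self, owned, max_msgs, window_secs):
        self.owned = owned
        self.max_msgs = max_msgs
        self.window_secs = window_secs
        self.sent = defaultdict(deque)  # account -> timestamps of accepted mail

    def check(self, account, from_header, now=None):
        now = time.time() if now is None else now
        # Anti-spoofing: the From address must belong to the logged-in account,
        # so address-based reports land on the account that really sent the mail.
        addr = parseaddr(from_header)[1].lower()
        if addr not in self.owned.get(account, set()):
            return "reject: sender address not owned by account"
        # Rate limit: a sliding window caps the harm from a compromised account.
        stamps = self.sent[account]
        while stamps and now - stamps[0] >= self.window_secs:
            stamps.popleft()
        if len(stamps) >= self.max_msgs:
            return "defer: rate limit exceeded"
        stamps.append(now)
        return "accept"
```
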