spf-discuss
[Top] [All Lists]

Re: [spf-discuss] Tracking userids --was: SPF, DKIM, and NIH

2009-10-19 09:46:47


--On 19 October 2009 14:06:37 +0200 Alessandro Vesely <vesely(_at_)tana(_dot_)it> wrote:

Ian Eiloart wrote:
I'm not talking about what we do at Sussex[...]

Ooops, I misunderstood your words :-(

My careless phrase, I think :-)

I mean that you don't need a comprehensive worldwide individual identity
system in order to assign reputation to email sender addresses. What you
need to do is (a) verify the sender address domain with DKIM or SPF, and
(b) make reasonable assumptions about the operation of the domain.

Agreed.

I think it's reasonable to assume that a domain operator won't permit
one user to spoof another user's sender address. If that's untrue, then
the domain's users and managers will need to sort out any negative
consequences.

The point is how well it's possible to either corroborate or dispute such
an assumption based on statistical evidence. That assumption is not
reasonable in general, a policy statement and some other knowledge about
the domain are needed.

The assumption may not be true in general, but it would be better if it were. Domains should be encouraged to prevent such spoofing, and I think that the assumption is reasonable in the following sense:

a) Where businesses, like ours, permit intra-domain spoofing, they should take care that it's not used to send unwanted mail; in order that one user cannot harm the reputation of another. For example, we know that our webmail service gets abused, so we apply rate limits, and don't permit spoofing by our webmail users. The rate limits reduce the harm done when an account is compromised, and the anti-spoofing policy ensures that any email address based reports or sanctions are applied to the correct account.

b) Where email service providers like gmail can't establish a relationship between two domain users, they simply should not permit the spoofing. They may wish to establish an infrastructure whereby users can express trust relationships - their domain hosting service might be regarded as having that property.

c) Generally: where intra-domain spoofing is permitted, it must be regarded as entirely at the risk of the domain and its users. If one user harms the reputation of another, that should be regarded as an internal affair, to be sorted out between the users and the domain owner. It's not the business of any third party to try to guess how the domain handles intra-domain spoofing.


--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/


-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ 
[http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com