spf-discuss

Re: [spf-discuss] Tracking userids --was: SPF, DKIM, and NIH

2009-10-23 11:39:46
Ian Eiloart wrote:
I think it's reasonable to assume that a domain operator won't permit
one user to spoof another user's sender address. If that's untrue, then
the domain's users and managers will need to sort out any negative
consequences.

The point is how well it's possible to either corroborate or dispute such
an assumption based on statistical evidence. That assumption is not
reasonable in general; a policy statement and some other knowledge about
the domain are needed.

The assumption may not be true in general, but it would be better if it were. Domains should be encouraged to prevent such spoofing, and I think that the assumption is reasonable in the following sense:

Of course you have to take into account that spammers can (and do) create their own domains.

a) Where businesses, like ours, permit intra-domain spoofing, they should take care that it's not used to send unwanted mail, in order that one user cannot harm the reputation of another. For example, we know that our webmail service gets abused, so we apply rate limits, and don't permit spoofing by our webmail users. The rate limits reduce the harm done when an account is compromised, and the anti-spoofing policy ensures that any email-address-based reports or sanctions are applied to the correct account.

I think you also don't allow a user to have multiple email addresses, what Wikipedia calls "sock puppetry". Aliases and role addresses may be allowed by a domain's policy. The right to send messages anonymously --pseudonymously, really-- must be respected, and advertising a user's login name in the header brings its own tranche of risks. Explicitly knowing a domain's policy eases the task of checking whether it is actually enforced.

b) Where email service providers like Gmail can't establish a relationship between two domain users, they simply should not permit the spoofing. They may wish to establish an infrastructure whereby users can express trust relationships - their domain hosting service might be regarded as having that property.

You mean sites.google.com? I don't quite agree: A puppet master may accumulate several subscriptions, and register different sites with different identities. Anonymous subscriptions don't allow much trust to be established.

c) Generally: where intra-domain spoofing is permitted, it must be regarded as entirely at the risk of the domain and its users. If one user harms the reputation of another, that should be regarded as an internal affair, to be sorted out between the users and the domain owner. It's not the business of any third party to try to guess how the domain handles intra-domain spoofing.


