[Asrg] Re: Yet another attempt to fix forwarding

Douglas Otis dotis at mail-abuse.org
Wed Jan 30 16:43:49 EST 2008 

On Jan 30, 2008, at 12:41 PM, Frank Ellermann wrote:

> Douglas Otis wrote:
>
>> It seems rather ironic SPF's intended purpose was to direct  
>> culpability to the provider's customer (the email-address owner).
>
> The "owners" of a reverse path are the hops adding info to it, today  
> in essence limited to the envelope sender address as accepted by the  
> MSA.

Owners of an email-address are not owners of the additive hops (the  
provider's addresses in the case of SPF).  While SPF might be applied  
against the envelope sender address (the return-path), these records  
may also be applied against the Purported Responsible Addresses  
representing another attempt at identifying the provider's customer.   
The difference between the provider and the provider's customer is  
extremely important.  When access depends upon an identity's indirect  
declaration of their authorized providers by way of address, privacy  
protection is clearly reduced.

>> In addition, schemes directing culpability toward provider's  
>> customers are in conflict with the general protection of personal  
>> privacy.
>
> There is no such thing as "culpability" of senders in SPF.  If folks  
> want it they can arrange for a working envelope sender address based  
> on their Message-ID or using BATV, but that has nothing at all to do  
> with privacy.

When access depends upon an identity's declaration of authorized  
providers, the means for making this declaration resolves to the  
provider's customer, and not the provider.

>> Only the provider should be able to determine a message source, and  
>> therefore only the provider should be held responsible for  
>> controlling abuse.
>
> The provider is not responsible for forgeries by third parties. SPF  
> only allows to identify plausible (PASS) or forged (FAIL) envelope  
> sender addresses for domains publishing an SPF policy.

You just said that SPF does not hold senders culpable, and yet SPF  
senders are required to identify themselves by way of their  
declaration of authorized providers?  Why is the provider ignored?

There are perhaps a few hundred thousand major providers, and yet  
there are millions of individual's email domains in use.  SMTP client  
validation within a single transaction could eliminate far more abuse  
than SPF.  EHLO validation is yet another optional "feature" of SPF  
that _might_ be accomplished after a dozen or so DNS transactions.   
Unfortunately, SPF suffers from having too many "features" keeping  
this feature from being practical.  How convenient. : )

-Doug

More information about the Asrg mailing list