[Asrg] mail security
John Leslie
john at jlc.net
Fri Jan 23 06:13:19 PST 2009

Ian Eiloart <iane at sussex.ac.uk> wrote:
> --On 21 January 2009 12:27:56 -0500 John Leslie <john at jlc.net> wrote:
>
>> However, there are a limited number of ways that forwarding might be
>> shown in the trace headers, so it should be practical to determine that
>> a forwarding is documented (though possibly forged).
>>
>> We then have a quite different situation from what raw SPF processing
>> would indicate. Thus I claim the rules deserve to be relaxed (without
>> going into detail how).

The point I was attempting to make is that SPF records _can_ accurately
reflect sender policy, while SPF processing will incorrectly indicate a
violation of it.

As things stand in SPF, folks end up publishing less-correct records
in an attempt to tune to a more satisfactory result.

>> Forging headers to indicate forwarding which didn't happen indicates
>> evil intent, and should be practical to block-list like other spamming
>> IPs. Well-known forwarders could be whitelisted, enabling us to trust
>> their pre-forwarding headers. Et cetera...
>
> Blech. Why not just let them rewrite the sender address.

You, of course, are welcome to do whatever you want with SPF records;
I happen to dislike punishing MTAs for following the SMTP specs.

But please understand that strict SPF processing hasn't yet stopped
forwarding MTAs from documenting the forwarding according to spec
rather than rewriting addresses the way you want them to. Do you really
believe this will change?

> People just should not be encouraged to send email with return-paths
> in domains that don't belong to them. It simply postpones the day when
> we can hold senders accountable for their traffic.

Unfortunately, that is what the SMTP RFCs call for: if you don't
like it, you should be seeking consensus to change them.

Furthermore, you seem to be confusing "people who send email" with
MTAs which process it. The return-path is intended to be the "best"
address for notifications. As things currently stand, MTAs are in no
position to second-guess whether some other address would be "better".

--
John Leslie <john at jlc.net>
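
The mismatch discussed in this message, as an added example that is not part of the original post: an accurate SPF record fails when checked against a forwarder's IP, while the hop the forwarder documented in its trace header passes. The domains, addresses, headers, the whitelist and the reduced SPF evaluator (only `ip4` and `all`) are constructed assumptions, not anything proposed in the thread.

```python
import ipaddress
import re

# Constructed sample data: documentation address ranges and example domains.
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 -all"   # policy published by sender.example
TRUSTED_FORWARDERS = {"198.51.100.25"}        # hypothetical local whitelist
# Trace headers, newest first, as the final receiver sees them.
RECEIVED = [
    "from fwd.forwarder.example ([198.51.100.25]) "
    "by mx.final.example; Fri, 23 Jan 2009 06:13:10 -0800",
    "from out.sender.example ([192.0.2.10]) "
    "by fwd.forwarder.example; Fri, 23 Jan 2009 06:13:05 -0800",
]

def spf_check(record, ip):
    """Evaluate only the ip4 and all mechanisms (a deliberate simplification)."""
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(mech[4:], strict=False)
        else:
            matched = mech == "all"
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"

def hop_ip(received):
    """Extract the bracketed client IPv4 address from one Received header."""
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received)
    return m.group(1) if m else None

def evaluate(record, connecting_ip, received, trusted):
    """Return (raw SPF result, result after honouring documented forwarding)."""
    raw = spf_check(record, connecting_ip)
    if raw == "pass" or connecting_ip not in trusted:
        return raw, raw  # headers written by unknown hosts may be forged
    # The header after ours was written by the trusted forwarder itself.
    ips = [hop_ip(h) for h in received]
    if connecting_ip in ips:
        i = ips.index(connecting_ip)
        if i + 1 < len(ips) and ips[i + 1]:
            return raw, spf_check(record, ips[i + 1])
    return raw, raw

if __name__ == "__main__":
    print(evaluate(SPF_RECORD, "198.51.100.25", RECEIVED, TRUSTED_FORWARDERS))
```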