[77773] in North American Network Operators' Group
Re: Time to check the rate limits on your mail servers
daemon@ATHENA.MIT.EDU (Douglas Otis)
Fri Feb 4 17:11:34 2005
From: Douglas Otis <dotis@mail-abuse.org>
To: Todd Vierling <tv@duh.org>
Cc: nanog@merit.edu
In-Reply-To: <Pine.NEB.4.61.0502040951350.25725@server.duh.org>
Date: Fri, 04 Feb 2005 14:10:52 -0800
Errors-To: owner-nanog-outgoing@merit.edu
On Fri, 2005-02-04 at 09:53 -0500, Todd Vierling wrote:
> On Thu, 3 Feb 2005, Edward B. Dreger wrote:
>
> > JJ> auth is sufficient to make email traceable to your own customers.
> >
> > End users also would appreciate the ability to _know_ a message is not
> > forged.
>
> The only way to be sure is via cryptographic signature. Barring that level
> of immediate traceability, SPF provides a very useful data point to that
> end (as its *only* purpose is curbing forgery).
Attempting to detect spam trickled through thousands of compromised
systems sent through the ISP's mail servers, SPF does nothing, and could
actually damage the reputation of those domains that authorize the
provider for their mailbox domain using SPF. These records can be read
by the spammers and then exploited. Repairing this reputation could be
next to impossible.
With respect to forgery, authorization is not authentication. There is
no consensus which mailbox-domain is checked, SPF (MAILFROM or HELO),
Classic (MAILFROM or Other and HELO), or Sender-ID (PRA), so it is
uncertain which mailbox-domain may have been checked for authorization,
if any. False assurances could be worse than no assurances.
White-listing for forwarded accounts or mailing lists to allow an SPF
rule-set bypass means there is no certainty a check was ever made.
-Doug
