Mailing List Archive: SPF: Discuss

reviewing alternative proposals

Index | Next | Previous | View Threaded

mengwong at dumbo

Oct 11, 2003, 7:43 PM

Post #1 of 3 (177 views)
Permalink

reviewing alternative proposals

I've been doing some research as part of the Designated-Sender-Scheme
unification project.

http://www.irtf.org/asrg/asrg_documents.htm collects a lot of useful
background in one place; if you're new to the list, you should review
it. Here are some tasty bits.

--

A PDF reviewing the pros and cons of various approaches may be found at:
http://www.elan.net/~william/asrg-emailpathverification-presentation.pdf

It describes the MAIL FROM cookie and the Message-ID ideas.

--

http://www.ietf.org/rfc/rfc2505.txt

However, the MTA MAY throttle down the TCP connection ("read()"
frequency) if there are more than one "RCPT To:" and that way slow
down spammers using "MAIL From: <>".

SPF addresses forgery of the null sender address "<>" by reverting to
the HELO domain.

But there's another property of "<>": error messages should only ever go
to one account. Spammers always want to send to more than one account.
If a "<>" sender tries to mail to more than one recipient, we know
something's fishy. This is neither here nor there, just a useful
observation.

--

Tomorrow I present the new version of SPF at Foo Camp.

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname@©#«Mo\¯HÝÜîU;±¤Ö¤Íµøˆ¡

wayne at midwestcs

Oct 12, 2003, 6:47 PM

Post #2 of 3 (171 views)
Permalink

Re: reviewing alternative proposals: RMX v3 [In reply to]

In <20031012024345.34B131D7 [at] dumbo> mengwong [at] dumbo (Meng Weng Wong) writes:

> I've been doing some research as part of the Designated-Sender-Scheme
> unification project.

I just learned that version 3 of the RMX proposal has been released.
See:

http://www.danisch.de/work/security/antispam.html

The last version of RMX that I had looked at appears to have been v1,
and it appears that Hadmut Danisch has made many significant changes
since then. In particular, RMX-v3 adds a DNSWL type system, much like
the SPF and DMP systems. Still missing is any sort of sender rewrite
system to handle bounces and deal with forwarding.

As I understand it, there is activity going on to merge the various
designated sender systems, so it looks like progress is being made.

-wayne

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname@©#«Mo\¯HÝÜîU;±¤Ö¤Íµøˆ¡

wayne at midwestcs

Oct 12, 2003, 6:52 PM

Post #3 of 3 (171 views)
Permalink

Re: reviewing alternative proposals [In reply to]

In <20031012024345.34B131D7 [at] dumbo> mengwong [at] dumbo (Meng Weng Wong) writes:

>
> A PDF reviewing the pros and cons of various approaches may be found at:
> http://www.elan.net/~william/asrg-emailpathverification-presentation.pdf

I last read this PDF when it was first posted to the ASRG mailing
list. While it contains some useful information, I found holes in the
presented arguments that were so large that I didn't even consider
responding to it. In particular, things like SPF/RMX are dismissed
due to the Traveling Mailman Problem (addressed in the SPF FAQ) and
the fact that almost all SMTP relays now a days are either known and
trusted by the sender, or by the receiver. The "complex" situation
that is mentioned is really not that complex. Oh, and mailing lists
are not SMTP forwarders, but rather recievers and then senders.

-wayne

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname@©#«Mo\¯HÝÜîU;±¤Ö¤Íµøˆ¡

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads