North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Time to check the rate limits on your mail servers

  • From: Douglas Otis
  • Date: Fri Feb 04 17:12:12 2005

On Fri, 2005-02-04 at 09:53 -0500, Todd Vierling wrote:
> On Thu, 3 Feb 2005, Edward B. Dreger wrote:
> > JJ> auth is sufficient to make email traceable to your own customers.
> >
> > End users also would appreciate the ability to _know_ a message is not
> > forged.
> The only way to be sure is via cryptographic signature.  Barring that level
> of immediate traceability, SPF provides a very useful data point to that
> end (as its *only* purpose is curbing forgery).

Attempting to detect spam trickled through thousands of compromised
systems sent through the ISP's mail servers, SPF does nothing, and could
actually damage the reputation of those domains that authorize the
provider for their mailbox domain using SPF.  These records can be read
by the spammers and then exploited.  Repairing this reputation could be
next to impossible.

With respect to forgery, authorization is not authentication.  There is
no consensus which mailbox-domain is checked, SPF (MAILFROM or HELO),
Classic (MAILFROM or Other and HELO), or Sender-ID (PRA), so it is
uncertain which mailbox-domain may have been checked for authorization,
if any.  False assurances could be worse than no assurances.
White-listing for forwarded accounts or mailing lists to allow an SPF
rule-set bypass means there is no certainty a check was ever made.