warning to list

Sean Middleditch elanthis at awesomeplay.com
Tue Oct 26 13:45:36 UTC 2004


[This discussion should come off list.  I'm not replying to any more of
these.  spf-discuss is the correct place to have these discussions.]

On Tue, 2004-10-26 at 08:48 +0100, David Woodhouse wrote:
> On Mon, 2004-10-25 at 21:07 -0400, Sean Middleditch wrote:
> > No.  You fix them.  Back to the accreditation service point if you want
> > to be lazy and avoid a very simple fix on the forwarding service end.
> 
> Right. SPF, if it's to work, requires the whole world to 'upgrade' to
> make the initial flawed assumptions of SPF come true.

Fortunately, SPF already works.

FC4 could ship Evolution with an SPF plugin/patch that just displayed a
warning next to any mail that failed the checks.  No loss of mail
possible, but anything claiming to be from Red Hat would already work.

Sure, many (most) domains won't be SPF protected any time soon, but we
don't *care* about most of those domains.  I don't care if mail from
bobsbassproshop.com is spoofed.  I do care if mail from Red Hat Security
Team is spoofed.

Additionally, most email comes from large ISPs and mail services, such
as aol.com, hotmail.com, yahoo.com, and so on.  Most of those are
working with SPF, either already using the current version or working on
the new edition.

> 
> This is in the same world which hasn't actually managed to make ESMTP
> ubiquitous yet.
> 
> Meng and the others are living in a dream world.

You seem to be prejudiced.  If you're already convinced that the system
is broken, there's probably no rationalized answer that's going to
convince you otherwise.

Gotta love it when people take technical problems and make them
religious.

> 
> Paul Iadonisi writes:
> > Especially if they have no forwarding issues, it may be
> > an entirely appropriate and beneficial thing for Red Hat to do. 
> 
> How do they _know_ they have no forwarding issues -- that they never
> send mail to a forwarding address? I'd certainly be surprised if that
> were the case. There are countless cases of a non-technical company
> getting someone to register a domain and set up a web site somewhere,
> and forwarding all mail to that domain to the company's single real AOL
> address. Is it appropriate for Red Hat to declare that they don't ever
> want to send mail to such people? Or others who use .forward files or
> virtual domains to forward mail?

Those forwarding hosts should be upgraded.  Yes, it requires change.
Change is scary.  Eeek, change...

SPF is the simplest of all the proposed fixes to the e-mail system's lack
of authentication.  Users don't need to do anything other than run
up-to-date software.  Anti-spam systems like SpamAssassin, and soon mail
clients like Evolution, will automatically do the SPF checking.  Users
with older clients won't be at a loss - they won't get locked out of the
system, they'll just be stuck with what they had before.  Sending hosts
have to do nothing more than publish a simple SPF record, and then
*only* if they want - they won't be locked out of the mail system if
they don't.  Forwarding hosts are the only ones that have to do anything
significant, and even then, it's not all *that* significant.

For end-users that are forced to use forwarding hosts that don't support
SUBMITTER, SRS, or one of the other fixes, they can just whitelist their
forwarding host and be done with it.  A good mail client could do this
automatically for them, the same as the new mail clients all have nice
integrated anti-spam systems.

> 
> -- 
> dwmw2
> 
> 
-- 
Sean Middleditch <elanthis at awesomeplay.com>
AwesomePlay Productions, Inc.
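The client-side check described in this message (evaluate the sender domain's SPF record, warn on failure, and exempt a forwarding host the user has whitelisted), as an added example that is not from the thread; the SPF records, domains and IP addresses are constructed, and only ip4/ip6 mechanisms and "all" are handled.

```python
import ipaddress

# Constructed sample SPF records keyed by the MAIL FROM domain (not real DNS data).
SPF_RECORDS = {
    "redhat.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.10 -all",
    "bobsbassproshop.example": "v=spf1 ~all",
}

# Result for a matching mechanism, by its qualifier prefix.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, records=SPF_RECORDS):
    """Simplified SPF evaluation: returns pass, fail, softfail, neutral or none.

    A real evaluator must also handle a, mx, include, redirect, exists,
    macros and the DNS lookup limit; this covers only ip4/ip6 and all.
    """
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no (valid) SPF record published for this domain
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            # An address never matches a network of the other IP version.
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER_RESULT[qualifier]
        elif term == "all":
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched and no "all" term present


def classify(mail_from_domain, client_ip, trusted_forwarders=frozenset()):
    """Decide what an SPF-aware client shows for one message: ok, warn or skip.

    Mail relayed by a forwarding host the user whitelisted is not judged
    by SPF at all, because that host's IP will never appear in the original
    sender's record. Nothing is dropped; a failure only produces a warning.
    """
    if client_ip in trusted_forwarders:
        return "skip", "relayed by whitelisted forwarder %s" % client_ip
    result = check_spf(mail_from_domain, client_ip)
    if result == "fail":
        return "warn", "SPF fail for %s from %s" % (mail_from_domain, client_ip)
    return "ok", "SPF %s" % result
```

Softfail (~all) is deliberately not warned on here; a client could treat it as a weaker hint rather than a hard failure.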