TMDA Re: [Gllug] New worm doing the rounds?

Jason Clifford jason at ukpost.com
Tue Feb 17 17:51:03 UTC 2004 

On Tue, 17 Feb 2004, Bruce Richardson wrote:

> > And your own email is proof of the fundemental failing in the SPF scheme.
> 
> No, it isn't.  I own my own domain.

You don't post from it. You don't own uklinux.net so that's the valid 
metric for the message you posted - note I stated your email and not you.

>  If SPF were widespread, I'd have
> another incentive to set things up properly.  In fact, SPF would make it
> easier for me to be official, given that I have a fixed ip address,
> because I could ask UKLinux to add SPF records sanctioning the use of my
> ip address for my domain.  That way I could send mail from my personal
> domain directly, but if I wanted to send mail from @uklinux.net, I'd
> need to send my mail via the uklinux mail servers.

Thus you loose the freedom to use your uklinux email address except when 
using their mail servers.

This is the single source lock in I mentioned before which a lot of people 
want to avoid.

> Why not?  If I could impose that limit for our work domain, I'd do it so
> quickly it'd happen yesterday.  If, otoh, UKLinux or any other
> organisation wanted to allow anybody to @uklinux.net mail from anywhere,
> they could have a wildcard record. 

Wildcards records would quickly become the norm for most email addresses 
thus totally undermining the scheme.

> Of course, mail administrators like
> myself would probably add special policies to deal with domains that had
> wildcard records but then that is my right.  Nobody has an inalienable
> right to send me e-mail and have it accepted.  Anybody who thinks they
> do can apply personally for a thumping.

This is true however when you think this way remember that you are 
encouraging the splintering of the net and reducing the number of 
recipients who will be likely to accept your own legitimate email.

> At the moment, you can abuse the Internet mail system to send mail using
> my personal domain in your headers.  Now, the fact that you are
> technically able to do that does not make it a right and the imposition
> of technical obstacles to prevent you from doing that is not the removal
> of a right.

You know full well that I never suggested any such "right". 

You should also know that no scheme to try and impose controls can work 
without fundementally undermining the function of email as a positive and 
easy to use communication method.

> > It's another non starter for anyone who values the freedom of separating 
> > their email address from their current connection etc.
> 
> No, it isn't.  There are always ways, as I've outlined.

The ways you've outlined are unworkable in my view. My views are not 
entirely without a basis in solid experience.

> > Note from the obstinate: if can only be effective if you take away 
> > significant freedoms from 'net users and impose "single supplier" limits 
> > that are unlikely to be attractive to users.
> 
> No.  Sorry, just no.  The option of wildcard records makes that just so
> much huge, hairy bollocks.  Any Internet organisation that thinks it is
> defending basic freedoms can have wildcard records.

Which as you have already stated will probably be administratively 
punished by others resulting in people only being able to use email where 
the single supplier lock in is in place.

> SPF is just a way of providing information, not forcing restrictions.

Rubbish. SPF depends upon recipient servers using that data. To claim that 
it's right because nobody has to use it to nonsense as were it to take off 
more and more large networks would refuse to cooperate with those not 
taking part in the scheme.

> It allows mail administrators to set policy, it doesn't force that same
> policy on everyone. 

If AOL, Freeserve, Hotmail, and various other large ISPs implement those 
policies they are very much forced on others.

> It's also a much better way of allowing mail administrators to choose
> policy than RBLs, because it lets me base my mail policies on the
> information that *you* provide, rather than the prejudices of some rbl
> maintainer. 

And how do you know you can trust *me*? Do you expect spammers not to 
publish their own misleading SPF records? They already publish misleading 
DNS records and otherwise seek to mislead though the use of protocol 
abuse.

> In a world where SPF or some similar system had had gained
> hold, I could, off the top of my head, classify mail in 3 broad
> categories:
> 
> 1.  Mail whose source and headers match the associated SPF records (from
> a domain that doesn't have wildcard SPF records).
> 2.  Mail whose headers and source do not match in violation of the SPF
> records for the sender domain.
> 3.  Mail whose headers match an SPF wildcard.

If that's the only classification open to you all you have is a very blunt 
tool.

> > As a result it's unlikely to be taken up widely so those who do become 
> > early adopters will be causing problems for everyone else.
> 
> There are proposed migration paths, both for this and for other schemes.
> Even if only a few 

I remain unconvinced.

> > It's rather akin to having a local neighbourhood barricade itself off and 
> > insist that only those personally known to their employed guards can enter 
> > to make deliveries, etc. Very soon such a neighbourhood will find itself 
> > without any deliveries while also causing disruption to those nearby.
> 
> Again, huge, steaming, hairy bollocks, for all the reasons outlined
> above.  SPF would allow me to reject more invalid (by my designation)
> mail outright while running other mail through the usual checks.  I try
> quite hard to strike a balance there, since we have contacts worldwide
> and our staff expect to be contactable not only by them but anybody else
> with a legitimate purpose.  SPF would let me strike this balance more
> scrupulously, with less error.

I disagree. It's too blunt an instrument to offer any real balance and it 
looks far to trivially easy to abuse.

> Mail systems all over the world reject all kinds of mail for all kinds
> of reasons.  As long as they give a valid smtp response or NDR, they are
> doing absolutely nothing wrong.  The problem at the moment is that the
> abuses of the current technology are panicking many organisations into
> imposing policies that are arbitrary and unfair.  SPF or something
> similar could do a lot to stop that.

No it wont. You've admitted in your own message that it's insufficient on 
it's own and you still need additional policies and systems to retain 
control over your email.

Jason Clifford
-- 
UKFSN.ORG		Finance Free Software while you surf the 'net
http://www.ukfsn.org/	   ADSL Broadband from just £23.75 / month 

-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug

More information about the GLLUG mailing list