TMDA Re: [Gllug] New worm doing the rounds?
Jason Clifford
jason at ukpost.com
Tue Feb 17 12:08:15 UTC 2004
On Tue, 17 Feb 2004, Bruce Richardson wrote:
> SPF isn't a challenge/response mechanism. It's a suggested extension to
> current DNS practice that would allow organisations to specify which
> mail systems are allowed to send mail for their domain (current practice
> only allows you to specify which machines will receive mail for your
> domain). If such practice were widespread, it would enable mail admins
> to reject any mail with an @example.org address if it didn't come from a
> designated sender machine without even looking any further.
And your own email is proof of the fundamental failing in the SPF scheme.
From the headers:
Received: from knossos.bruce (i-194-106-60-104.dsl.freedom2surf.net
    [194.106.60.104])
    by mail.ukfsn.org (Postfix) with ESMTP id 6F186E6DBC
    for <gllug at gllug.org.uk>; Tue, 17 Feb 2004 11:08:38 +0000 (GMT)
Received: from [192.168.10.50] (helo=phaistos.bruce)
    by knossos.bruce with esmtp (Exim 4.30 #1 (Debian))
    id 1At36f-0005cR-IS
    for <gllug at gllug.org.uk>; Tue, 17 Feb 2004 11:09:37 +0000
Received: from brichardson by phaistos.bruce with local (Exim 4.30 #1
    (Debian))
    id 1At36f-0004g8-Hw
    for <gllug at gllug.org.uk>; Tue, 17 Feb 2004 11:09:37 +0000
You are clearly authorised to use your email address and to send out email
from that domain to do so. It's not reasonable to impose a limit
preventing you from using your email address to send email except through
your ISP's mail server.
If the server hosting the gllug mailing lists were using SPF your mail
would have been rejected.
> The basic idea is good but it faces the problem that it doesn't become
> effective until the practice is widespread, which provides no incentive
> for early adoption.
It's another non starter for anyone who values the freedom of separating
their email address from their current connection etc.
> Note for the obstinate: like many other mail policies, SPF would only be
> effective for an organisation if the policy were applied on *all* mail
> exchangers, "backup" or no.
Note from the obstinate: it can only be effective if you take away
significant freedoms from 'net users and impose "single supplier" limits
that are unlikely to be attractive to users.
As a result it's unlikely to be taken up widely so those who do become
early adopters will be causing problems for everyone else.
It's rather akin to having a local neighbourhood barricade itself off and
insist that only those personally known to their employed guards can enter
to make deliveries, etc. Very soon such a neighbourhood will find itself
without any deliveries while also causing disruption to those nearby.
Jason Clifford
--
UKFSN.ORG Finance Free Software while you surf the 'net
http://www.ukfsn.org/ ADSL Broadband from just £23.75 / month
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
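
Added example (not part of the original post and not any mail server's own code): a simplified SPF check applied to the connecting address recorded in the topmost Received header quoted above. The example.org policies are constructed, only the ip4 and all mechanisms are evaluated, and the function names are hypothetical.

```python
import ipaddress
import re

# Topmost Received header from the message above (written by the receiving server).
RECEIVED = (
    "from knossos.bruce (i-194-106-60-104.dsl.freedom2surf.net "
    "[194.106.60.104]) by mail.ukfsn.org (Postfix) with ESMTP id 6F186E6DBC"
)

# Constructed policies for example.org; these are not real DNS data.
POLICY_ISP_ONLY = "v=spf1 ip4:192.0.2.0/24 -all"
POLICY_WITH_DSL = "v=spf1 ip4:192.0.2.0/24 ip4:194.106.60.104 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def connecting_ip(received):
    """Return the client IP the receiving MTA recorded in square brackets."""
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received)
    if m is None:
        raise ValueError("no bracketed IPv4 address in Received header")
    return ipaddress.ip_address(m.group(1))


def check_spf(record, client_ip):
    """Evaluate ip4 and all mechanisms left to right; the first match decides."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier]
        if name.lower() == "ip4" and client_ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
        # Simplification: a, mx, include and others need DNS and are skipped here.
    return "neutral"  # no mechanism matched


if __name__ == "__main__":
    ip = connecting_ip(RECEIVED)
    for label, policy in (("ISP range only", POLICY_ISP_ONLY), ("DSL host listed", POLICY_WITH_DSL)):
        print(f"{label}: {ip} -> {check_spf(policy, ip)}")
```
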