Erik Aronesty wrote:
Isaac To <iketo2@netscape.net> wrote in message news:<2lxJ5-8oQ-17@gated-at.bofh.it>...

Erik Aronesty <erik@zoneedit.com> writes:

I was thinking that a spammer could create an envelope address with "SRS0+hash=timestamp=aol.com=bob@throwawaydomain.com" and a From: bob@aol.com with valid SPF info in throwawaydomain.com. They, obviously, could do this. Someone who sees that spam will, likely, blame aol.com and not "throwawaydomain.com". Just like spammers use throwaway IP's to send mail, they will use throwaway domains to masquerade as forwarding agents - just like they use throwaway IP's now.

BTW, forwarding is normally set up manually, e.g., you might want your university to forward all mails to your home ISP account. So you know exactly who are your valid forwarders (here, your university only). Your case would then be trivially blocked in the client side.

It cannot be stopped by the client. If someone from AOL sends email to my university account and I forward that to my roadrunner account without using SRS, Roadrunner could use the SPF record on the original aol.com envelope header to see that my university account is not a valid mail agent for AOL.com and block my forwarded files. The only people involved in the blocking of my valid, forwarded mail here would be AOL and Roadrunner... not me. Remember, millions of people forward mail like this in many, varied ways. Every single one of them will need to modify their .forward scripts and patch their MTA's, etc. to use SRS. This solution is an enormous amount of work for everyone on the Internet.
Stop arguing for a second and think about these three questions:

1. How many common Internet users forward mail from one address to another?
2. When a standard for domain forgery protection in MAIL FROM is ratified, are consumer ISPs likely to ignore the needs of their customers and start rejecting mail?
3. Are major forwarders mostly going to sit back and ignore the coming change?

From my own experience and following the proceedings of the various groups involved in these standards, here are my answers:

1. Only a very small percentage of email users have one address that forwards to another. There are only a limited number of ways this is provided to users. The only one that poses problems in terms of upgrading software to automatically apply SRS or similar transformations is a .forward that pipes to some program. The microscopic percentage of Internet users who have such a configuration will not have such a hard time updating it to use a proper address. And that is only required of users who call programs that don't get updated to do SRS unless it is specified against.
2. Consumer ISPs tend not to want to drive away customers, and it's fairly easy to detect address-forwarded mail coming into a system. It's easy enough for these ISPs to send a simple form email to such customers asking them to enter the forwarding address into a web form, or even simply confirm the forwarding address detected. In any case, it is very unlikely that any consumer ISP will be so unfriendly to their customers that they will suddenly start rejecting mail without warning.
3. Most major forwarding services are already watching the proceedings of the standards groups, to see what, if anything, they need to do. Debian is likely one of the few in which users of the forwarding service actively oppose making the service compliant with potential standards.
Philip Miller
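
The forwarding case argued over in this thread, as an added Python example that is not part of any poster's message: an SPF check on the envelope sender fails when the university relays AOL mail unchanged and passes once the sender is rewritten into the forwarder's domain using the SRS0 layout quoted above. The SPF table, IP addresses, `university.example`, the secret, the fixed timestamp and the 4-character HMAC tag are assumptions made for illustration; this is a simplified sketch, not the code of any SRS library.

```python
import base64
import hashlib
import hmac

# Constructed SPF data: envelope domain -> IPs permitted to send for it.
SPF = {"aol.com": {"192.0.2.10"}, "university.example": {"198.51.100.20"}}
SECRET = b"forwarder-local-secret"  # constructed key held only by the forwarder


def spf_check(mail_from, client_ip):
    """Simplified SPF: is client_ip listed for the MAIL FROM domain?"""
    allowed = SPF.get(mail_from.rsplit("@", 1)[1].lower())
    if allowed is None:
        return "none"
    return "pass" if client_ip in allowed else "fail"


def _tag(timestamp, domain, local):
    # Short keyed hash so only this forwarder can mint valid return paths.
    data = f"{timestamp}{domain}{local}".lower().encode()
    digest = hmac.new(SECRET, data, hashlib.sha1).digest()
    return base64.b64encode(digest)[:4].decode()


def srs_forward(mail_from, forwarder_domain, timestamp="AB"):
    """Rewrite the envelope sender into the forwarder's own domain."""
    local, domain = mail_from.rsplit("@", 1)
    tag = _tag(timestamp, domain, local)
    return f"SRS0+{tag}={timestamp}={domain}={local}@{forwarder_domain}"


def srs_reverse(srs_address):
    """Recover the original sender for a bounce; reject forged tags."""
    body = srs_address.rsplit("@", 1)[0]
    if not body.startswith("SRS0+"):
        raise ValueError("not an SRS0 address")
    tag, timestamp, domain, local = body[len("SRS0+"):].split("=", 3)
    if not hmac.compare_digest(tag, _tag(timestamp, domain, local)):
        raise ValueError("SRS hash mismatch")
    return f"{local}@{domain}"


if __name__ == "__main__":
    rewritten = srs_forward("bob@aol.com", "university.example")
    print(spf_check("bob@aol.com", "198.51.100.20"))  # forwarded unchanged
    print(spf_check(rewritten, "198.51.100.20"))       # forwarded with SRS
    print(srs_reverse(rewritten))
```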