How to whitelist ebay but not ebay spoofs?

George Schlossnagle george@omniti.com
Thu Dec 16 00:16:06 UTC 2004


On Dec 15, 2004, at 6:51 PM, Vernon Schryver wrote:
>   - ${dcc_envelope_is_truthful} would not be quite right or not quite
>      as useful as it might sound.  In the unlikely event that not
>      merely publishing SPF RRs but checking them became popular,
>      phishers would buy ebey.com and publish SPF records for it.
>      Notice the NANAS reports of ebey.com phishing spam in
>      http://groups.google.com/groups?q=ebey.com+group:*.sightings

That was actually the point I was trying to make, probably not very 
clearly. :)  The existence of an SPF record (or valid DK signature or 
auth method xyz)  doesn't guarantee that the mail is good, only that 
the person is who they claim to be.  If they claim to be 'ebey.com', 
that's great,  because that domain will never be on my whitelist (and 
probably on an explicit blacklist).

I think those technologies (spf/dk/iim/senderid/etc.) belong in logic 
like:

if authenticated():
    if domain is trusted:
        accept
else:
    do whatever I normally do


>   - Saying that I don't think much of SPF grossly overstates my
>      enthusiasm.  I'll leave to your imagination what I really think
>      of using SPF for any purpose other than the one implied by the
>      reports that valid SPF RRs are commonly seen for spam.

While the technology has some flaws, I think that you might feel 
differently if you consider it simply as a stab at an authentication 
technology and not as an authorization technology.  Or maybe not.  :)

George
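An added illustration of the accept logic sketched in the post above; this is not code from the post, from DCC, or from any SPF/DK implementation. It assumes an Authentication-Results style header has already been written by the receiving MTA, and the header layout, the whitelist/blacklist contents and the sample messages are all constructed for the example. The point it shows is the one made in the thread: an authentication pass only tells you which domain is speaking, so the whitelist is keyed on that authenticated domain and never on what the From: line claims, which is why a phisher with perfectly valid SPF for ebey.com gets nothing out of it.

```python
# Added illustration, not code from the post or from DCC: the
# "authenticate first, then check the authenticated domain against my
# own lists" logic sketched above.  The header format, the domain lists
# and the sample messages are all constructed for this example.
import re

# Constructed policy lists.  Authentication says who is speaking;
# these lists decide whether that speaker gets special treatment.
WHITELIST = {"ebay.com", "paypal.com"}
BLACKLIST = {"ebey.com"}

# Matches "spf=pass ... smtp.mailfrom=<domain>" or
# "dkim=pass ... header.d=<domain>" clauses of an
# Authentication-Results style header (assumed layout).
AUTH_RE = re.compile(
    r"(spf|dkim)=(pass|fail|none|softfail|neutral)\b[^;]*?"
    r"(?:smtp\.mailfrom|header\.d)=([\w.-]+)",
    re.I,
)


def authenticated_domain(auth_results):
    """Return the domain some method actually vouched for, or None.

    Only a 'pass' counts.  A 'fail' for ebay.com and a 'pass' for
    ebey.com both leave ebay.com unauthenticated.
    """
    for _method, result, domain in AUTH_RE.findall(auth_results or ""):
        if result.lower() == "pass":
            return domain.lower()
    return None


def decide(msg):
    """Return 'accept', 'reject' or 'filter' for a message dict.

    'filter' means: fall through to whatever the normal spam checks do.
    The From: header is deliberately not consulted here; only the
    identity an authentication method vouched for can earn a whitelist
    hit, so a mail that says "From: ebay.com" but authenticates as
    ebey.com is not whitelisted.
    """
    domain = authenticated_domain(msg.get("auth_results"))
    if domain is not None:
        if domain in WHITELIST:
            return "accept"
        if domain in BLACKLIST:
            return "reject"
    # Unauthenticated, or authenticated as a domain we know nothing
    # about: the normal spam filtering applies.
    return "filter"


# Constructed sample messages.
SAMPLES = [
    {"from_domain": "ebay.com",
     "auth_results": "mx.example.net; spf=pass smtp.mailfrom=ebay.com"},
    {"from_domain": "ebay.com",
     "auth_results": "mx.example.net; spf=fail smtp.mailfrom=ebay.com"},
    {"from_domain": "ebay.com",     # the ebey.com phisher with valid SPF
     "auth_results": "mx.example.net; spf=pass smtp.mailfrom=ebey.com"},
    {"from_domain": "ebay.com",     # unknown but authenticated domain
     "auth_results": "mx.example.net; dkim=pass header.d=example.org; spf=none"},
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(msg["from_domain"], "->", decide(msg))
```

Run stand-alone it prints one decision per sample: only the mail that actually authenticates as ebay.com is accepted; the SPF failure and the unknown domain go to the normal filters, and the ebey.com sender is rejected because its authenticated identity is on the blacklist, regardless of the From: line.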




More information about the DCC mailing list
