How to whitelist ebay but not ebay spoofs?

Vernon Schryver
Thu Dec 16 00:49:49 UTC 2004

> From: George Schlossnagle <>

> While the technology has some flaws, I think that you might feel 
> different if you consider it simply as stab at an authentication 
> technology and not as an authorization technology.  Or maybe not.  :)

Authentication without authorization is worse than snakeoil if you are
expected to issue blank check authorizations based on the authentication
of perfect strangers as in ActiveX, SPF, and Sender-ID.  Authentication
without authorization is like a password without a username.

Authenticating the unknown sender of an incoming message tells you
nothing about whether substantially identical copies of the message
are being sent to 30,000,000 of your intimate friends.  Authenticated
strangers are almost the same as unauthenticated strangers.  The most
SPF might do is reduce bounces of forged mail that should have been
rejected during the original SMTP transaction.  If you reject instead
of bounce, there's probably no point in checking SPF RRs.  If you
bounce, your time would probably be better spent trying to reject.

On the other hand, there are existing mechanisms that do better jobs
than SPF of authenticating mail senders that are not strangers, as in

> if authenticated():
>   if domain is trusted:
>     accept
> else:
>   do whatever I normally do

You could use SMTP-AUTH, SMTP-TLS, PGP, or S/MIME, just to name 4.  If
eBay sent with SMTP-TLS or SMTP-AUTH, you could add their certificates
to your sendmail cert directory, and use `hackmc -T` to DCC-whitelist
mail that arrives with validated keys.  That machinery has been in use
longer than the years that SPF realsoonnow been going to become
standardized and deployed for real (really checking SPF RRs instead
of merely publishing them).

Does eBay use SMTP-TLS or SMTP-AUTH?

Vernon Schryver
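An added illustration of the authentication-versus-authorization point made in the post above (example code written for this page, not Vernon's or the DCC project's); the mechanism names, identities and trust table are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# Explicit authorization table: (mechanism, verified identity) pairs the
# operator has deliberately chosen to trust. Constructed sample entries.
TRUSTED_SENDERS: FrozenSet[Tuple[str, str]] = frozenset({
    ("smtp-tls", "CN=mail.ebay.example"),          # pinned client cert
    ("smtp-auth", "bulkmailer@partner.example"),   # SMTP-AUTH account
})


@dataclass(frozen=True)
class AuthResult:
    mechanism: str   # "spf", "smtp-tls", "smtp-auth" or "none"
    identity: str    # what the mechanism actually verified
    verified: bool   # whether the check itself succeeded


def disposition(auth: AuthResult) -> Tuple[str, str]:
    """Return (action, reason). Only a sender that is both authenticated
    and present in the authorization table is whitelisted; everyone else,
    including authenticated strangers, goes through normal filtering."""
    if auth.mechanism == "none" or not auth.verified:
        return "normal-filtering", "not authenticated"
    if (auth.mechanism, auth.identity) in TRUSTED_SENDERS:
        return "whitelist", f"{auth.mechanism} identity is authorized"
    # Authentication succeeded, but there is no prior relationship with
    # this identity: a verified stranger is still a stranger.
    return "normal-filtering", f"{auth.mechanism} pass for unknown identity"


# Constructed incoming-mail scenarios, including a look-alike domain that
# publishes SPF records and therefore "passes" SPF without being trusted.
SAMPLE_MESSAGES: Dict[str, AuthResult] = {
    "lookalike-spf-pass": AuthResult("spf", "ebay-login.example", True),
    "real-domain-spf-pass": AuthResult("spf", "ebay.example", True),
    "pinned-cert-ok": AuthResult("smtp-tls", "CN=mail.ebay.example", True),
    "pinned-cert-unverified": AuthResult("smtp-tls", "CN=mail.ebay.example", False),
    "auth-account": AuthResult("smtp-auth", "bulkmailer@partner.example", True),
}


def evaluate_all() -> Dict[str, str]:
    """Map each sample scenario to the action the policy would take."""
    return {name: disposition(a)[0] for name, a in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, auth in SAMPLE_MESSAGES.items():
        action, reason = disposition(auth)
        print(f"{name:24} -> {action:16} ({reason})")
```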
