Mailing List Archive

On Sat, 7 Apr 2007, Frank Ellermann wrote:

> If forwarders don't reject SPF FAIL and keep the forged mail from as
> is they are by definition spam supporters, and the next hop better
> rejects this crap. One of us needs more coffee, is it again me ?

Big ISPs don't have the luxury, but I simply only use forwarders that
properly authenticate (mainly because I run the forwarders :-).
However, there are "forwarders" on my list for braindead web service
companies that forge someone elses MAIL FROM. Since they don't forward,
but only send alerts, they are not relaying spam, and I just pretend they are
actually "forwarding".

For a big ISP, the list of trusted forwarders is *per user*. So if the
user picks a braindead forwarder, the forged spam goes in their mailbox. I
see a large dark problem wrt educating users about the cause and effect
relationship. Somehow they need to understand that their forwarding
choices affect the forged spam they receive.

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=735

On Sat, 7 Apr 2007, Frank Ellermann wrote:
> Yes, and that's where I'm *V*E*R*Y* *I*N*T*E*R*E*S*T*E*D* With SRS it
> is clear that forwarders take the responsibility for mails forwarded
> by them as they should under RFC 821 rules (and explicitly did by
> adding their identity to the reverse path in the pre-1123 world).

Ah, you're calling it a feature that SRS forces forwarding providers to
stake their IP reputation on the identification of a message as
non-forged. But SRS also forces them to either "sign off on" or refuse to
accept SPF-neutral, SPF-none, and SPF-softfail mails. This just isn't
reasonable today.

Entities that punish backscatter, such as UCEPROTECT, generally believe
that backscatter should be prevented by abolishing DSNs entirely, not by
sender validation. So for them "I couldn't get a clear SPF answer" is not
an excuse for backscatter. And for an SRS forwarder, abolishing DSNs
entirely just isn't possible. Even if they go to the *extreme* of
conducting incoming and outgoing SMTP transactions simultaneously, they
can still get saddled with a "MAIL FROM: <> / RCPT TO:
<SRS0=blahblah@blah>" hours later from the next hop.

> How does TENBOX guarantee that the alleged original sender in fact is
> the original sender ?

It doesn't. But TENBOX/E mail will very rarely be bounced, if at all.

If the final recipient trusts the forwarder's TENBOX token enough to stand
down SPF, it would be silly not to also stand down their content filters
(SpamAssassin, ClamAV, DCC, etc.). And content filters are the leading
cause of forwarder bounces.

Note that if you created a "FrankBL" that, say, listed an IP for several
months after a single instance of backscatter to an SPF-protected address,
you'd still be able to have some indirect pressure on a TENBOX forwarder.

Big ISPs who want to stay off the FrankBL would maintain their own
blacklist of forwarders who ignore SPF and simply refuse to allow their
customers to extend TENBOX/E trust to those forwarders. Come to think of
it, FrankBL could maintain such a list itself as an RHSBL.

> And AFAIK I'm the _only_ user on the spamcop list who thinks that an
> SPF FAIL is required, the others report all bogus bounces right away,
> no questions asked.

They probably think the answer is to abolish bounces entirely. Then the
SPF status of a given mail is irrelevant.

---- Michael Deutschmann <michael@talamasca.ocis.net>

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=735

Michael Deutschmann wrote:

> SRS also forces them to either "sign off on" or refuse to
> accept SPF-neutral, SPF-none, and SPF-softfail mails. This
> just isn't reasonable today.

Anything NONE or NEUTRAL is less interesting from my POV, my
policy guarantees PASS, FAIL, or - shit happens - TempError.

So as far as I'm concerned forwarders can use whatever they
like best wrt NONE or NEUTRAL. The SOFTFAIL scenario is as
always tricky, I propose to ignore SOFTFAIL for the moment.

> Entities that punish backscatter, such as UCEPROTECT, generally
> believe that backscatter should be prevented by abolishing DSNs
> entirely, not by sender validation.

I think those "entities" are stupid. At least for an SPF PASS
it's IMO obvious that the sender wishes to get DSNs (and other
auto-replies, where some excl. me draw the line at challenges.)

I also like to get "false positives" caused by checking SPF at
the wrong place (behind the border). If it's a bogus bounce I
report it as spam (the receiver had a fair chance to reject the
FAIL at their border). If it's a bounce related to mail I sent
I can try to send it again on another route (= 551 emulation).

Both cases (bogus bounce or 551-emulation) are very rare at the
moment. Apparently spammers avoid to forge my FAIL-protected
vanity host, therefore forwarders also won't get in trouble by
missing an opportunity to reject it at their border. Apparently
it's also very rare that receivers check SPF at the wrong place,
my complete number of pseudo-551 bounces is still one.

Clearly I'm interested to keep those numbers for simple PASS/FAIL
SPF policies where they are, introducing new loopholes would be
a bad plan from my POV.

> for an SRS forwarder, abolishing DSNs entirely just isn't
> possible.

I'm not sure what your model for SRS is. My model is a mailing
list with one subscriber (the forwarded-to address). Any DSNs
from hops behind the forwarder are not really my business, or
rather they are only my business if the forwarder decides that
I should know what went wrong.

There's also a privacy issue, a long section in RFC 2821, why
routinely using 251 might be not what the receiver wants. As a
simple example, maybe you use an @gmail address in public, and
forward whatever survives the Gmail filters to a less protected
address at another provider. Then you're not interested that I
learn the "direct" route and add it to my address book, because
this address book is later visible for any trojan I install.

For that reason you might also decide that DSNs from anything
behind your forwarder aren't for me. Almost the same idea as
for mailing lists.

>> How does TENBOX guarantee that the alleged original sender in
>> fact is the original sender ?

> It doesn't. But TENBOX/E mail will very rarely be bounced, if
> at all.

Better make sure that forwarders using it MUST reject SPF FAIL
at their border (we can talk about a SHOULD :-), otherwise I'd
consider it as potentially harmful wrt what SPF does today.

These "rare bounces" would include any "vacation" mails or other
auto-replies sent by the user. I'm interested to get it if the
mail triggering any auto-reply was a PASS at the border, and I
consider it as spam if it was a FAIL at the border (forwarder).

> If the final recipient trusts the forwarder's TENBOX token
> enough to stand down SPF, it would be silly not to also stand
> down their content filters (SpamAssassin, ClamAV, DCC, etc.).
> And content filters are the leading cause of forwarder bounces.

I doubt it. It's a clueless user arranging the forwarding, they
will cause havoc behind the final delivery MTA with their own
MUA if necessary. Report their own forwarder as spammer is one
example discussed here sometimes. Maybe there's a Web form where
they can configure a "sieve" working behind the border of the
next hop... <shudder /> If anything can go wrong it will go
wrong, we're lucky if some implementors understand what they do:

One early wannabe-SPF plugin allowed to bounce FAIL at the MUA.
Fortunately we could convince the developer that this is a bad
plan. Somebody implemented "barracuda". Another typical case
is "symantec". Some early "messagelabs" bounces told me that I
should publish a FAIL policy when I already had one, and they
bounced the forged mails to me. I got thousands of challenges
from earthlink, spamarrest, and a Brasilian provider (in 2004).

Trying to offer an alternative to SRS is a good thing, but it
should then preserve the basic feature of SPF: Reject FAIL at
the border (in this case at the border of the forwarder).

>> AFAIK I'm the _only_ user on the spamcop list who thinks that
>> an SPF FAIL is required, the others report all bogus bounces
>> right away, no questions asked.

> They probably think the answer is to abolish bounces entirely.

Yes, some do. But I think some also try to avoid the necessity
of publishing a FAIL policy, because that would force them to
change their provider, and/or take the responsibility for FAIL
effects caused by inappropriate forwarding arrangements. Some
also believe in the FUD spread by interested parties, because
that's easier than to understand how email really works. Last
but not least the SC management failed to limit bounce reports
to users publishing a FAIL policy when they introduced this new
feature (misdirected bounce => spam) in January 2005...

> Then the SPF status of a given mail is irrelevant.

...precisely the problem with those "entities". SPF works fine
without worldwide adoption by receivers, but it's in trouble if
senders try to get away without it. IMO SMTP is far too simple
to survive without (good) DSNs, there's too much that can go
wrong behind the border of the receiver (even after replacing
all unnecessary bounces by rejections as soon as possible).

Frank


-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=735

Stuart D. Gathman wrote:

>> If forwarders don't reject SPF FAIL and keep the forged mail from as
>> is they are by definition spam supporters, and the next hop better
>> rejects this crap. One of us needs more coffee, is it again me ?

> Big ISPs don't have the luxury, but I simply only use forwarders that
> properly authenticate (mainly because I run the forwarders :-).

> However, there are "forwarders" on my list for braindead web service
> companies that forge someone elses MAIL FROM. Since they don't forward,
> but only send alerts, they are not relaying spam, and I just pretend
> they are actually "forwarding".

Makes sene, but it's not unheard of to get this right. Heise.de (German
variant of /.) allows readers to send articles to hopefully interested
parties:

| Return-path: <www@heise.de>
| Delivery-date: Sun, 08 Apr 2007 22:36:16 +0200
| Received: from [194.97.50.135] (helo=mx2.freenet.de)
| by mbox62.freenet.de with esmtpa (ID exim) (Exim 4.67 #3)
| id 1Hae7S-0004zp-3C
| for
[...truncated...]
| From: nobody@xyzzy.claranet.de
| Sender: nobody@xyzzy.claranet.de
| Reply-To: nobody@xyzzy.claranet.de
[...]
| X-Remote-IP: 213.221.75.89
| Subject: heise online: Anti-Spam-Kongress: Strafverfolger sind gefordert
| Message-Id: <E1Hae7P-0004tY-NJ.octo20@web.heise.de>
[...]
|
| Diese Meldung aus dem heise online-Newsticker wurde Ihnen von
| "nobody@xyzzy.claranet.de" gesandt. Wir weisen darauf hin, dass die
| Absenderangabe nicht verifiziert ist. Sollten Sie Zweifel an der
| Authentizität des Absenders haben, ignorieren Sie diese E-Mail bitte.
| ------------------------------------------------------------------------
| Test
| ------------------------------------------------------------------------
|
| 05.09.2006 16:21
|
| Anti-Spam-Kongress: Strafverfolger sind gefordert
|
| Technisch sind Spammer, Scammer und Phisher nicht zur Strecke zu
[...]
| SpamSpot-Partner Microsoft hat nach Angaben von Craig Spiezle
| inzwischen rund 250 Verfahren gegen Spammer angestrengt. Der
| Microsoft-Manager (Director Windows Live Strategy) unterstrich in Köln
| die "sehr guten Ergebnisse" des Sender ID Framework/SPF[8]. Knapp 40
| Prozent der bei Hotmail eingehenden legitimen E-Mail nutze die im DNS
| hinterlegten IP-Adresseinträge zur Authentifizierung ihrer Mailserver,
| sagte Spiezle gegenüber heise online.
[...]
| URL dieses Artikels:
| http://www.heise.de/newsticker/meldung/77755
[...]

And GMX, a big email provider in at / ch / de (but not more limited to
email today) not only publishes SPF FAIL, they also allow their users
to reject FAIL. Admittedly in an "advanced" part of their config menu,
rejecting FAIL is not their default (but I guess they use it anyway to
improve their default spam rejection results).

Like almost all mail providers I've tested they offer automatical POP3
polls to collect mails from other providers (with that it's unnecessary
to forward mails to a new account).

> For a big ISP, the list of trusted forwarders is *per user*. So if
> the user picks a braindead forwarder, the forged spam goes in their
> mailbox

Okay, but we're talking about a new protocol allowing to improve this
situation without SRS (or the mentioned POP3 polling). This protocol
doesn't need to rehash kludges working without SPF, it can build on
SPF by requiring HELO policies for a hypothetical "AUTH SPFHELO" SASL
mechanism (example). BTW, RFC 2554bis was just approved, it's waiting
for its number now.

Frank


-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=735

Michael Deutschmann wrote on Saturday, April 07, 2007 6:51 PM -0500:

> On Sat, 7 Apr 2007, Frank Ellermann wrote:
> > Yes, and that's where I'm *V*E*R*Y* *I*N*T*E*R*E*S*T*E*D* With SRS
> > it is clear that forwarders take the responsibility for mails
> > forwarded by them as they should under RFC 821 rules (and
> > explicitly did by adding their identity to the reverse path in the
> > pre-1123 world).
>
> Ah, you're calling it a feature that SRS forces forwarding providers
> to stake their IP reputation on the identification of a message as
> non-forged.

It was a very intentional feature of SRS. SPF gives domain owners a
tool to tell recipients how to detect when that sender's domain is
forged. It works by associating IP with MAIL FROM domain name, which
happens to force senders to take responsibility for *everything* they
emit, regardless of how they got it. This is the fundamental SPF
assumption. While forwarders feel they are an exception, because
someone else purportedly originated the message, that violates the SPF
assumption of full responsibility for your outflow.

"Be liberal in what you accept, and conservative in what you send"
- J. Postel


> But SRS also forces them to either "sign off on" or refuse to accept
> SPF-neutral, SPF-none, and SPF-softfail mails. This just isn't
> reasonable today.

I don't agree. Identifying the party responsible for a given message is
fundamental to stopping network abuse in general. If forwarders to be
part of the solution rather than part of the problem, they have to be
careful of what they send and that means taking responsibility for it.
While this clearly makes forwarders' lives more complicated, it puts
responsibility where it belongs: at the original destination hop, where
it is possible to detect forgeries and spam based on sending system
identity and identity.


>
> Entities that punish backscatter, such as UCEPROTECT, generally
> believe that backscatter should be prevented by abolishing DSNs
> entirely, not by sender validation. So for them "I couldn't get
> a clear SPF answer" is not an excuse for backscatter.

Abolishing DSN's would also abolish the reliability of SMTP. At the
same time, a forwarder claiming they couldn't determine the responsible
sender is not an excuse for backscatter, which is network abuse.


> And for an SRS forwarder, abolishing DSNs entirely just isn't
> possible. Even if they go to the *extreme* of conducting
> incoming and outgoing SMTP transactions simultaneously, they
> can still get saddled with a "MAIL FROM: <> / RCPT TO:
> <SRS0=blahblah@blah>" hours later from the next hop.

Conducting the outgoing leg of a forwarding transaction during the
incoming session will create problems and in some cases is network
abuse. Getting a delayed DSN for a message you didn't send is
unfortunately the nature of alias forwarding and is why many people
consider it a poor practice. Unfortunately, it is now enshrined in
practice.

If you accept the idea that everyone is responsible for the mail they
emit, as SPF assumes, then forwarders' lives are undeniably harder than
they used to be. At the same time, there is no good reason for everyone
else to accept forgeries simply because forwarders are used to a more
relaxed environment.


> If the final recipient trusts the forwarder's TENBOX token enough to
> stand down SPF, it would be silly not to also stand down their content
> filters (SpamAssassin, ClamAV, DCC, etc.). And content filters are
> the leading cause of forwarder bounces.

In general, recipient systems have a large incentive to continue
performing content checks, even on whitelisted forwarders, as end users
blame the final recipient system for all spam in their inbox. While the
first forwarding hop is in the best position to reject spam and
forgeries, end users don't know that and would likely consider it an
excuse.

I would still like to hear how tenbox might reduce effort and user
complaints for recipient systems.


> Big ISPs who want to stay off the FrankBL would maintain their own
> blacklist of forwarders who ignore SPF and simply refuse to allow
> their customers to extend TENBOX/E trust to those forwarders.

BigISP doesn't care about FrankBL (they like Frank, but they barely care
about SPF). BigISP also does not care about forwarders' problems or
even their continued viability. They care only to minimize complaints
from their own users.

--
Seth Goodman

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=735

On Sun, 8 Apr 2007, Frank Ellermann wrote:
> So as far as I'm concerned forwarders can use whatever they
> like best wrt NONE or NEUTRAL. The SOFTFAIL scenario is as
> always tricky, I propose to ignore SOFTFAIL for the moment.

The problem is that "whatever they like best wrt NONE or NEUTRAL" is to
simply not implement SRS, and insist that any forwarding failures due to
SPF at the recipient MTA are the recipient's fault.

Because of this, the fact that SRS would cause some pressure on the
forwarders to not accept SPF-fail is irrelevant, because nobody is taking
the bait.

> I think those "entities" are stupid. At least for an SPF PASS
> it's IMO obvious that the sender wishes to get DSNs (and other
> auto-replies, where some excl. me draw the line at challenges.)

Call them stupid if you want, fact is they are *out there*. For the
moment, any entity afraid of backscattering SPF-fail messages will also be
afraid to backscatter SPF-none/neutral/softfail messages.

Hence, there are two kinds of forwarder. One kind doesn't worry about
their reputation as a backscatter emitter -- these will happily implement
SRS without any SPF checking. Another does care deeply -- these will
refuse to implement SRS at all.

> Better make sure that forwarders using [TENBOX/E] MUST reject SPF FAIL
> at their border (we can talk about a SHOULD :-), otherwise I'd
> consider it as potentially harmful wrt what SPF does today.

That would forbid the possibility of a forwarding chain. Sure,
forwarding chains are a little bit daft -- but note that SRS takes pains
to optimize the case.

> > If the final recipient trusts the forwarder's TENBOX token
> > enough to stand down SPF, it would be silly not to also stand
> > down their content filters (SpamAssassin, ClamAV, DCC, etc.).
>
> I doubt it. [ Users probably will be silly ]

Such conditions are the user's fault, not the forwarder's. The forwarder
shouldn't be punished for them, but that will always happen under SRS.

---- Michael Deutschmann <michael@talamasca.ocis.net>

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=735

On Sun, 8 Apr 2007, Seth Goodman wrote:
> I don't agree. Identifying the party responsible for a given message is
> fundamental to stopping network abuse in general. If forwarders to be
> part of the solution rather than part of the problem, they have to be
> careful of what they send and that means taking responsibility for it.

So how can they take responsibility in this case? The only thing that
will avoid backscatter and work on an automated basis is to refuse all
neutral/none/softfail messages. Today, a forwarder that does that would
be regarded by its users as more broken than one that requires the
ultimate recipient to not use recieverside SPF.

> I would still like to hear how tenbox might reduce effort and user
> complaints for recipient systems.

Basically, they get to use SPF! Presently, recipient systems are afraid
to activate reject-on-SPF-fail because some of their users may recieve
traditional forwarding.

SRS is a chicken game. If recipients apply SPF and forwarders don't use
SRS, the forwarding system breaks completely. There are two paths out of
the broken state -- the recipient can relent and disable SPF, and the
forwarder can relent and use SRS. Unfortunately, the will of the
recipient to endure the broken state to achieve the most satisfactory one
(SRS and SPF), is less than the will of most forwarders to endure the same
state to achieve their most satisfactory one (no SPF or SRS).

SRS is nicer to the recipient than TENBOX/E. But SRS is already 100%
deployed at the recipient end (since recipients don't need to do
anything), and yet is a failure because of poor uptake by forwarders. We
need to trade off some of SRS's recipient convenience for some forwarder
convenience, so that we can actually have deployment at both ends.

> > Big ISPs who want to stay off the FrankBL would maintain their own
> > blacklist of forwarders who ignore SPF and simply refuse to allow
> > their customers to extend TENBOX/E trust to those forwarders.
>
> BigISP doesn't care about FrankBL (they like Frank, but they barely care
> about SPF). BigISP also does not care about forwarders' problems or
> even their continued viability. They care only to minimize complaints
> from their own users.

Users will complain if their forwards stop working and the forwarder
tells them only their ISP can fix it.

If enough people feel like Frank does, they will use the FrankBL to
protect themselves from backscatter, and the ISP will recieve
deliverability complaints when they ignore FrankBL listings.

---- Michael Deutschmann <michael@talamasca.ocis.net>

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=735

On Saturday 07 April 2007 19:51, Michael Deutschmann wrote:
> On Sat, 7 Apr 2007, Frank Ellermann wrote:
> > Yes, and that's where I'm *V*E*R*Y* *I*N*T*E*R*E*S*T*E*D* With SRS it
> > is clear that forwarders take the responsibility for mails forwarded
> > by them as they should under RFC 821 rules (and explicitly did by
> > adding their identity to the reverse path in the pre-1123 world).
>
> Ah, you're calling it a feature that SRS forces forwarding providers to
> stake their IP reputation on the identification of a message as
> non-forged. But SRS also forces them to either "sign off on" or refuse to
> accept SPF-neutral, SPF-none, and SPF-softfail mails. This just isn't
> reasonable today.

Their IP reputation is already as stake. SRS adds their name reputation.

> Entities that punish backscatter, such as UCEPROTECT, generally believe
> that backscatter should be prevented by abolishing DSNs entirely, not by
> sender validation. So for them "I couldn't get a clear SPF answer" is not
> an excuse for backscatter. And for an SRS forwarder, abolishing DSNs
> entirely just isn't possible. Even if they go to the *extreme* of
> conducting incoming and outgoing SMTP transactions simultaneously, they
> can still get saddled with a "MAIL FROM: <> / RCPT TO:
> <SRS0=blahblah@blah>" hours later from the next hop.

Yep. SRS transfers a final recipient bounce to a forwarder bounce, but
without SRS final recipient rejects still result in forwarder bounces.
Forwarders reliably getting backscatter control correct is pretty well
impossible no matter what we do here. It's one of the reasons I think the
days of transparent forwarding are numbered.

> > How does TENBOX guarantee that the alleged original sender in fact is
> > the original sender ?
>
> It doesn't. But TENBOX/E mail will very rarely be bounced, if at all.

I don't see at all how that follows.

> If the final recipient trusts the forwarder's TENBOX token enough to stand
> down SPF, it would be silly not to also stand down their content filters
> (SpamAssassin, ClamAV, DCC, etc.). And content filters are the leading
> cause of forwarder bounces.

Absolutely not. Not Forged != Not Spam/Phish/etc.

Lots of people made this exact mistake when SPF was initially being deployed.
Don't repeat it.

Scott K

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=735

On Sun, 8 Apr 2007, Scott Kitterman wrote:
> Yep. SRS transfers a final recipient bounce to a forwarder bounce, but
> without SRS final recipient rejects still result in forwarder bounces.
> Forwarders reliably getting backscatter control correct is pretty well
> impossible no matter what we do here. It's one of the reasons I think the
> days of transparent forwarding are numbered.

I concede SRS exacerbates the problem rather than creating it.

But TENBOX/E has the potential to reduce the problem. The problem can be
eliminated if there is no tomfoolery at the recipient. Even if there is
tomfoolery at the recipient (defined as 5xx-ing forwarded mail, or 4xx-ing
it for an extended time), the forwarder can avoid bouncing with a little
nerve. (For better flow of my argument, I've moved the paragraph
describing how to apply "nerve" to the bottom of the message.)

> > If the final recipient trusts the forwarder's TENBOX token enough to stand
> > down SPF, it would be silly not to also stand down their content filters
> > (SpamAssassin, ClamAV, DCC, etc.). And content filters are the leading
> > cause of forwarder bounces.
>
> Absolutely not. Not Forged != Not Spam/Phish/etc.

Mail that is forwarded and caught late by SpamAssassin et al. probably
really is "bad mail". But it's still "silly" to reject it for another
reason.

It is irresponsible for an ISP to silently discard mail (which has a tiny
chance of being an FP) or create backscatter. It's equally irresponsible
to force someone else to backscatter, which is what happens when forwarded
mail is content-filtered. The lesser evil is to let the recipient "eat
his spam".

Now, with traditional forwarding or SRS forwarding, the recipient MTA
cannot detect which messages are forwards, so we can't really blame it for
following the same rules it must apply to normal mail. (At the moment,
you can probably assume any mail from an <SRS[0-9]=*@*> address is an SRS
forward, but that'll change fast if such messages get treated
specially...)

But under TENBOX/E, once the MTA has validated the TENBOX token and found
it on the recipient whitelist, it *KNOWS* that the message is indeed a
forward, and that blocking it *even if it is indeed spam* will just push
the "backscatter or drop" dilemma on someone else acting in good faith.



Now, as promised above, what a TENBOX/E forwarder can do when faced with
in-transaction rejections of the forwarded mail:

Instead of bouncing, he can freeze the rejected message and any others
"in flight", and set a flag so that any message to the forwarding input
address gets 4xx-ed. Then he sends an out-of-band message to the
recipient saying "There is a *serious configuration error* at your ISP --
our TENBOX token isn't whitelisted. Let us know when this is corrected --
your forwarding is disabled until then". Once the recipient indicates the
problem is fixed, the forwarder can re-queue the messages. If they all go
through, then he unlocks the input address.

---- Michael Deutschmann <michael@talamasca.ocis.net>

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=735

Seth Goodman wrote on Sunday, April 08, 2007 5:56 PM -0500:

> While this clearly makes forwarders' lives more complicated, it puts
> responsibility where it belongs: at the original destination hop,
> where it is possible to detect forgeries and spam based on sending
> system identity and identity.

Typo, should have been "identity and behavior".

--
Seth Goodman

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=735

Michael Deutschmann wrote on Sunday, April 08, 2007 7:37 PM -0500:

> SRS is nicer to the recipient than TENBOX/E. But SRS is already 100%
> deployed at the recipient end (since recipients don't need to do
> anything), and yet is a failure because of poor uptake by forwarders.
> We need to trade off some of SRS's recipient convenience for some
> forwarder convenience, so that we can actually have deployment at
> both ends.

Suggesting that recipient systems must do more than SPF already asks is
not realistic. The adoption experience of the past few years has shown
that they will not. The primary motivation to suggest additional
recipient system work is that it is friendlier to forwarders, a group
that recipient systems do not care about directly, or worse.

Tenbox appears to add some automation to the forwarder whitelisting
process, but it doesn't sound significantly easier for the end user than
forcing them to enumerate their forwarding arrangements. The fact that
it is more specific, i.e. associates an incoming address with a redirect
address (does it?), is not a big enough carrot, IMHO, to make recipient
systems take on the additional problems. It might help if you
illustrate the use case of a non-technical user who knows nothing about
email transport.


> Users will complain if their forwards stop working and the forwarder
> tells them only their ISP can fix it.

And their ISP will contradict this. Users can't arbitrate technical
matters, they believe who they believe. Most often, it will not be a
forwarder, with whom they no longer have a direct relationship.

--
Seth Goodman

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=735

On Mon, 9 Apr 2007, Seth Goodman wrote:
> Michael Deutschmann wrote on Sunday, April 08, 2007 7:37 PM -0500:
> > We need to trade off some of SRS's recipient convenience for some
> > forwarder convenience, so that we can actually have deployment at
> > both ends.
>
> Suggesting that recipient systems must do more than SPF already asks is
> not realistic. The adoption experience of the past few years has shown
> that they will not.

This assumes the reason receiverside SPF checking is not common is technical
-- that SPF is somehow too hard to implement. That was true years ago, but
now most MTAs support it out of the box.

Rather, I contend the problem is political. Enabling receiverside SPF would
be a trivial config-file edit for most ISPs today, but they don't do it
*because of the forwarder problem*. Without the forwarding problem, SPF
would have a nearly-zero FP rate and be competitive with blacklists. But
because of the forwarder problem, the FP risk is too high (in relation to the
small amount of bad mail SPF would block).

> Tenbox appears to add some automation to the forwarder whitelisting
> process, but it doesn't sound significantly easier for the end user than
> forcing them to enumerate their forwarding arrangements. The fact that

With TENBOX/E alone, the user does have to "enumerate their forwarding
arrangements". But at least they can do that -- to whitelist a traditional
forwarder takes guesswork that even a mail expert cannot do reliably. Under
TENBOX/E, all the recipient has to do is relay a simple code string (which
will probably be the same as the forward-from address) from his forwarder to
his local admin.

And TENBOX/E is only half of the TENBOX plan. After TENBOX/E is settled,
we'll work on TENBOX/O, which will make whitelist maintainence easier.

> systems take on the additional problems. It might help if you
> illustrate the use case of a non-technical user who knows nothing about
> email transport.

TENBOX/O would provide a means for a forwarder to send a special message
to an ISP saying "I'm starting a forwarding relationship with your user
<user.next@hop.example>, under TENBOX token <user@fwd.example>, please
whitelist me". The ISP mailserver would then send a seperate message,
much like a mailing-list confirmed opt-in, to the end user asking him to
take some sort of affirmative action if the forwarding relationship is
legitimate. If the end-user confirms, then the mailserver would add the
token to the user whitelist, and send a message to the forwarder informing
him the whitelisting was granted.

---- Michael Deutschmann <michael@talamasca.ocis.net>

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=735

I've been thinking about this some more and I think this TENBOX/E idea is a
half-measure that won't get the job done.

Fundamentally, in an environment where untargeted backscatter is not
acceptable, the only place that any accept reject decisions can be made is at
the transition point from the sender's trust network to the receiver's trust
network. This is the same thing I've said about SPF checking before as a
general point.

The key issue is that the traditional forwarder is an agent of the reciever
and not the sender. Once the forwarder forwards it's an internal matter for
the reciever and they have an obligation to get it right. This means one of
two things:

1. Forwarder puts in a new Mail From (I'm thinking more like a mailing list
does than SRS, but SRS for SPF Pass would work too) and treats the forwarding
action much like a new mail transaction (as mailing lists do). With the
exception of relaying bounces back to SPF Pass senders via SRS, it's really
between the forwarder and the reciever at this point. It's no different than
a border MTA accepts mail and then has to deal with internal delivery
problems.

2. Reciever doesn't bounce from known forwarders.

I'm not sure what the reciever's incentive is for #2. Unless forwarders
figure out how to live in a no backscatter world, I think they'll go the way
of finger and gopher.

Scott K

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=735

On Mon, 9 Apr 2007, Scott Kitterman wrote:
> Fundamentally, in an environment where untargeted backscatter is not
What do you mean by "untargetted"?

> 2. Reciever doesn't bounce from known forwarders.
>
> I'm not sure what the reciever's incentive is for #2. Unless forwarders
> figure out how to live in a no backscatter world, I think they'll go the way
> of finger and gopher.

As the world becomes harsher on backscatter, SRS and traditional
forwarders will die, and TENBOX/E forwarders will be the only ones
available. To attain full backscatter elimination, TENBOX/E forwarders
will simply refuse to serve clients who will not honor "#2".

I do think there's a good chance that ISPs will implement it if the
forwarders push them.

Basically, by refusing to do SRS, forwarders are pushing a collective
"Don't implement receiverside SPF, otherwise your customers lose their
forwarding." ultimatum on the ISPs, and the ISPs are buckling under it.
Hence the poor deployment of SPF checking.

So, I think it is quite possible that if forwarders push an "Implement
TENBOX/E such that we never see a 5xx, or else your customers lose their
forwarding" ultimatum, the ISPs will also buckle and deploy TENBOX/E.

---- Michael Deutschmann <michael@talamasca.ocis.net>

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=735

On Tue, 10 Apr 2007, Michael Deutschmann wrote:

> So, I think it is quite possible that if forwarders push an "Implement
> TENBOX/E such that we never see a 5xx, or else your customers lose their
> forwarding" ultimatum, the ISPs will also buckle and deploy TENBOX/E.

5xx is not the problem. DSNs after a 2xx are the problem.

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=735

Michael Deutschmann wrote on Tuesday, April 10, 2007 4:30 AM -0500:

> So, I think it is quite possible that if forwarders push an "Implement
> TENBOX/E such that we never see a 5xx, or else your customers lose
> their forwarding" ultimatum, the ISPs will also buckle and deploy
> TENBOX/E.

I have a very different picture of who decides what. ISP's and large
email providers virtually give away email services to most customers,
they generate the lion's share of overall revenue so they dictate the
terms. They don't care about the eventual survival of forwarders, and
they'd just as soon seem them disappear as deal with an imaginary
threat.

Rather, large ISP's and email providers will do exactly what they find
in their own interest, and forwarding is only one consideration. It is
true they haven't gone with SPF largely because they don't want to break
existing forwarding. However, they are unlikely to invest significant
effort in order to preserve forwarding. Not breaking it is sufficient
until such time as it is forced to either change into something less
damaging to SMTP mail transport or go away altogether.

My concern is that the time when current alias forwarding is no longer
acceptable could be a long time coming and SPF won't be widely
implemented before that. I believe that SPF is in all legitimate
mailers' best interest, except current alias forwarders. SPF is
predicated on *everyone* taking responsibility for everything they emit,
while alias forwarders wish to be exempt because they're operating per
their users' instructions. Given the reality that ISP customers blame
the ISP for all spam in their inbox, ISP's have little incentive to
whitelist forwarders, less incentive to exempt them from content checks
and even less incentive to exempt them from blacklists when they cause
backscatter.

--
Seth Goodman

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=735

On Tue, 10 Apr 2007, Stuart D. Gathman wrote:
> On Tue, 10 Apr 2007, Michael Deutschmann wrote:
> > So, I think it is quite possible that if forwarders push an "Implement
> > TENBOX/E such that we never see a 5xx, or else your customers lose their
> > forwarding" ultimatum, the ISPs will also buckle and deploy TENBOX/E.
>
> 5xx is not the problem. DSNs after a 2xx are the problem.

But not for the forwarder. (Unless he uses SRS, and this is why he
doesn't want to.)

If the recipient decides to bounce forwarded mail post-transactionally,
it's the recipient's IP reputation that gets blackened.

---- Michael Deutschmann <michael@talamasca.ocis.net>

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=735

Michael Deutschmann wrote on Tuesday, April 10, 2007 7:45 PM -0500:

> On Tue, 10 Apr 2007, Stuart D. Gathman wrote:
> > 5xx is not the problem. DSNs after a 2xx are the problem.
>
> But not for the forwarder. (Unless he uses SRS, and this is why he
> doesn't want to.)
>
> If the recipient decides to bounce forwarded mail post-
> transactionally, it's the recipient's IP reputation that gets
> blackened.

While it's true that ultimate responsibility rests with the system that
generates a delayed bounce to a forged address, it's also true that
there is no method today, short of tricks such as SES, to determine the
validity of return-paths on forwarded mail. Thus it is completely
rational to blame the forwarder who handed you the forgery. Every
system is responsible for what they emit.

--
Seth Goodman

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=735

On Tue, 10 Apr 2007, Seth Goodman wrote:
> Michael Deutschmann wrote on Tuesday, April 10, 2007 7:45 PM -0500:
> While it's true that ultimate responsibility rests with the system that
> generates a delayed bounce to a forged address, it's also true that
> there is no method today, short of tricks such as SES, to determine the
> validity of return-paths on forwarded mail.

So to be safe, the recipient system must *always* place forwarded mail in
the end-users mailbox, no matter how confident the automated systems are
that it is spam, since there's no other direction it may safely go.

> Thus it is completely rational to blame the forwarder who handed you
> the forgery. Every system is responsible for what they emit.

The forwarder robotically follows the end-user's orders, so the end-user
is responsible for the results of those orders. So if the forwarder
accepts spam, it is the end-user's responsibility to "eat it".

---- Michael Deutschmann <michael@talamasca.ocis.net>

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=735

On Tue, 10 Apr 2007, Seth Goodman wrote:
> Michael Deutschmann wrote on Tuesday, April 10, 2007 4:30 AM -0500:
> My concern is that the time when current alias forwarding is no longer
> acceptable could be a long time coming and SPF won't be widely
> implemented before that.
Exactly.

However, the reason traditional forwarding is taking so long to die is
that there is no real alternative. (There's SRS, but so long as ISPs shy
away from the SRS/SPF chicken game, it doesn't solve any of the
*forwarder's* problems.)

The only way out for the forwarder is to give up and stop providing
forwarding service. The backscatter-pain will have to rise quite a bit
before they do that.

But if TENBOX/E becomes available, the present level of backscatter-pain
will quickly drive the forwarders to deploy it.

Then the SRS/SPF chicken game will be replaced with a new one. The
forwarder has two strategies:

"Soft TENBOX/E" - the forwarder attaches a TENBOX token to his mail,
but otherwise acts like a traditional forwarder. He hopes to be
whitelisted, but takes his lumps from the backscatter if he isn't.

"Hard TENBOX/E" - the forwarder attaches a TENBOX token to his mail,
expects to be whitelisted, and immediately shuts down the forwarding
relationship on a 5xx.

And the recipient has two strategies:

"Full TENBOX/E" - the forwarder recognizes TENBOX whitelisted mail, and
disables all spam defences.

"Minimal TENBOX/E" - the forwarder recognizes TENBOX whitelisted mail,
but only disables SPF, nothing else.

No matter who wins the new chicken game, SPF will also win because
the forwarder has no incentive to remain with the "traditional forwarding"
strategy.

---- Michael Deutschmann <michael@talamasca.ocis.net>

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=735

Michael Deutschmann wrote on Tuesday, April 10, 2007 10:02 PM -0500:

> On Tue, 10 Apr 2007, Seth Goodman wrote:
> > Michael Deutschmann wrote on Tuesday, April 10, 2007 7:45 PM -0500:
> > While it's true that ultimate responsibility rests with the system
> > that generates a delayed bounce to a forged address, it's also true
> > that there is no method today, short of tricks such as SES, to
> > determine the validity of return-paths on forwarded mail.
>
> So to be safe, the recipient system must *always* place forwarded
> mail in the end-users mailbox, no matter how confident the automated
> systems are that it is spam, since there's no other direction it may
> safely go.
>
> > Thus it is completely rational to blame the forwarder who handed you
> > the forgery. Every system is responsible for what they emit.
>
> The forwarder robotically follows the end-user's orders, so the
> end-user is responsible for the results of those orders. So if the
> forwarder accepts spam, it is the end-user's responsibility to "eat
> it".

While technically correct, the end user blames the system they forward
to for all spam in their inbox, regardless of the source. Since they
can vote by changing providers, recipient systems generally ignore the
technical arguments in favor of staying in business.

--
Seth Goodman

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=735