Mailing List Archive

Kodak, American Greeting, et al.
We are seeing a problem with remailing services that are entirely legitimate
but perhaps not really doing things like we SPFers think they should.

American Greetings send greeting cards from their server with the sender's
e-mail address as the from address and Kodak sends pictures that actually
"belong" to the client from their server with the client's from address.

Both of these are legitimate because the sending person is actually the
person whose e-mail address is being used, but it plays havoc with the SPF
scheme.

Does anyone have a fix for this problem besides educating Kodak, Am.
Greeting and 5000 other legitimate big mailers?

We can't afford to keep grandma from getting pictures of the new baby, or
"Mom" from getting a card from her thoughtless son on her birthday. It is
enough to make us turn off SPF checking.

Cary Fitch


-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com
Re: Kodak, American Greeting, et al. [ In reply to ]
From: "Cary Fitch" <sage@usawide.net>

> American Greetings send greeting cards from their server with the sender's
> e-mail address as the from address and Kodak sends pictures that actually
> "belong" to the client from their server with the client's from address.
>
> Both of these are legitimate because the sending person is actually the
> person whose e-mail address is being used, but it plays havoc with the SPF
> scheme.

Why is that legitimate? This is the behaviour of a spammer, and should be
treated as such. Is there any *real* reason for these people to not use the
correct From: or ReplyTo: information? If I used their services and a mail
came back with headers like that it would end up in /dev/null :-)


Slainte,

JohnP.
johnp@idimo.com
ICQ 313355492


RE: Kodak, American Greeting, et al. [ In reply to ]
Well, not sure if this is a viable option, but you may have to change how you are currently sending the cards.

As it stands now, when I get the greeting card, it has the email address of the person who sent it. Of course this breaks the SPF,
but would it be possible to have the from address be a generic American greeting card domain? This way, when someone gets the card,
it's not from me@bellsouth.net but rather me-somethingunique@americangreetingcards.com ?

If you can store that unique email address when sent, you can act as a relay/forward for when someone replies to the email message
and just direct the message on to whoever sent the card in the first place.

Just a thought.

Josh

-----Original Message-----
From: Cary Fitch [mailto:sage@usawide.net]
Sent: Sat 8/28/2004 10:20 AM
To: spf-help@v2.listbox.com
Cc:
Subject: [spf-help] Kodak, American Greeting, et al.



We are seeing a problem with remailing services that are entirely legitimate
but perhaps not really doing things like we SPFers think they should.

American Greetings send greeting cards from their server with the sender's
e-mail address as the from address and Kodak sends pictures that actually
"belong" to the client from their server with the client's from address.

Both of these are legitimate because the sending person is actually the
person whose e-mail address is being used, but it plays havoc with the SPF
scheme.

Does anyone have a fix for this problem besides educating Kodak, Am.
Greeting and 5000 other legitimate big mailers?

We can't afford to keep grandma from getting pictures of the new baby, or
"Mom" from getting a card from her thoughtless son on her birthday. It is
enough to make us turn off SPF checking.

Cary Fitch


Re: Kodak, American Greeting, et al. [ In reply to ]
Unfortunately I think it is Kodak that does not even have reverse DNS on
its mail servers.
Some of them have other problems that should be fixed but who are you
going to call at Kodak?

I do the following and I am using the qmail patch, if you are using
something else I do not know what to tell you.
In spfrules I have the following line
include:allowspf.myowndomain.com ip4:63.240.114.0/24

Notice I had to add the ip block for Kodak because their sending mail
servers do not resolve to anything.
Bad practice but Grandma needs the pics so what can you do.

Then I had to add a DNS record for allowspf.myowndomain.com.
I have that below so others can use it.

I also have the following in spfguess which helps a lot....
a/24 mx/24 ptr

;--------- BEGIN DNS RECORD--------------
$TTL 3600
@       IN SOA  ns1.myowndomain.com. hostmaster.myowndomain.com. (
                2004070700 ; Serial
                7200       ; Refresh after 2 hours
                3600       ; Retry after 1 hour
                604800     ; Expire after 1 week
                86400 )    ; Minimum TTL of 1 day

        IN NS   ns1.myowndomain.com.
        IN NS   ns2.myowndomain.com.
        IN NS   ns3.myowndomain.com.
@       IN TXT  "v=spf1 exists:%{p2}.%{d}"
hallmark.com            IN A 127.0.0.2
fedex.com               IN A 127.0.0.2
ups.com                 IN A 127.0.0.2
ebay.com                IN A 127.0.0.2
intuit.com              IN A 127.0.0.2
shutterfly.com          IN A 127.0.0.2
ofoto.com               IN A 127.0.0.2
kodak.com               IN A 127.0.0.2
photoworks.com          IN A 127.0.0.2
americangreetings.com   IN A 127.0.0.2
cnn.com                 IN A 127.0.0.2
;--------- END DNS RECORD--------------

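An added example (not part of the original message or of any SPF implementation) showing how the `exists:%{p2}.%{d}` record in the message above resolves against the posted zone, following the macro-expansion rules later standardized in RFC 7208. The host names passed in are constructed, and the zone is modelled as a dictionary rather than queried over DNS.

```python
import re
from urllib.parse import quote

# Names taken from the zone in the message above; the zone is modelled as a
# dict instead of live DNS so the example runs offline.
ALLOW_ZONE = "allowspf.myowndomain.com"
WHITELISTED = ["hallmark.com", "fedex.com", "ups.com", "ebay.com", "intuit.com",
               "shutterfly.com", "ofoto.com", "kodak.com", "photoworks.com",
               "americangreetings.com", "cnn.com"]
# Relative owner names in the zone file become <name>.<zone origin>.
ZONE_A = {f"{name}.{ALLOW_ZONE}": "127.0.0.2" for name in WHITELISTED}

# %{letter digits r delimiters}, plus the literals %%, %_ and %-
_MACRO = re.compile(r"%(?:\{([A-Za-z])(\d*)(r?)([-.+,/_=]*)\}|([%_-]))")
_LITERALS = {"%": "%", "_": " ", "-": "%20"}


def expand(domain_spec, values):
    """Expand SPF macros in domain_spec; values maps macro letter -> string."""
    def repl(match):
        letter, digits, reverse, delims, literal = match.groups()
        if literal:
            return _LITERALS[literal]
        # Split the value on the listed delimiters (default ".").
        table = str.maketrans({d: "\x00" for d in (delims or ".")})
        parts = values[letter.lower()].translate(table).split("\x00")
        if reverse:
            parts.reverse()
        if digits:
            count = int(digits)
            if count == 0:
                raise ValueError("macro digit transformer must be >= 1")
            parts = parts[-count:]          # keep the right-most labels
        text = ".".join(parts)
        # An upper-case macro letter requests URL escaping of the result.
        return quote(text, safe="") if letter.isupper() else text
    return _MACRO.sub(repl, domain_spec)


def whitelist_lookup(validated_ptr_names):
    """Evaluate 'exists:%{p2}.%{d}' as reached via include:allowspf.myowndomain.com.

    validated_ptr_names: forward-confirmed PTR names of the connecting IP.
    Assumption: the first name is used; with none, SPF substitutes "unknown".
    Returns (query name, whether an A record exists in the zone).
    """
    if validated_ptr_names:
        p = validated_ptr_names[0].rstrip(".").lower()
    else:
        p = "unknown"
    # Inside an include:, %{d} is the included domain, not the sender's domain.
    qname = expand("%{p2}.%{d}", {"p": p, "d": ALLOW_ZONE})
    return qname, qname in ZONE_A


if __name__ == "__main__":
    # Constructed host names; only the zone contents come from the message.
    for names in (["mail3.kodak.com"], [], ["mx.example.co.uk"]):
        print(names, whitelist_lookup(names))
```

The empty-PTR case is the one the poster covers with the extra `ip4:` block, since `%{p2}` then expands to `unknown` and no record matches. The `co.uk` case shows that a two-label cut cannot whitelist a sender whose name sits under a two-level public suffix.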
Re: Kodak, American Greeting, et al. [ In reply to ]
> American Greetings send greeting cards from their server with the sender's
> e-mail address as the from address and Kodak sends pictures that actually
> "belong" to the client from their server with the client's from address.
>
> Both of these are legitimate because the sending person is actually the
> person whose e-mail address is being used, but it plays havoc with the SPF
> scheme.

Cary,

Your last sentence above is where the problem lies. For me, as an end user, there is absolutely no way for me to know Kodak, etc's policies regarding authentication. You say "the sending person is actually the person whose email address is being used", but that cannot be for sure. When a greeting card is sent, there is NO verification that the email address belongs to the person typing it.

Regards,
Marc Alaia

Re: Kodak, American Greeting, et al. [ In reply to ]
The companies who do this sort of spoofing are simply in the wrong.
Unfortunately there are an unbelievably large number of large companies who
should know better who do it.

Even when not subverted by a third party, the practice is inappropriate. And
most of the companies which have services that do this do nothing at all to
prevent it being subverted by third-parties.

I file complaints with the company about their practices.

And then I tell my users, "Sorry, the service you are using sends email which
violates acceptable practices." I don't cave in. I also suggest that the user
complain and find an alternative service (if I know of any, I list them).
Finally, I explain that the service they are using would allow someone else to
impersonate mail sent from them. Since adding the final note, not a single user
has complained and many have thanked me.

arley




RE: Kodak, American Greeting, et al. [ In reply to ]
I wouldn't say it's WRONG; it's just, by SPF's standard, not allowed. I have many customers who want to use a "Forward to a Friend" feature and have the return email address be the person sending the email so the receiving party will know who it came from. Since this is not allowed, we use another method, something similar to the email I wrote earlier this morning.

Josh

-----Original Message-----
From: adealey@omnex.com [mailto:adealey@omnex.com]
Sent: Sat 8/28/2004 12:18 PM
To: spf-help@v2.listbox.com
Cc:
Subject: Re: [spf-help] Kodak, American Greeting, et al.








The companies who do this sort of spoofing are simply in the wrong.
Unfortunately there are an unbelievably large number of large companies who
should know better who do it.

Even when not subverted by a third party, the practice is inappropriate. And
most of the companies which have services that do this do nothing at all to
prevent it being subverted by third-parties.

I file complaints with the company about their practices.

And then I tell my users, "Sorry, the service you are using sends email which
violates acceptable practices." I don't cave in. I also suggest that the user
complain and find an alternative service (if I know of any, I list them).
Finally, I explain that the service they are using would allow someone else to
impersonate mail sent from them. Since adding the final note, not a single user
has complained and many have thanked me.

arley




Re: Kodak, American Greeting, et al. [ In reply to ]
I am not sending any cards, Am. Greeting is and Kodak is sending pictures.

I am "ASSuming" the transmissions are legitimate, particularly in the case
of Kodak. The sender is really "Barbara", the baby is really hers, and
Grandma is the intended recipient. :-)

The problem seems to be that Kodak knows a lot more about photography than
e-mail and doesn't even have a lot more e-mail and DNS stuff done right
according to another poster.

But "Barbara" and "Grandma" are both my customers and use the Kodak service.

On a short term basis we can white list Kodak and other non spammer, but non
compliant mailers, but we can't do that for 20,000 other non compliant
"yahoos".

Another poster said in effect if they behave like spammers then treat them
like spammers. But they aren't behaving like spammers in the sense they are
sending individual emails to known and caring associates. The mail agent is
just using a from address field that SPF uses to validate mail. The
causing sender's actual e-mail address is sausagehead@usawide.net, and the
message is from him, it is just not from our server. :-)

That isn't spam. It is an error in using the address fields, and an issue
only because SPF has been created to inspect the field in a way that has
never been done before.

I don't plan to get into SPF design and practices in this help list, but
perhaps their use MAY be acceptable depending on "What the definition of
FROM is?" (does that sound familiar?) and there should be a certified
white list for legitimate known third party mailers.

Cary Fitch


----- Original Message -----
From: "Joshua Pyle" <jpyle@mansellgroup.com>
To: <spf-help@v2.listbox.com>
Sent: Saturday, August 28, 2004 9:47 AM
Subject: RE: [spf-help] Kodak, American Greeting, et al.


> Well, not sure if this is a viable option, but you may have to change how
> you are currently sending the cards.
>
> As it stands now, when I get the greeting card, it has the email address
> of the person who sent it. Of course this breaks the SPF,
> but would it be possible to have the from address be a generic American
> greeting card domain? This way, when someone gets the card,
> it's not from me@bellsouth.net but rather
> me-somethingunique@americangreetingcards.com ?
>
> If you can store that unique email address when sent, you can act as a
> relay/forward for when someone replies to the email message
> and just direct the message on to whoever sent the card in the first place.
>
> Just a thought.
>
> Josh
>
RE: Kodak, American Greeting, et al. [ In reply to ]
When someone generates email which says it comes from my email domain and yet my
servers have had absolutely nothing to do with it, that is WRONG.

Correct would be to honestly put _their_ domain in the "from" field and their
client's domain in the "reply-to" field.

It is really very simple and clearcut.

In fact, because of the liabilities that might occur, I know at least one major
company whose legal department is preparing lawsuits against remailers who send
mail that appears to come from their domain. I can't blame them.

arley




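The two fixes proposed in this thread, Josh's per-card address at the mailing service's own domain with replies relayed back, and the From/Reply-To split suggested in the message above, look like this in code. This is an added example, not code from any poster or from the services named; `CardMailer`, `cards.example`, the addresses and the key are hypothetical.

```python
import hashlib
import hmac
from email.message import EmailMessage
from email.utils import formataddr, parseaddr


class CardMailer:
    """Sends on behalf of a customer without using the customer's domain."""

    def __init__(self, service_domain, key):
        self.service_domain = service_domain
        self.key = key
        self.alias_to_sender = {}   # stored at send time, used to relay replies

    def alias_for(self, sender, card_id):
        """Return a per-card address at the service's domain for this sender."""
        local = sender.split("@", 1)[0]
        # Keyed tag so aliases cannot be guessed or minted by outsiders.
        tag = hmac.new(self.key, f"{card_id}:{sender.lower()}".encode(),
                       hashlib.sha256).hexdigest()[:16]
        alias = f"{local}-{tag}@{self.service_domain}".lower()
        self.alias_to_sender[alias] = sender
        return alias

    def build(self, sender_name, sender, recipient, card_id):
        """Return (envelope_from, message) for one card."""
        msg = EmailMessage()
        msg["From"] = formataddr((f"{sender_name} via Cards",
                                  self.alias_for(sender, card_id)))
        msg["Reply-To"] = formataddr((sender_name, sender))
        msg["To"] = recipient
        msg["Subject"] = f"{sender_name} sent you a card"
        msg.set_content("View your card at the link in this message.")
        # MAIL FROM is what an SPF check evaluates, so it stays in the
        # service's own domain, which the service's SPF record can cover.
        return f"bounces@{self.service_domain}", msg

    def route_reply(self, rcpt_to):
        """Map a reply sent to an alias back to the real sender, else None."""
        return self.alias_to_sender.get(rcpt_to.lower())


def demo():
    # Constructed addresses and key; cards.example is a placeholder domain.
    mailer = CardMailer("cards.example", b"constructed-demo-key")
    envelope_from, msg = mailer.build("Barbara", "barbara@isp.example",
                                      "grandma@isp.example", card_id=1001)
    alias = parseaddr(msg["From"])[1]
    return {
        "envelope_domain": envelope_from.rsplit("@", 1)[1],
        "from_domain": alias.rsplit("@", 1)[1],
        "reply_to": parseaddr(msg["Reply-To"])[1],
        "relayed_to": mailer.route_reply(alias),
        "unknown_alias": mailer.route_reply(
            "barbara-0000000000000000@cards.example"),
    }


if __name__ == "__main__":
    print(demo())
```

Neither the envelope sender nor the From header carries the customer's domain, so the customer's SPF record is never the one being tested, and a reply still reaches the customer through Reply-To or through the stored alias.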
Re: Kodak, American Greeting, et al. [ In reply to ]
I would have to disagree Josh, it *is* wrong. The ability to send e-mails
with this kind of false From: or ReplyTo: is *exactly* what is allowing
spammers into the system. Hence the huge attempts to stop it happening. SPF
is a good solution - albeit there are problems with multiple-hop mails and
sub-domains, but solutions to those issues are coming forward and hopefully
classic SPF with a few modifications will do the whole job.

The fact that Kodak apparently doesn't even have reverse DNS on their
mail-server is indicative of a sloppy outfit, and they need to get their act
together.

Slainte,

JohnP.
johnp@idimo.com
ICQ 313355492




----- Original Message -----
From: "Joshua Pyle" <jpyle@mansellgroup.com>
To: <spf-help@v2.listbox.com>
Sent: Saturday, August 28, 2004 7:14 PM
Subject: RE: [spf-help] Kodak, American Greeting, et al.


> I wouldn't say it's WRONG, it's just, by SPF's standard, not allowed. I have
> many customers who want to use a "Forward to a Friend" feature and have the
> return email address be the person sending the email so the receiving party
> will know who it came from. Since this is not allowed, we use another
> method something similar to the email earlier this morning I wrote.
>
> Josh
>
> -----Original Message-----
> From: adealey@omnex.com [mailto:adealey@omnex.com]
> Sent: Sat 8/28/2004 12:18 PM
> To: spf-help@v2.listbox.com
> Cc:
> Subject: Re: [spf-help] Kodak, American Greeting, et al.
>
> The companies who do this sort of spoofing are simply in the wrong.
> Unfortunately there are an unbelievably large number of large companies who
> should know better who do it.
>
> Even when not subverted by a third party, the practice is inappropriate. And
> most of the companies which have services that do this do nothing at all to
> prevent it being subverted by third-parties.
>
> I file complaints with the company about their practices.
>
> And then I tell my users, "Sorry, the service you are using sends email which
> violates acceptable practices." I don't cave in. I also suggest that the user
> complain and find an alternative service (if I know of any, I list them).
> Finally, I explain that the service they are using would allow someone else to
> impersonate mail sent from them. Since adding the final note, not a single user
> has complained and many have thanked me.
>
> arley
> > American Greetings send greeting cards from their server with the sender's
> > e-mail address as the from address and Kodak sends pictures that actually
> > "belong" to the client from their server with the client's from address.
> >
> > Both of these are legitimate because the sending person is actually the
> > person who's e-mail address is being used, but it plays havoc with the SPF
> > scheme.
>
> Cary,
>
> Your last sentence above is where the problem lies. For me, as an end user,
> there is absolutely no way for me to know Kodak, etc's policies regarding
> authentication. You say "the sending person is actually the person who's email
> address is being used", but that cannot be for sure. When a greeting card is
> sent, there is NO verification that the email address belongs to the person
> typing it.
>
> Regards,
> Marc Alaia
Re: Kodak, American Greeting, et al. [ In reply to ]
There is a lot of truth in what you say, but "obviously" we should have
required/enabled RDNS checking long ago. RDNS is at least a clear and actual
standard or "RFQ". If they don't have to comply with RDNS, how can we
legitimately suddenly define the exact use of the from field and the
consequences for perceived error?

I am not sure the definition of the From field says it has to come from the
server that is "a" or "the only" server that serves that domain. Given the
loose history of the Internet and e-mail and formerly highly acceptable (and
still legal!) practice of open relays, I strongly suspect that there is no
requirement that the from address be related to the server that sent the
mail to us.

We as people running a business can do whatever we want including using SPF
or RBLs, but what I am speaking to is a non abusive use of a foreign mail
server for a valid reason. They are providing the/our/their customer a
unique and worthwhile service.

It is the mail address of the "human" originator, or the address of the role
of the originator like "postmaster" for instance and if he wants the reply
to go to another address, he can also specify a "reply to" address.

Until someone who cares and is knowledgeable quotes the RFC, I think SPF is
doing an admirable effort, but not directly on target with this issue.

The pictures from daughter sent to grandma, are being sent from the
recognizable address of daughter@mydomain.com so grandma's white list will
accept them no matter what. But SPF is breaking the connection before they
even get sent.

"Houston we have a problem!" (Apollo 13) :-)

And this problem needs to be clarified by the SPF scheme originators and
sponsors.

Cary Fitch


----- Original Message -----
From: "jpinkerton" <johnp@idimo.com>
To: <spf-help@v2.listbox.com>
Sent: Saturday, August 28, 2004 1:54 PM
Subject: Re: [spf-help] Kodak, American Greeting, et al.


> I would have to disagree Josh, it *is* wrong. The ability to send e-mails
> with this kind of false From: or ReplyTo: is *exactly* what is allowing
> spammers into the system. Hence the huge attempts to stop it happening. SPF
> is a good solution - albeit there are problems with multiple-hop mails and
> sub-domains, but solutions to those issues are coming forward and hopefully
> classic SPF with a few modifications will do the whole job.
>
> The fact that Kodak apparently doesn't even have reverse DNS on their
> mail-server is indicative of a sloppy outfit, and they need to get their act
> together.
>
> Slainte,
>
> JohnP.
> johnp@idimo.com
> ICQ 313355492
Re: Kodak, American Greeting, et al. [ In reply to ]
I don't dispute your reasoning, but I would say that it is overly
complicated. The simple solution is for Kodak (or whoever) to send the mail
with a correct ReplyTo: and From: . By doing that granny has no reason to
reject the mail -- it passes the spf check and it should get past her
spamassassin checks too. The subject could read "From
daughter@daughters-domain.com " and the body could contain a clickable link
for granny to hit in order to send her thanks for the card.

I find it strange that organisations as large as Kodak (and others) need to
be defended in their mis-use of e-mail. Much better to gradually educate
these corporations into a *very* small change in their response set-ups, and
we can leave granny and daughter alone and they will easily find their way
around the slight change in the card format.

SPF and the various other schemes are proceeding towards being a required
standard, and we just have to make sure there is a "fix-it" for all the
perceived problems as we go along. You very rightly raised this one, and I
am merely suggesting the easiest workaround for them which will comply with
all the hopefully-soon standards. Personally - I would reject a card from
Kodak - so don't send me one for Christmas ;-)


Slainte,

JohnP.
johnp@idimo.com
ICQ 313355492





----- Original Message -----
From: "Cary Fitch" <sage@usawide.net>
To: <spf-help@v2.listbox.com>
Sent: Saturday, August 28, 2004 9:33 PM
Subject: Re: [spf-help] Kodak, American Greeting, et al.


> There is a lot of truth in what you say, but "obviously" we should have
> required/enabled RDNS checking long ago. RDNS is at least a clear and actual
> standard or "RFQ". If they don't have to comply with RDNS, how can we
> legitimately suddenly define the exact use of the from field and the
> consequences for perceived error?
>
> I am not sure the definition of the From field says it has to come from the
> server that is "a" or "the only" server that serves that domain. Given the
> loose history of the Internet and e-mail and formerly highly acceptable (and
> still legal!) practice of open relays, I strongly suspect that there is no
> requirement that the from address be related to the server that sent the
> mail to us.
>
> We as people running a business can do whatever we want including using SPF
> or RBLs, but what I am speaking to is a non abusive use of a foreign mail
> server for a valid reason. They are providing the/our/their customer a
> unique and worthwhile service.
>
> It is the mail address of the "human" originator, or the address of the role
> of the originator like "postmaster" for instance and if he wants the reply
> to go to another address, he can also specify a "reply to" address.
>
> Until someone who cares and is knowledgeable quotes the RFC, I think SPF is
> doing an admirable effort, but not directly on target with this issue.
>
> The pictures from daughter sent to grandma, are being sent from the
> recognizable address of daughter@mydomain.com so grandma's white list will
> accept them no matter what. But SPF is breaking the connection before they
> even get sent.
>
> "Houston we have a problem!" (Apollo 13) :-)
>
> And this problem needs to be clarified by the SPF scheme originators and
> sponsors.
>
> Cary Fitch
Re: RE: Kodak, American Greeting, et al. [ In reply to ]
> When someone generates email which says it comes from my email domain and yet my
> servers have had absolutely nothing to do with it, that is WRONG.

That is not exactly correct, as far as generalizing for the masses goes. It would be possible and reasonable for a regular user of Kodak to 'give permission' to Kodak in that user's SPF record. I'm not saying that that is going to happen for Citi.com, but I could do it for alaia.net if I wanted. SPF is not about authenticating only your own servers, it can handle much more than that.

>
> Correct would be to honestly put _their_ domain in the "from" field and their
> client's domain in the "reply-to" field.

An alternative would be to generate the email and send it to the requester (a.k.a. Granny) and then the requester would just forward it to whomever they please. That way, it is apparently and actually from the appropriate person and all transmissions pass SPF checks.

Marc
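
[Added example, not part of Marc's message and not code from any SPF implementation.] The options discussed above (the customer's domain authorising the service in its SPF record, or the service sending under its own domain with the customer in Reply-To) can be compared with a small evaluator. It covers only the `ip4`, `include` and `all` mechanisms, uses constructed records for the hypothetical domains `daughter.example`, `daughter-optin.example` and `photos.example`, and assumes the service puts the same address in the SMTP envelope sender, which is the identity SPF checks.

```python
import ipaddress

# Constructed DNS TXT data (domain -> SPF record). Every name and address here
# is a made-up placeholder from documentation ranges, not a published record.
SPF_RECORDS = {
    # Hypothetical photo/card service and its outbound mail range.
    "photos.example": "v=spf1 ip4:192.0.2.0/24 -all",
    # Customer domain that lists only its own mail server.
    "daughter.example": "v=spf1 ip4:198.51.100.25 -all",
    # Customer domain that has "given permission" to the service via include:.
    "daughter-optin.example": "v=spf1 ip4:198.51.100.25 include:photos.example -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DEPTH = 10  # recursion cap assumed for this sketch


def check_host(ip, domain, records=SPF_RECORDS, depth=0):
    """Evaluate a subset of SPF (ip4, include, all) for a client IP and sender domain."""
    if depth > MAX_DEPTH:
        return "permerror"
    record = records.get(domain)
    if record is None:
        return "none"  # domain publishes no policy
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            try:
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed network in the record
        elif name == "include":
            inner = check_host(ip, arg, records, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"  # included domain has no usable record
            matched = inner == "pass"  # any other inner result means "no match"
        else:
            return "permerror"  # mechanism outside this sketch
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all"


def scenarios():
    """Results a receiving server would compute for mail arriving from the service."""
    service_ip = "192.0.2.10"  # constructed: one of the service's outbound hosts
    return {
        # Service uses the customer's address; customer never listed the service.
        "customer_address_no_optin": check_host(service_ip, "daughter.example"),
        # Same mail, but the customer's domain authorised the service.
        "customer_address_with_include": check_host(service_ip, "daughter-optin.example"),
        # Service sends under its own domain, customer only in Reply-To.
        "service_own_domain": check_host(service_ip, "photos.example"),
        # Host outside both ranges claiming the opted-in domain.
        "unrelated_host": check_host("203.0.113.77", "daughter-optin.example"),
    }


if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case}: {result}")
```

A `pass` in the `include:` case only says the service's host is authorised for that domain; it says nothing about who typed the address into the service's form, which is the verification gap raised earlier in the thread.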


Re: Kodak, American Greeting, et al. [ In reply to ]
We are in general agreement, it is just that I don't think "I" can educate
KODAK, they seem to have been immune to education so far. And, I have the
problem with daughter and granny, and a number of like cases.

Further, I don't know what the RFQs say about the From: address other than I
am sure it should at least refer to either the e-mail address of the putative
sender (daughter) or the domain of the physical message sender. I.e. either
mydomain.com or kodak.com.

It can't claim to come from Don@DonaldTrump.com.

Cary
----- Original Message -----
From: "jpinkerton" <johnp@idimo.com>
To: <spf-help@v2.listbox.com>
Sent: Saturday, August 28, 2004 3:06 PM
Subject: Re: [spf-help] Kodak, American Greeting, et al.


> I don't dispute your reasoning, but I would say that it is overly
> complicated. The simple solution is for Kodak (or whoever) to send the mail
> with a correct ReplyTo: and From: . By doing that granny has no reason to
> reject the mail -- it passes the spf check and it should get past her
> spamassassin checks too. The subject could read "From
> daughter@daughters-domain.com " and the body could contain a clickable link
> for granny to hit in order to send her thanks for the card.
>
> I find it strange that organisations as large as Kodak (and others) need to
> be defended in their mis-use of e-mail. Much better to gradually educate
> these corporations into a *very* small change in their response set-ups, and
> we can leave granny and daughter alone and they will easily find their way
> around the slight change in the card format.
>
> SPF and the various other schemes are proceeding towards being a required
> standard, and we just have to make sure there is a "fix-it" for all the
> perceived problems as we go along. You very rightly raised this one, and I
> am merely suggesting the easiest workaround for them which will comply with
> all the hopefully-soon standards. Personally - I would reject a card from
> Kodak - so don't send me one for Christmas ;-)
>
>
> Slainte,
>
> JohnP.
> johnp@idimo.com
> ICQ 313355492
>
>
>
>
>
> ----- Original Message -----
> From: "Cary Fitch" <sage@usawide.net>
> To: <spf-help@v2.listbox.com>
> Sent: Saturday, August 28, 2004 9:33 PM
> Subject: Re: [spf-help] Kodak, American Greeting, et al.
>
>
> > There is a lot of truth in what you say, but "ovbiously" we should have
> > required/enabled RDNS checking long ago. RDNS is at least a clear and
> actual
> > standard or "RFQ". If they don't have to comply with RDNS, how can we
> > legitimately suddenly define the exact use of the from field and the
> > consequences for percieved error?
> >
> > I am not sure the definition of the From field says it has to come from
> the
> > server that is "a" or "the only" server that serves that domain. Given
> the
> > loose history of the Internet and e-mail and formerly highly acceptable
> (and
> > still legal!) practice of open relays, I strongly suspect that there is
no
> > requirement that the from address be related to the the server that sent
> the
> > mail to us.
> >
> > We as people running a business can do whatever we want including using
> SPF
> > or RBLs, but what I am speaking to is a non abusive use of a foreign
mail
> > server for a valid reason. They are providing the/our/their customer a
> > unique and worthwhile service.
> >
> > It is the mail addess of the "human" originator, or the address of the
> role
> > of the orginator like "postamaster" for instance and if he wants the
> reply
> > to go to another address, he can also specify a "reply to" address.
> >
> > Until someone who cares and is knowledgeable quotes the RFC, I think SPF
> is
> > doing an admirable effort, but not directly on target with this issue.
> >
> > The pictures from daughter sent to grandma, are being sent from the
> > recognizable address of daughter@mydomain.com so grandma's white list
will
> > accept them no matter what. But SPF is breaking the connection before
> they
> > even get sent.
> >
> > "Houston we have a problem!" (Apollo 13) :-)
> >
> > And this problem needs to be clarified by the SPF scheme originators and
> > sponsers.
> >
> > Cary Fitch
> >
> >
> > ----- Original Message -----
> > From: "jpinkerton" <johnp@idimo.com>
> > To: <spf-help@v2.listbox.com>
> > Sent: Saturday, August 28, 2004 1:54 PM
> > Subject: Re: [spf-help] Kodak, American Greeting, et al.
> >
> >
> > > I would have to disagree Josh, it *is* wrong. The ability to send
> e-mails
> > > with this kind of false From: or ReplyTo: is *exactly* what is
allowing
> > > spammers into the system. Hence the huge attempts to stop it
happening.
> > SPF
> > > is a good solution - albeit there are problems with multiple-hop mails
> and
> > > sub-domains, but solutions to those issuse are coming forward and hope
> > fully
> > > classic SPF with a few modifications will do the whole job.
> > >
> > > The fact that Kodak apparently doesn't even have reverse DNS on their
> > > mail-server is indicative of a sloppy outfit, and they need to get
their
> > act
> > > together.
> > >
> > > Slainte,
> > >
> > > JohnP.
> > > johnp@idimo.com
> > > ICQ 313355492
> > >
> > >
> > >
> > >
> > > ----- Original Message -----
> > > From: "Joshua Pyle" <jpyle@mansellgroup.com>
> > > To: <spf-help@v2.listbox.com>
> > > Sent: Saturday, August 28, 2004 7:14 PM
> > > Subject: RE: [spf-help] Kodak, American Greeting, et al.
> > >
> > >
> > > > I wouldn't say its WRONG, it just by SPFs standard, not allowed. I
> have
> > > many customers who want to use a "Forward to a Friend" feature and
have
> > the
> > > return email address be the person sending the email so the recieving
> > party
> > > will know who it came from. Since this is not allowed, we use another
> > > method something similiar to the email earlier this morning I wrote.
> > > >
> > > > Josh
> > > >
> > > > -----Original Message-----
> > > > From: adealey@omnex.com [mailto:adealey@omnex.com]
> > > > Sent: Sat 8/28/2004 12:18 PM
> > > > To: spf-help@v2.listbox.com
> > > > Cc:
> > > > Subject: Re: [spf-help] Kodak, American Greeting, et al.
> > > >
> > > > The companies who do this sort of spoofing are simply in the wrong.
> > > > Unfortunately there are an unbelievably large number of large companies
> > > > who should know better who do it.
> > > >
> > > > Even when not subverted by a third party, the practice is inappropriate.
> > > > And most of the companies which have services that do this do nothing at
> > > > all to prevent it being subverted by third-parties.
> > > >
> > > > I file complaints with the company about their practices.
> > > >
> > > > And then I tell my users, "Sorry, the service you are using sends email
> > > > which violates acceptable practices." I don't cave in. I also suggest
> > > > that the user complain and find an alternative service (if I know of
> > > > any, I list them). Finally, I explain that the service they are using
> > > > would allow someone else to impersonate mail sent from them. Since
> > > > adding the final note, not a single user has complained and many have
> > > > thanked me.
> > > >
> > > > arley
> > > >
> > > > > > American Greetings send greeting cards from their server with the
> > > > > > sender's e-mail address as the from address and Kodak sends pictures
> > > > > > that actually "belong" to the client from their server with the
> > > > > > client's from address.
> > > > > >
> > > > > > Both of these are legitimate because the sending person is actually
> > > > > > the person whose e-mail address is being used, but it plays havoc
> > > > > > with the SPF scheme.
> > > >
> > > > Cary,
> > > >
> > > > Your last sentence above is where the problem lies. For me, as an end
> > > > user, there is absolutely no way for me to know Kodak, etc's policies
> > > > regarding authentication. You say "the sending person is actually the
> > > > person whose email address is being used", but that cannot be for sure.
> > > > When a greeting card is sent, there is NO verification that the email
> > > > address belongs to the person typing it.
> > > >
> > > > Regards,
> > > > Marc Alaia
Re: Kodak, American Greeting, et al. [ In reply to ]
On Sat, Aug 28, 2004 at 10:57:51AM -0400, marc@alaia.net wrote:
> > American Greetings send greeting cards from their server with the sender's
> > e-mail address as the from address and Kodak sends pictures that actually
> > "belong" to the client from their server with the client's from address.
> >
> > Both of these are legitimate because the sending person is actually the
> > person whose e-mail address is being used, but it plays havoc with the SPF
> > scheme.
>
> Cary,
>
> Your last sentence above is where the problem lies. For me, as an end user,
> there is absolutely no way for me to know Kodak, etc's policies regarding
> authentication. You say "the sending person is actually the person whose
> email address is being used", but that cannot be for sure. When a greeting
> card is sent, there is NO verification that the email address belongs to
> the person typing it.

In the long run this might even turn out to be the newest spam portal
that will be used by spammers if ever the time comes they cannot spoof
our domains anymore. They would send generic baby pictures around with
the caption 'The baby is finally there, we used vi@grA and he gO-t it up
and WE DID IT!'

:)

--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/

Re: Kodak, American Greeting, et al. [ In reply to ]
I wouldn't worry about educating the likes of Kodak, they will make the
adjustment as soon as the standard is agreed and implemented. When they
come to us all anxious and asking for help -- *then* we can tell them "Yes -
we saw your usage methods and the problems caused, and here is the fix."



Slainte,

JohnP.
johnp@idimo.com
ICQ 313355492




----- Original Message -----
From: "Cary Fitch" <sage@usawide.net>
To: <spf-help@v2.listbox.com>
Sent: Saturday, August 28, 2004 11:04 PM
Subject: Re: [spf-help] Kodak, American Greeting, et al.


> We are in general agreement, it is just that I don't think "I" can educate
> KODAK, they seem to have been immune to education so far. And, I have the
> problem with daughter and granny, and a number of like cases.
>
> Further, I don't know what the RFQs say about the From: address other than I
> am sure it should at least refer to either the e-mail address of the putative
> sender (daughter) or the domain of the physical message sender. I.e. either
> mydomain.com or kodak.com.
>
> It can't claim to come from Don@DonaldTrump.com.
>
> Cary
> ----- Original Message -----
> From: "jpinkerton" <johnp@idimo.com>
> To: <spf-help@v2.listbox.com>
> Sent: Saturday, August 28, 2004 3:06 PM
> Subject: Re: [spf-help] Kodak, American Greeting, et al.
>
>
> > I don't dispute your reasoning, but I would say that it is overly
> > complicated. The simple solution is for Kodak (or whoever) to send the mail
> > with a correct ReplyTo: and From: . By doing that granny has no reason to
> > reject the mail -- it passes the spf check and it should get past her
> > spamassassin checks too. The subject could read "From
> > daughter@daughters-domain.com " and the body could contain a clickable link
> > for granny to hit in order to send her thanks for the card.
> >
> > I find it strange that organisations as large as Kodak (and others) need to
> > be defended in their mis-use of e-mail. Much better to gradually educate
> > these corporations into a *very* small change in their response set-ups, and
> > we can leave granny and daughter alone and they will easily find their way
> > around the slight change in the card format.
> >
> > SPF and the various other schemes are proceeding towards being a required
> > standard, and we just have to make sure there is a "fix-it" for all the
> > perceived problems as we go along. You very rightly raised this one, and I
> > am merely suggesting the easiest workaround for them which will comply with
> > all the hopefully-soon standards. Personally - I would reject a card from
> > Kodak - so don't send me one for Christmas ;-)
> >
> >
> > Slainte,
> >
> > JohnP.
> > johnp@idimo.com
> > ICQ 313355492
> >
> >
> >
> >
> >
> > ----- Original Message -----
> > From: "Cary Fitch" <sage@usawide.net>
> > To: <spf-help@v2.listbox.com>
> > Sent: Saturday, August 28, 2004 9:33 PM
> > Subject: Re: [spf-help] Kodak, American Greeting, et al.
> >
> >
> > > There is a lot of truth in what you say, but "obviously" we should have
> > > required/enabled RDNS checking long ago. RDNS is at least a clear and
> > > actual standard or "RFQ". If they don't have to comply with RDNS, how can
> > > we legitimately suddenly define the exact use of the from field and the
> > > consequences for perceived error?
> > >
> > > I am not sure the definition of the From field says it has to come from
> > > the server that is "a" or "the only" server that serves that domain. Given
> > > the loose history of the Internet and e-mail and formerly highly
> > > acceptable (and still legal!) practice of open relays, I strongly suspect
> > > that there is no requirement that the from address be related to the
> > > server that sent the mail to us.
> > >
> > > We as people running a business can do whatever we want including using
> > > SPF or RBLs, but what I am speaking to is a non abusive use of a foreign
> > > mail server for a valid reason. They are providing the/our/their customer
> > > a unique and worthwhile service.
> > >
> > > It is the mail address of the "human" originator, or the address of the
> > > role of the originator like "postmaster" for instance and if he wants the
> > > reply to go to another address, he can also specify a "reply to" address.
> > >
> > > Until someone who cares and is knowledgeable quotes the RFC, I think SPF
> > > is doing an admirable effort, but not directly on target with this issue.
> > >
> > > The pictures from daughter sent to grandma, are being sent from the
> > > recognizable address of daughter@mydomain.com so grandma's white list will
> > > accept them no matter what. But SPF is breaking the connection before
> > > they even get sent.
> > >
> > > "Houston we have a problem!" (Apollo 13) :-)
> > >
> > > And this problem needs to be clarified by the SPF scheme originators and
> > > sponsors.
> > >
> > > Cary Fitch
> > >
> > >
> > > ----- Original Message -----
> > > From: "jpinkerton" <johnp@idimo.com>
> > > To: <spf-help@v2.listbox.com>
> > > Sent: Saturday, August 28, 2004 1:54 PM
> > > Subject: Re: [spf-help] Kodak, American Greeting, et al.
> > >
> > >
> > > > I would have to disagree Josh, it *is* wrong. The ability to send
> > > > e-mails with this kind of false From: or ReplyTo: is *exactly* what is
> > > > allowing spammers into the system. Hence the huge attempts to stop it
> > > > happening. SPF is a good solution - albeit there are problems with
> > > > multiple-hop mails and sub-domains, but solutions to those issues are
> > > > coming forward and hopefully classic SPF with a few modifications will
> > > > do the whole job.
> > > >
> > > > The fact that Kodak apparently doesn't even have reverse DNS on their
> > > > mail-server is indicative of a sloppy outfit, and they need to get their
> > > > act together.
> > > >
> > > > Slainte,
> > > >
> > > > JohnP.
> > > > johnp@idimo.com
> > > > ICQ 313355492
Re: Kodak, American Greeting, et al. [ In reply to ]
> I strongly suspect that there is no
> requirement that the from address be related to the server that sent
> the mail to us.

That's certainly the case on the servers I've just tested, which would
*appear* to give us a simple solution to the dilemma (I'm no SPF expert,
so this could all be disastrously wrong) :-

- Kodak et al. should send email with an envelope address that belongs to
them. This should get them round the SPF check.

- They should set the From: address to the originator of the
image/whatever. This should leave the recipient to see the address of
their trusted relative despite the envelope being from someone very
different.

Discuss ;-)

> We as people running a business can do whatever we want including using
> SPF
> or RBLs, but what I am speaking to is a non abusive use of a foreign mail
> server for a valid reason.

I strongly disagree. This is abusive!

When one of my users sends mail from my server, that mail goes through a
number of hoops before it is transmitted. They are my hoops - I've put
them in place deliberately, and I would be more than upset should someone
try to circumvent them.

Any other server forging my domain name is circumventing my controls and
therefore putting my reputation at risk - whether or not one of my users
wanted that to happen or not. It's my server, my rules, my responsibility.
I wish to retain control over my reputation...

> They are providing the/our/their customer a unique and worthwhile service.

Perhaps - but that doesn't entitle them to impersonate my server.

Vic.
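
What the two-step proposal in the message above changes at the receiving server, as an added example that is not part of the original post or any poster's code: a deliberately small SPF evaluator (only `ip4`, `include` and `all`) run over constructed policies. The domains `mydomain.example`, `cards.example`, `_spf.mailer.example`, the addresses and all function names are assumptions made for the illustration; classic SPF is evaluated against the envelope sender's domain, so the displayed From: address is reported separately.

```python
import ipaddress
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed SPF policies for placeholder domains (not real DNS records).
SPF_RECORDS = {
    "mydomain.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "cards.example": "v=spf1 ip4:198.51.100.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:203.0.113.16/28 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, domain, depth=0):
    """Evaluate the ip4/include/all subset of SPF for the given domain."""
    record = SPF_RECORDS.get(domain.lower())
    if record is None:
        return "none"
    if depth > 10:  # guard against include loops
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            inner = check_spf(client_ip, arg, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"  # only an inner pass counts as a match
        else:
            return "permerror"  # mechanism outside this example's subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and there was no "all"


def build_card(header_from, reply_to=None):
    """Build the card message; these headers are what the recipient sees."""
    msg = EmailMessage()
    msg["From"] = header_from
    msg["To"] = "grandma@recipient.example"
    if reply_to:
        msg["Reply-To"] = reply_to
    msg["Subject"] = "Pictures of the new baby"
    msg.set_content("Constructed sample body.")
    return msg


def receive(client_ip, envelope_from, msg):
    """Return what a receiver running the SPF check above would record."""
    spf_domain = envelope_from.rpartition("@")[2]
    header_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2]
    return {
        "spf_domain": spf_domain,
        "spf": check_spf(client_ip, spf_domain),
        "displayed_from": str(msg["From"]),
        # True only when the address the user sees is in the checked domain.
        "from_covered": header_domain.lower() == spf_domain.lower(),
    }


SERVICE_IP = "198.51.100.25"  # constructed address of the card service's server
DAUGHTER = "daughter@mydomain.example"


def scenario_current():
    """Service uses the customer's address as envelope sender and From:."""
    return receive(SERVICE_IP, DAUGHTER, build_card(DAUGHTER))


def scenario_proposed():
    """Envelope sender belongs to the service; From: stays the customer's."""
    return receive(SERVICE_IP, "bounces@cards.example", build_card(DAUGHTER))


if __name__ == "__main__":
    for name, result in (("current", scenario_current()),
                         ("proposed", scenario_proposed())):
        print(name, result)
```

In the proposed scenario the `pass` applies to `cards.example` only and `from_covered` is false, so the receiver has learned that the service authorized its own server, not that the displayed sender typed their own address.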

Re: Kodak, American Greeting, et al. [ In reply to ]
----- Original Message -----
From: "Vic" <vic@yellowside.org.uk>
To: <spf-help@v2.listbox.com>
Sent: Sunday, August 29, 2004 9:57 AM
Subject: Re: [spf-help] Kodak, American Greeting, et al.


> - Kodak et al. should send email with an envelope address that belongs to
> them. This should get them round the SPF check.

Agreed... and I don't know why they aren't, but they (and 100,000's of
others) don't do reverse DNS either, and so many people don't do things
right that we need a system that works on its own data, not depending on other
people to do things "right".

They probably don't have a clue on this if they don't run SPF themselves, and
SPF is minuscule in numbers compared to servers on the net today.

> - They should set the From: address to the originator of the
> image/whatever. This should leave the recipient to see the address of
> their trusted relative despite the envelope being from someone very
> different.
>
> Discuss ;-)

Agreed, but see above.


> > We as people running a business can do whatever we want including using
> > SPF or RBLs, but what I am speaking to is a non abusive use of a foreign
> > mail server for a valid reason.
>
> I strongly disagree. This is abusive!

I don't think so, the message originator daughter@xxxxxx.net is just a poor
uneducated customer and she thinks the address is hers. It is a little like
phone numbers. Used to they belonged to the phone company. Now they belong
to the user and they can take them with them. Maybe the facts aren't
exactly the same, but the user may have a strong feeling that they can and
SHOULD send mail from their recognizable address anytime, anywhere.


> When one of my users sends mail from my server, that mail goes through a
> number of hoops before it is transmitted. They are my hoops - I've put
> them in place deliberately, and I would be more than upset should someone
> try to circumvent them.
>
> Any other server forging my domain name is circumventing my controls and
> therefore putting my reputation at risk - whether or not one of my users
> wanted that to happen or not. It's my server, my rules, my responsibility.
> I wish to retain control over my reputation...

Perhaps this is true... if the envelope should say "kodak" and it says
"yourdomain" then that is wrong, but it is probably a totally innocent
error, because nobody ever cared before this.

> > They are providing the/our/their customer a unique and worthwhile service.
>
> Perhaps - but that doesn't entitle them to impersonate my server.
>
> Vic.


Cary


RE: Kodak, American Greeting, et al. [ In reply to ]
What's sad is they can at least capture the IP address and they should
put a note that the dns name that this came from was XX. This doesn't do
them a lot of good as people may be anywhere (kiosk, work etc) and use
their home or some free email service.

-----Original Message-----
From: owner-spf-help@v2.listbox.com
[mailto:owner-spf-help@v2.listbox.com] On Behalf Of Cary Fitch
Sent: Sunday, August 29, 2004 12:21 PM
To: spf-help@v2.listbox.com
Subject: Re: [spf-help] Kodak, American Greeting, et al.




Re: Kodak, American Greeting, et al. [ In reply to ]
----- Original Message -----
From: <marc@alaia.net>
To: <spf-help@v2.listbox.com>
Sent: Saturday, August 28, 2004 10:57 AM
Subject: Re: [spf-help] Kodak, American Greeting, et al.


> > American Greetings send greeting cards from their server with the sender's
> > e-mail address as the from address and Kodak sends pictures that actually
> > "belong" to the client from their server with the client's from address.
> >
> > Both of these are legitimate because the sending person is actually the
> > person whose e-mail address is being used, but it plays havoc with the SPF
> > scheme.
>
> Cary,
>
> Your last sentence above is where the problem lies. For me, as an end
> user, there is absolutely no way for me to know Kodak, etc's policies
> regarding authentication. You say "the sending person is actually the
> person whose email address is being used", but that cannot be for sure.
> When a greeting card is sent, there is NO verification that the email
> address belongs to the person typing it.
>
> Regards,
> Marc Alaia

It usually is. The ratio of spam to ham for them is quite low.

Not that this is not an error in the "From:" line, or in the "Reply-To:"
line which is what they should really be using to include the sender's email
address. What they are doing is including the sender's email sending source
in the "FROM" transaction, in order that bounces to the message go to the
sender instead of winding up in the mail queues at Kodak.

Kodak needs to implement SRS, which is easily looked up at spf.pobox.com.

Re: Kodak, American Greeting, et al. [ In reply to ]
At 23:48 +0200 28.08.2004, Koen Martens wrote:
>In the long run this might even turn out to be the newest spam portal
>that will be used by spammers if ever the time comes they cannot spoof
>our domains anymore. They would send generic baby pictures around with
>the caption 'The baby is finally there, we used vi@grA and he gO-t it up
>and WE DID IT!'

I've seen occasional "You have received a greetings card from ..."
spams. I haven't ever bothered to open any of them (I ignore these
damn things when they come from people that I do know as well; if
they have anything to say to me, they can mail me direct), so I don't
know if these are:

a. Spam domains masquerading as greetings card services
b. Greetings card services advertising themselves by spam
c. Spammers exploiting 'legitimate' greetings card services

I think there's a fair amount of (a) already going on: a Brazilian
spammer has me in his sights, and hardly a day goes by without me
getting four or five messages whose subject reads "Voci recebeu um
lovelycard" or variations on that theme.

The barrier to (c) will be the relative difficulty of pumping out
mass spam through a greetings card service. Most of them will only
allow the spammer to send to one address at a time. Even if the
spammer could automate the procedure, if the technique ever becomes
widespread then the greetings card service could just 'throttle' them
- only allow one posting per IP every minute, which would probably
reduce the sending rate to below the threshold of usefulness for
spammers. The greetings card services could also potentially
implement a CAPTCHA scheme to keep out the bots, but I suspect that
they will be reluctant to hold up another hoop for their
not-too-techno-savvy users to jump through.

Angus
