On Saturday, January 28, 2012 01:09:40 PM Alessandro Vesely wrote:
> On 26/Jan/12 01:28, Scott Kitterman wrote:
> > On Wednesday, January 25, 2012 04:08:35 PM Murray S. Kucherawy wrote:
> >>>> How does the domain owner receive reports of others trying to use the
> >>>> domain to send mail? If the domain owner has said via the SPF record
> >>>> that the domain doesn't send mail, I would be highly surprised if the
> >>>> domain owner has configured anything to accept mail at that domain.
> >>>
> >>> If he wants to get the reports, he'd better.
> >>
> >> Do we need to call out this (somewhat obvious) situation in the draft?
> >
> > I hope we don't need to say that if you ask for reports you aren't going
> > to get them unless you configure your system to accept them.
>
> Derek's concern seems legitimate to me. Although John's note may seem
> obvious, let me recall that SPF is rather weak at checking helo names
> because of a very similar reason. We are demanding too much diligence
> from domain admins, for a task they can achieve more easily by tracing
> an included exists mechanism.

Why is SPF 'weak' at checking HELO names? I think I misunderstand something
about the premise of your statement. What diligence are we asking for that is
too much?

> On the other hand, dkim-reporting has an rd= tag that makes such
> flexibility possible. What is the use case where rd= is different
> than d=? Why cannot we have the following for spf-reporting?

I missed that we still had that in the DKIM draft and I've sent a note
regarding changing that as well. I think it's better to keep the reports being
sent back to the relevant domain (SPF domain as defined in check_host() or d=
domain for DKIM) and let them make arrangements to relay them elsewhere if
needed than to allow these messages to be sent to arbitrary domains that may
not be expecting them.

Here's the security consideration we retired when we changed it to work the
way it is now:

"6.2. Reports From Unrelated Domains

SPF records can be used by other domains via include mechanisms and redirect
modifiers. If reporting addresses included in these records are specified
with a full addr-spec then reports for other, potentially unrelated, domains
may be reported to this address. In theory, malicious senders might use this
as a path for generating large numbers of feedback reports. To mitigate this
issue, specify reporting addresses with a local-part so that reports will be
directed to the original domain from which the message causing the feedback
report was sent."

I think this was a good change and the DKIM draft should be changed similarly.

Scott K
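
The difference between the retired full addr-spec form and the local-part form, as an added example that is not part of the original message or of the draft. It is a simplified model that follows only `redirect=`, all domains and records are constructed sample data, and the modifier name `ra=` is the reporting-address modifier from RFC 6652, which the message does not name.

```python
from collections import Counter

# Constructed sample records (not real DNS data).
RECORDS = {
    # Current style: the shared record carries only a local-part.
    "brand.example": "v=spf1 redirect=_spf.provider.example",
    "shop.example": "v=spf1 redirect=_spf.provider.example",
    "_spf.provider.example": "v=spf1 ip4:192.0.2.0/24 ra=spf-reports -all",
    # Retired style (hypothetical): the shared record carries a full addr-spec.
    "tenant-a.example": "v=spf1 redirect=_spf.legacy.example",
    "tenant-b.example": "v=spf1 redirect=_spf.legacy.example",
    "_spf.legacy.example": "v=spf1 ip4:198.51.100.0/24 ra=reports@legacy.example -all",
}

def modifier(terms, name):
    """Return the value of the first 'name=value' term, or None."""
    prefix = name + "="
    return next((t[len(prefix):] for t in terms if t.startswith(prefix)), None)

def effective_terms(domain, records, limit=10):
    """Follow redirect= modifiers and return the terms of the record that applies."""
    for _ in range(limit):  # loop guard against redirect cycles
        terms = records[domain].split()[1:]
        target = modifier(terms, "redirect")
        if target is None:
            return terms
        domain = target
    raise ValueError("redirect chain too long")

def report_address(spf_domain, records):
    """Mailbox that receives a failure report for mail checked against spf_domain."""
    ra = modifier(effective_terms(spf_domain, records), "ra")
    if ra is None:
        return None
    if "@" in ra:
        # Retired behaviour: one fixed mailbox, whichever domain reused the record.
        return ra
    # Current behaviour: local-part is joined to the domain that was checked.
    return f"{ra}@{spf_domain}"

def report_fanout(spf_domains, records):
    """Count how many reports each mailbox would receive."""
    return Counter(report_address(d, records) for d in spf_domains)

if __name__ == "__main__":
    print(report_fanout(["brand.example", "shop.example"], RECORDS))
    print(report_fanout(["tenant-a.example", "tenant-b.example"], RECORDS))
```

With the local-part form each domain that reuses the shared record gets its own reports; with the full addr-spec form every report converges on one mailbox that the reusing domains do not control.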
