I agree BATV is wrong concept and that Message-ID signing is the way to go for ASSP.
I was assuming your concern for following the draft was if you were implementing it as a feature in V2 or something that I did not know about, if not then ignore all previous comment about adding the tag on outgoing. I have no interest in BATV feature either except it is adversely affecting my email server. I think I have not explained the issue I am seeing very well. In simple terms I have a LARGE number of (legitimate) clients/suppliers whose email servers envelope sender has a malformed BATV tag. This causes ASSP to not recognise them as otherwise whitelisted. These are not bounce messages but actual regular email messages. I don't see any reason for ASSP to be strict in stripping out BATV tags for the purposes of checking if the envelope sender is on the whitelist or not. There would be no advantage to a spammer in adding a malformed BATV tag as it is the <user @ domain> component that is whitelisted and if a spammer knows that they will get the email through anyway. As such being strict about whether a BATV tag is correct or not for the purposes of checking against the whitelist only harms the user and adds no spam prevention value. Hopefully this is clearer? PS: All of the malformed tags I have seen still at least follow prvs=<some tag value>= but often have 3 digits at the start instead of 4, or a 5 character hash instead of 6 so "prvs=.*=" or "prvs=\d+\w+=" or similar work fine but "prvs=\d\d\d\d\w{6}=" will of course fail to strip out the tags and then ASSP treats the sender as not whitelisted even if they are. John. Some examples below just in the past month... prvs=154507940=user at csiro.au prvs=497c69323=user at sick.com.au prvs=183223242=user at oakleighcentre.org prvs=1883d2545=user at mackayrubber.com.au prvs=1936878be=user at ap.jll.com prvs=20372b8ee=user at nord.com prvs=2077c0d5c=user at portofmelbourne.com prvs=0219cf1c9c=user at neighbourhood.com.au -----Original Message----- From: Thomas Eckardt [mailto:thomas.ecka...@thockar.com] Sent: Friday, 23 May 2014 5:18 AM To: For Users of ASSP Subject: Re: [Assp-user] FW: FW: V14141 BATV is a wrong concept. Use the Message-ID signing. This works hidden and perfect. Thomas Von: "John Calvi" <webform...@lewis.com.au> An: <assp-user@lists.sourceforge.net> Datum: 22.05.2014 09:20 Betreff: [Assp-user] FW: FW: V14141 I certainly don't want to whitelist malformed BATV tags, refer below. The draft is not very strict, BUT I agree ASSP should follow the draft convention for PRVS for its own BATV validation purposes, but it need NOT be strict about stripping other mail servers PRVS implementations out for whitelisting purposes. Eg. If I email thomas.ecka...@thockar.com (with auto whitelisting and BATV PRVS enables) then ASSP should whitelist thomas.ecka...@yourdomain.com and send the email from prvs=1234abcdef=jcalvi@ <mailto:prvs=1234abcdef=jca...@mydomain.com%20> mydomain.com as per the draft. If you then try to reply to me with your server that implements PRVS not exactly as per the draft, eg prvs=1234abcde=thomas.ecka...@yourdomain.com <mailto:prvs=1234abcde=thomas.ecka...@yourdomain.com%20> instead of eg prvs=1234abcdef=thomas.ecka...@yourdomain.com <mailto:prvs=1234abcdef=thomas.ecka...@yourdomain.com%20> then my ASSP server should still recognise that it is you replying and that you were whitelisted. Hope this makes sense. I am seeing these tags from very legitimate users at large multinational companies, Eg NORD.COM, CSIRO.AU, SICK.COM.AU etc. John. ---------------------------------------------------------------------------- -- "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE Instantly run your Selenium tests across 300+ browser/OS combos. Get unparalleled scalability from the best Selenium testing platform available Simple to use. Nothing to install. Get started now for free." http://p.sf.net/sfu/SauceLabs _______________________________________________ Assp-user mailing list Assp-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/assp-user DISCLAIMER: ******************************************************* This email and any files transmitted with it may be confidential, legally privileged and protected in law and are intended solely for the use of the individual to whom it is addressed. This email was multiple times scanned for viruses. There should be no known virus in this email! ******************************************************* ------------------------------------------------------------------------------ "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE Instantly run your Selenium tests across 300+ browser/OS combos. Get unparalleled scalability from the best Selenium testing platform available Simple to use. Nothing to install. Get started now for free." http://p.sf.net/sfu/SauceLabs _______________________________________________ Assp-user mailing list Assp-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/assp-user