On 2/27/2013 7:57 AM, Tim Draegen wrote:
> On Feb 27, 2013, at 7:42 AM, Dave Crocker <[email protected]> wrote:
>> If the usage was authorized by the customers, it wasn't spoofing.
>
> Agreed!
>
>> This isn't a minor nit-picking about wording. Using a label that
>> has the semantic of abuse, for an action that is entirely
>> legitimate, continues to confuse discussion about actual abuse.
>
> Considering the domain under discussion is using DMARC with a
> p=reject policy, we're left in a situation where the domain owner is
> clearly stating that unauthorized use of the domain is disallowed.

We're actually left with a number of alternative possibilities. Three
of them are: 1) the domain usage is unauthorized, and 2) PayPal has a
configuration error, and 3) PayPal has a policy error. No doubt there
are more possibilities.

By saying 'spoofing' the entire topic is vectored toward a lack of
authorization, which I strongly suspect is the least likely possibility
in this case.

While most serious workers deep into DMARC, etc., really do know what
they do and do not mean, when they use the word spoofing, this field is
filled with folk whose involvement is far more casual, never mind the
folk who are farther out on the periphery (like reporters). We need to
use language that doesn't mislead.[*]

> Because PayPal is using the domain anyway, that puts them into the
> bucket of "abuser", their practice is "spoofing", and "actual abuse"
> is a subjective term.

d/
[*] It would also be nice if CEOs of abuse-related startups didn't claim
that "simply" having had SMTP do (some sort of undefined) authorization
would have prevented abuse... ahem!
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net