
Re: [Asrg] Unintended consequence of SPF

2006-03-16 14:45:56
At 8:41 AM -0800 3/16/06, ajv-oarybolive(_at_)vsta(_dot_)org wrote:
---------------
Hi,

I just attempted to put in a work request for my Sirius radio subscription,
via their web site.  Whaddya know, I got an E-mail bounce back from them.
Turns out that Sirius uses electric.net behind the scenes, and your web
submission turns into an E-mail submission with a From: which is filled in
to look like a request from your own E-mail address.

A bad practice. One that is extremely common, but which has always been lazy and unwise, even before SPF and even before spam was a significant problem.

It also turns out that electric.net uses SPF, and it looks at that From:
address, asks my vsta.org where E-mail can come from, and bounces the
(internally generated) E-mail.

This is not an SPF side-effect, it is a "too stupid to run any service involving mail" side effect.

Thank god the bounce came back to me,
otherwise it would've been just another black hole customer service
scenario.

Word is going to have to get out that spoofing From addresses--even for
internal purposes--is a Bad Idea.  At least in an SPF-ish kind of world.

We do not now and are likely never to live in an SPF-ish kind of world.

That said, SPF is known to have those sorts of issues: it makes various types of stupidity fragile and also breaks generally workable tricks like transparent forwarding that are commonplace and accepted but are not consistent with the SPF world-view.

It is not really accurate to call that sort of breakage an unintended consequence, since the people who defined SPF as it is today were fully aware of the sorts of behaviors that SPF is inconsistent with.

--
Bill Cole
bill(_at_)scconsult(_dot_)com


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
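
The failure described in this thread, as an added example that is not part of the original message: a simplified SPF check (only `ip4` and `all` mechanisms) run against a web form host that sends once as the user's address and once as its own domain. The domains, addresses, records and function names are constructed for illustration.

```python
import ipaddress

# Constructed SPF records (example domains, TEST-NET addresses); not real DNS data.
SPF_RECORDS = {
    "user.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "forms.example": "v=spf1 ip4:198.51.100.25 -all",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender, client_ip, records=SPF_RECORDS):
    """Evaluate a simplified SPF policy (ip4 and all mechanisms only)."""
    domain = sender.rsplit("@", 1)[-1].lower()
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # domain publishes no policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mechanism = term.lstrip("+-~?")
        if mechanism == "all":
            return RESULTS[qualifier]
        if mechanism.startswith("ip4:"):
            net = ipaddress.ip_network(mechanism[4:], strict=False)
            if ip in net:
                return RESULTS[qualifier]
    return "neutral"  # no mechanism matched


def form_submission_results(user_addr, form_host_ip):
    """Compare the two sender choices a web form can make for the same request."""
    return {
        # Form sends as the user: judged by the user's domain policy.
        "sender_is_user": check_spf(user_addr, form_host_ip),
        # Form sends as its own domain instead: judged by its own policy.
        "sender_is_service": check_spf("webform@forms.example", form_host_ip),
    }


if __name__ == "__main__":
    print(form_submission_results("alice@user.example", "198.51.100.25"))
```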