On Wed, Jul 28, 2004 at 04:23:11PM +1000, Terje Petersen wrote:
|
| And if, when there is a SUBMITTER parameter, you no longer test the
| validity of the BOUNCE address, then isn't that just another loophole to
| allow denial of service attacks?
|
| For instance a virus sends itself as follows:-
|
| MAIL FROM:<bill(_at_)microsoft(_dot_)com>
| SUBMITTER=<infectedsucker(_at_)xyz(_dot_)com>
| RCPT TO:<random(_dot_)address(_at_)somewhere(_dot_)com>
|
| The SUBMITTER address may pass the SPF check, but down the track all the
| non-deliverable mail bounces back to poor old bill.
|
| You seem to be giving up one of the prime benefits of SPF classic.
|
If SUBMITTER appears on your whitelist, then you are
infectedsucker(_at_)xyz(_dot_)com, and can presumably do something
about it.
If SUBMITTER does not appear on your whitelist, then you can
reject the message even if the SPF check passes.
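Added example, not from the thread or any SPF implementation: a small Python model of the acceptance policy the reply describes, using Terje's virus scenario as constructed input. The Envelope type, the caller-supplied SPF evaluator and the whitelist shape (addresses or domains) are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Set, Tuple


@dataclass
class Envelope:
    mail_from: str                    # MAIL FROM: the bounce (return-path) address
    rcpt_to: str                      # RCPT TO
    submitter: Optional[str] = None   # SUBMITTER= parameter, if the sender gave one


def domain_of(addr: str) -> str:
    """Domain part of an address, lower-cased; '' if there is no '@'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def decide(env: Envelope,
           spf_result_for: Callable[[str], str],
           whitelist: Set[str]) -> Tuple[str, str]:
    """Return ('accept' | 'reject', reason).

    spf_result_for(domain) is an assumed, caller-supplied SPF evaluator for
    the connecting host; it returns 'pass', 'fail', 'softfail', 'neutral'
    or 'none'.  whitelist holds addresses or domains this site trusts to
    use SUBMITTER.
    """
    if env.submitter is None:
        # SPF classic: the bounce address itself is checked against SPF.
        if spf_result_for(domain_of(env.mail_from)) == "fail":
            return "reject", "MAIL FROM domain fails SPF"
        return "accept", "MAIL FROM domain does not fail SPF"

    # SUBMITTER present: SPF is evaluated on the SUBMITTER domain instead,
    # so an SPF pass here says nothing about the bounce address.
    if spf_result_for(domain_of(env.submitter)) != "pass":
        return "reject", "SUBMITTER domain does not pass SPF"

    trusted = (env.submitter.lower() in whitelist
               or domain_of(env.submitter) in whitelist)
    if not trusted:
        # Unknown SUBMITTER: do not accept on the strength of its SPF pass,
        # since the untested MAIL FROM would absorb every bounce.
        return "reject", "SUBMITTER passes SPF but is not on the whitelist"
    return "accept", "SUBMITTER is on the whitelist"
```

With an empty whitelist, Terje's example is rejected even though the SUBMITTER domain passes SPF; only a SUBMITTER this site has chosen to trust lets the message through.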