ietf-mxcomp
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

TECH-OMISSION: billing.victim.com is possible

2004-08-23 16:35:16
from [Daniel Quinlan] [Permanent Link] 

Since Sender-ID is defined to be using the domain (RHS) of the email
address, all a spammer/phisher needs to do is fake their email to come
from "billing.victim.com" or some other undefined host.  Then, no
Sender-ID record will be defined.  No Sender-ID record is possibly
preferrable to a spammer/phisher to an SPF failure for "victim.com" or
an SPF pass for one of their own domains.

It may be sufficient to state that an implementation MAY fail or
softfail in check_host() domain if no SPF2, MX, or A record exists.

I don't think wildcards are a full solution, but they can be used as a
flawed workaround in some situations for this issue.  This is a plus in
the column for wildcards, I think (section 2.1.7 in -protocol).

-- 
Daniel Quinlan
http://www.pathname.com/~quinlan/
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  DEPLOY: TXT vs. SPF2 queries in -protocol, Daniel Quinlan
Next by Date:  DOC-BUG: an example for "neutral" would be good in -protocol, Daniel Quinlan
Previous by Thread:  DEPLOY: TXT vs. SPF2 queries in -protocol, Daniel Quinlan
Next by Thread:  Re: TECH-OMISSION: billing.victim.com is possible, Stephane Bortzmeyer
Indexes:  [Date] [Thread] [Top] [All Lists]