spf-discuss

Re: envelope + headers: argument on autocatalytic grounds

2004-01-29 17:50:39
In <20040129234631(_dot_)GQ7601(_at_)dumbo(_dot_)pobox(_dot_)com> Meng Weng 
Wong <mengwong(_at_)dumbo(_dot_)pobox(_dot_)com> writes:

But if we check the envelope sender here is what spammers will do:
(whether or not we also check the headers)

  Return-Path: spf-ignorant@example.com  (this is the envelope sender)

  Resent-Sender: spf-ignorant@example.com
  Resent-From: joe@foo.com
  Sender: joe@foo.com
  From: joe@foo.com

The message would be accepted by the border MTA because example.com has
no SPF records; it would bounce off an overquota mailbox; and it would
bounce back to spf-ignorant@example.com.

That's also a joe-job, only this time it's not against foo.com, but
against example.com.  The spammers won't forge foo.com because foo.com
has SPF records.  (No, really, foo.com actually does.  Go check.)

The term "joe-job" used to mean only the use of forging email with the
malicious intent to cause harm to the person who owns the email, rather
than just hiding the true identity of the true sender.

For example, spammers who forge email using random addresses, some of
which happen to be "spamcop.net" aren't creating a joe-job.  On the
other hand, there have been many times that a spammer would create a
mass mailing that said something to the effect of "if you don't pay
spamcop money, we will list you on our blacklist and force you off the
net.".  That is a joe-job.

I'm afraid that the original meaning of the term "joe-job" has been
lost, much like the original meaning of "hacker".


Ok, that said, the above example is still going to cause problems for
both spf-ignorant@example.com and joe@foo.com.  People will send
complaints to abuse@foo.com, they will badmouth foo.com to their
friends, etc.


This is why we must check the envelope.

Yes.  Very much agreed.  We *must* check the envelope-from.  We can
then use that checking to help solve the problems of header forgeries.


If we check only the headers and not the envelope, you can only avoid a
joe-job by not sending bounce messages at all!  Do we want that?

Nope, we don't want that.  (Or, at least, I don't want that.)


And even then it would be real hard for the end-user to distinguish
between these four cases:

  "Here's a message from my friend Jack, sent from hallmark.com, to me."

  "Here's a message from my friend Jack, sent from some random greeting
  card site that I don't know about --- fhqwhgads.com --- to me."

  "Here's a message from service@paypal.com, sent through my forwarding
  service pobox.com, to me."

  "Here's a message from service@paypal.com, sent through some forwarding
  service I don't know about --- fhqwhgads.com --- to me."

Three of them are legitimate.  One of them is spam.  Can you tell which?

This is too ambiguous to answer.  Only the third one looks to me to be
legitimate in most cases, but only if I have actually solicited email
from paypal.com.


-wayne
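
The scenario discussed in this thread, as an added example that is not part of the original post or of any SPF implementation: it evaluates the envelope sender and each header identity separately for the quoted headers. The SPF table is a constructed stand-in for DNS lookups, and the client IP, networks and function names are assumptions.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for DNS: domain -> networks its SPF record authorizes.
# A domain absent from the table publishes no SPF record (example.com here).
SPF_TABLE = {"foo.com": ["192.0.2.0/24"]}

# Constructed message mirroring the headers quoted in the post.
# As in the post, Return-Path is taken to carry the envelope sender.
SAMPLE = """\
Return-Path: <spf-ignorant@example.com>
Resent-Sender: spf-ignorant@example.com
Resent-From: joe@foo.com
Sender: joe@foo.com
From: joe@foo.com

body
"""
IDENTITY_HEADERS = ("Resent-Sender", "Resent-From", "Sender", "From")

def spf_result(domain, client_ip, table=SPF_TABLE):
    """Return 'none', 'pass' or 'fail' for one domain (simplified SPF)."""
    nets = table.get(domain.lower())
    if nets is None:
        return "none"  # no record published: nothing to enforce
    ip = ipaddress.ip_address(client_ip)
    return "pass" if any(ip in ipaddress.ip_network(n) for n in nets) else "fail"

def domain_of(address):
    """Domain part of an address such as '<user@host>' or 'user@host'."""
    return parseaddr(address)[1].rpartition("@")[2]

def check_identities(raw, client_ip):
    """Evaluate the envelope sender and each header identity separately."""
    msg = message_from_string(raw)
    results = {"envelope": spf_result(domain_of(msg["Return-Path"]), client_ip)}
    for name in IDENTITY_HEADERS:
        if msg[name]:
            results[name] = spf_result(domain_of(msg[name]), client_ip)
    return results

def header_mismatches(raw):
    """Header identities whose domain differs from the envelope sender's."""
    msg = message_from_string(raw)
    env = domain_of(msg["Return-Path"]).lower()
    return [h for h in IDENTITY_HEADERS if msg[h] and domain_of(msg[h]).lower() != env]

if __name__ == "__main__":
    print(check_identities(SAMPLE, "203.0.113.7"), header_mismatches(SAMPLE))
```

For a client outside foo.com's authorized range, the envelope check returns "none" while the foo.com header identities return "fail".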

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.5.txt
Wiki: http://spfwiki.infinitepenguins.net/pmwiki.php/SenderPermittedFrom/