spf-discuss

Spoofed Return-Path FWIW

2004-03-18 15:14:38
Earlier this week, there was a discussion about which
header to use as the sender address: MAIL FROM (Return-Path
on my MTA) or the FROM.

Based on that discussion and Greg Connor's suggestion
and wayne's clarification of header fields and spoofing (along
with revisiting the RFCs 822, 2821, 2822) I had made the appropriate
modifications to my filter which extracts the header information
and started to use the Return-Path as the sender for spfquery.

In my setup I found, when the Return-Path is spoofed, it appears
to break the SPF check and consistently produces a FAIL.

Also because my mailer is behind a mailwall, I don't get the original
helo/ehlo by the time the filter gets to the mail, so I found it necessary
to provide the required -helo command with the properly formatted
ip of the sender (bypassing the localhost or bobsmachine type
of helo/ehlo). 

So far spfquery has been operating as I expect it to.

I did modify spfquery somewhat to use the $passfail response
supplemented by the $guess response.

I currently return:
0 - pass
1 - neutral
2 - none
3 - error
4 - error
5 - softfail
6 - fail

Since the $guess response seems to produce pass, neutral,
I chose to reduce the $passfail score by 1 if the $guess is a pass.

(a fail/neutral still fails, a fail/pass drops to softfail, a pass/pass
remains 0)

I did this because I have a bunch of domains where the owners
send mail using their domain name but send via their cable provider
and I didn't want their mail failing by creating an spf record on our
DNS.

I add headers X-SPF... for the spfquery args and the score returned
which gets processed by a third filter with rules looking for the new
headers.

So far it appears to work and I am still testing.


Regards
Greg Cirino
___________________________________
Cirelle Enterprises Inc.
603-425-2221
www.cirelle.com Website Design
www.cirelle.net ProSpeed High Speed Dial-up - 5 Times Faster
www.cedata.com Web, FTP, Email Hosting Services
www.mlsbot.com MLS IDX Services

When You Want It Done Well, Just Call Cirelle
It's not just a Rhyme... There's a Reason!
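
The Return-Path extraction and the $passfail/$guess score adjustment described in the message above, as an added Python example (not part of the original post and not the poster's filter). Function names and the sample message are constructed, and the two spfquery results are passed in as strings instead of being obtained by running spfquery.

```python
from email import message_from_string
from email.utils import parseaddr

# Score table as listed in the post (3 and 4 are both "error" there).
SCORES = {"pass": 0, "neutral": 1, "none": 2, "error": 3, "softfail": 5, "fail": 6}
LABELS = {0: "pass", 1: "neutral", 2: "none", 3: "error", 4: "error",
          5: "softfail", 6: "fail"}

# Constructed sample: the envelope sender and the From: header differ.
SAMPLE = (
    "Return-Path: <bounce@example.org>\n"
    "From: Someone Else <someone@example.net>\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

def envelope_sender(raw_message):
    """Return the address in the first Return-Path header, or None."""
    value = message_from_string(raw_message).get("Return-Path")
    if value is None or value.strip() == "<>":  # absent, or a null (bounce) sender
        return None
    return parseaddr(value)[1] or None

def combined_score(passfail, guess):
    """Lower the $passfail score by 1 when $guess is a pass, never below 0."""
    score = SCORES[passfail]
    if guess == "pass":
        score = max(0, score - 1)  # pass/pass remains 0
    return score

def guess_pass_table():
    """Label that each $passfail result ends up with when $guess is a pass."""
    return {result: LABELS[combined_score(result, "pass")] for result in SCORES}

if __name__ == "__main__":
    print("sender for the SPF query:", envelope_sender(SAMPLE))
    for result, label in guess_pass_table().items():
        print(f"{result}/pass -> {label}")
```

With the table as listed, a softfail paired with a pass guess lands on 4, which the table labels error, so a downstream rule keyed on the numeric score should account for that.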


