
Re: first spf-enabled spam

2004-04-12 18:19:23
David (david(_at_)ols(_dot_)es) wrote:

this is not a matter of interfering with the user's connectivity, they are
just saying that any of their users could forge the ISP's own domain email
addresses, in fact, any zombie or hacked computer in their cable zone
would be able to forge the ISP staff addresses without any problem and
these forgeries will be trusted by other ISPs using SPF, a totally *BIG*
security hole.

I disagree.

Before SPF, someone in Libya or Singapore could forge blueyonder e-mail
addresses in both MAIL FROM and From: with impunity.

With SPF, only blueyonder customers can forge the MAIL FROM.  Of course,
anyone can still forge the From:.

This is an improvement.  Not a huge one, granted, but it's certainly *not*
a "totally *BIG* security hole".

Remember, there are other tools out there besides SPF.  They're meant to
be used together.  Just because a message passes the SPF check doesn't
automatically mean it's a Message From God That You Have To Read.

-- 
Greg Wooledge                  |   "Truth belongs to everybody."
greg(_at_)wooledge(_dot_)org              |    - The Red Hot Chili Peppers
http://wooledge.org/~greg/     |
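As an added illustration (not part of this thread, and not a full RFC-grade SPF implementation), a minimal SPF-style check that demonstrates the point above: the envelope MAIL FROM is judged against the connecting IP, so a far-away host fails while a host inside the ISP's published range passes, and the From: header is never examined at all. The domain, address ranges and SPF record are constructed placeholders, not blueyonder's real data.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups. The domain and
# the address range are placeholders, not the real blueyonder data.
SPF_RECORDS = {
    "isp.example": "v=spf1 ip4:203.0.113.0/24 -all",
}

def check_spf(client_ip, mail_from, records=SPF_RECORDS):
    """Tiny SPF evaluator: understands ip4: mechanisms and -all / ~all only.

    Returns one of "none", "pass", "fail", "softfail", "neutral".
    Only the envelope sender (MAIL FROM) is consulted; a From: header
    is never passed in, because SPF does not cover it.
    """
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return "pass"
        elif term == "-all":
            return "fail"
        elif term == "~all":
            return "softfail"
    return "neutral"

def spf_scenarios():
    """The cases discussed in the thread, using the constructed record above."""
    staff = "staff@isp.example"
    return {
        # A host outside the ISP's range puts the ISP's domain in MAIL FROM:
        # the -all mechanism rejects it.
        "remote_forgery": check_spf("198.51.100.7", staff),
        # A host inside the ISP's published range (a customer, or a
        # compromised customer machine) passes, as Greg's reply says.
        "inside_isp_range": check_spf("203.0.113.42", staff),
        # Envelope sender on an unrelated domain that publishes no record:
        # whatever the From: header claims, SPF only sees this domain.
        "unrelated_envelope_domain": check_spf("198.51.100.7", "bulk@other.example"),
    }
```

The "none" result for the last case is the gap the reply points at: a forged From: header behind an honest or unchecked envelope domain is outside SPF's reach, which is why it is meant to be combined with other tools.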