-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of David
Sent: April 13, 2004 3:00 PM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] first spf-enabled spam
Hi !!
As someone who runs a couple of mailservers (which I'm sure makes me
an average subscriber to this list), receiving a mail with an SPF pass
lets me relax my spam checking, reducing the chance I'll get a false
positive.

That's what we were doing, but we realized that there are
people publishing SPF records that allow an entire hackable
dsl/cable zone to send mail from a given domain, regardless
of the real existence of a real mailer on such computers.

And if said cable ISP allows only their own servers in the SPF record, then
someone can hack those DSL/cable computers, and then connect from there to
the ISP's SMTP server and still spoof the cable ISP's domain. No way to
avoid that unless the ISP requires SMTP AUTH (which is rare), and even then,
a clever hacker could probably obtain the hacked person's login info
somehow...
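
A receiver-side check for the concern raised in this thread, as an added example that is not part of the original messages: before relaxing spam checks on an SPF pass, measure how many IPv4 addresses the sender's record authorizes. The sample records, the MAX_IP4 threshold and the function names are assumptions made for illustration; only pass-qualified ip4 and all terms are evaluated, and terms that need DNS or are otherwise skipped are reported back.

```python
import ipaddress

MAX_IP4 = 4096  # assumed threshold for "narrow enough"; tune to your mail flow

# Constructed sample records using reserved example domains and address ranges.
SAMPLES = {
    "tight.example": "v=spf1 ip4:192.0.2.10 ip4:192.0.2.0/28 -all",
    "broad.example": "v=spf1 ip4:10.0.0.0/8 mx -all",
    "open.example": "v=spf1 +all",
}


def spf_breadth(record):
    """Return (ip4_count, pass_all, unevaluated) for an SPF record's terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    nets, pass_all, unevaluated = [], False, []
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?")
        name, _, arg = body.partition(":")
        name = name.split("/")[0].lower()
        if "=" in name:  # modifier: redirect= changes the result, exp= does not
            if name.startswith("redirect="):
                unevaluated.append(body)
            continue
        if qualifier != "+":
            continue  # fail, softfail and neutral terms never produce a pass
        if name == "all":
            pass_all = True
        elif name == "ip4":
            nets.append(ipaddress.ip_network(arg, strict=False))
        else:
            unevaluated.append(body)  # a, mx, include, ip6, exists, ptr
    # Collapse overlapping ranges so an address is not counted twice.
    count = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return count, pass_all, unevaluated


def relax_on_pass(record):
    """True only when a pass from this record is narrow and fully evaluated."""
    count, pass_all, unevaluated = spf_breadth(record)
    return not pass_all and not unevaluated and count <= MAX_IP4


if __name__ == "__main__":
    for domain, rec in SAMPLES.items():
        print(domain, spf_breadth(rec), "relax:", relax_on_pass(rec))
```

This measures only how wide the authorization is; it does not address the second case in the thread, where a compromised customer machine relays through the ISP's own authorized SMTP server.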