spf-discuss

'explain' etiquette, or is this a security concern?

2004-04-20 06:15:21
smtpd-policy.pl-1.04 produced the following log entries:

,----[ identities on the logging system obfuscated ]
Apr 19 02:08:38 xxxx postfix/policy-spf[28379]: : SPF fail:
  smtp_comment=This site uses SPF to help reduce email forgery; see
  http://spf.pobox.com, header_comment=xxxx: domain of
  Jorssen(_at_)chepelov(_dot_)org does not designate 66.47.207.236 as permitted
  sender

Apr 19 02:08:38 xxxx postfix/policy-spf[28379]: handler
  sender_permitted_from: REJECT This site uses SPF to help reduce email
  forgery; see http://spf.pobox.com

Apr 19 02:08:38 xxxx postfix/policy-spf[28379]: handler
  sender_permitted_from: REJECT This site uses SPF to help reduce email
  forgery; see http://spf.pobox.com is decisive.

Apr 19 02:08:38 xxxx postfix/policy-spf[28379]: decided action=REJECT
  This site uses SPF to help reduce email forgery; see
  http://spf.pobox.com

Apr 19 02:08:38 xxxx postfix/smtpd[28372]: NOQUEUE: reject: RCPT from
  user-112vjvc.biz.mindspring.com[66.47.207.236]: 554
  <user(_at_)example(_dot_)com>: Recipient address rejected: This site uses SPF
  to help reduce email forgery; see http://spf.pobox.com;
  from=<Jorssen(_at_)chepelov(_dot_)org> to=<user(_at_)example(_dot_)com>
  proto=SMTP helo=<aar.alcatel-alsthom.fr>
`----

The SPF record was presumably something like the following:

,----[ dig +short chepelov.org. txt ]
"v=spf1 ptr ip6:2001:7a8:29d4:/48 -all exp=explain._spf.%{d}"
`----

Since the SMTP response was, I believe, merely (ending at the first
semicolon in the NOQUEUE log entry):

        554 <user(_at_)example(_dot_)com>: Recipient address rejected: This site
        uses SPF to help reduce email forgery

It seems with the ambiguous "This site" that chepelov.org feels a need
to put words in the mouth of example.com.  What might we be caused to
be saying next?

More generally, do we really want to make a SMTP reply containing text
from a source not under our control?  This could contain malicious or
slanderous material and thereby become a security concern.

        jam
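
One way a receiver could handle the concern raised in this post, as an added example that is not part of the original message or of smtpd-policy.pl: treat the `exp=` text as untrusted input, reduce it to single-line printable ASCII, cap its length, and attribute it to the publishing domain so it no longer reads as the receiving site's own words. The function names, the length cap, the local wording and the hostile sample value are assumptions.

```python
import re
from typing import Optional

MAX_EXPLANATION = 200  # assumed cap on third-party text
LOCAL_DEFAULT = "SPF check failed for the envelope sender"  # receiver's own words

# Constructed samples: the text logged in the post, and a hostile multi-line value.
PAGE_EXP = "This site uses SPF to help reduce email forgery; see http://spf.pobox.com"
HOSTILE_EXP = 'first "line"\r\n\r\naction=OK'


def printable_ascii(text: str) -> str:
    """Keep printable US-ASCII; CR, LF and other characters become single spaces."""
    cleaned = "".join(ch if 0x20 <= ord(ch) <= 0x7E else " " for ch in text)
    return re.sub(r" {2,}", " ", cleaned).strip()


def reject_text(sender_domain: str, explanation: Optional[str]) -> str:
    """REJECT text that attributes any exp= string to the publishing domain."""
    # The envelope domain is untrusted too: keep hostname characters only.
    domain = re.sub(r"[^A-Za-z0-9.-]", "", sender_domain)[:253]
    # Swap double quotes so the text cannot close the quoting added below.
    exp = printable_ascii(explanation or "").replace('"', "'")
    if not exp or not domain:
        return LOCAL_DEFAULT
    if len(exp) > MAX_EXPLANATION:
        exp = exp[:MAX_EXPLANATION].rstrip() + " [truncated]"
    return f'{LOCAL_DEFAULT}. {domain} explains: "{exp}"'


def policy_response(sender_domain: str, explanation: Optional[str]) -> str:
    """Postfix policy-delegation reply: one action= line, then an empty line."""
    return f"action=REJECT {reject_text(sender_domain, explanation)}\n\n"


if __name__ == "__main__":
    print(policy_response("chepelov.org", PAGE_EXP), end="")
    print(policy_response("chepelov.org", HOSTILE_EXP), end="")
```

Removing CR and LF matters twice here: the policy reply is newline-delimited, and the text is later copied into the SMTP response line.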