spf-discuss

RE: Sender forwarding

2004-04-21 16:33:26
From: Stuart D. Gathman
Sent: Wednesday, April 21, 2004 5:53 PM


I have heard it stated several times on this list that legitimate
forwarding is set up by the receiver - and therefore the receiver should
be able to whitelist the forwarder.  I have just run into an SPF false
positive where the sender initiated forwarding.

<...>

What we would like is for the hospital mail service to implement SRS, and
forward any bounces to the original from address.  The bounce came from
postmaster(_at_)chi-hasco-001(_dot_)frymulti(_dot_)com if anyone wants to try
some evangelism.

That would work, but it defeats the goal of SPF that the envelope-from is
accurate.  If the hospital implements SRS and creates an SRS return-path
that embeds the senders home email address, they are making an assertion
that they cannot really make.  Rewriting a return-path into SRS format
asserts that a domain is forwarding a message upon which they did SRS checks
when they received it, therefore, they assert the original return-path was
valid.  Since the hospital is not forwarding a message and is trusting that
the user gives them an email address that they have the right to use, the
hospital is taking responsibility for a foreign address in the return-path
that they can't verify.  SRS signing an outgoing message with a local
return-path, on the other hand, is fine because the local MSA presumably
authenticated you.

While parents of newborns are very unlikely to lie about their email
address, it does point to another general problem with SPF+SRS:  it can't
properly verify users wishing to claim foreign From: and return-path
addresses.  Sorry for the SES evangelism, but I will point out that SES can
handle this case gracefully.  The user would have to enter their hash secret
(home domain password) along with their email address.  The application at
the hospital would create an SES signed return path and the hospital MSA
would do a CBV to the user's home domain MX to verify that the user has
rights to claim that From: address and return-path.  If it passes, the
hospital MSA can _then_ rewrite the message as if it were forwarding.  Since
the user's domain MX vouched for the user's right to use that return-path,
they have assurance they are embedding an email address that the user has
the right to use in the return-path.  This accomplishes what you originally
wanted without the possibility of the hospital unknowingly committing
forgery.

--

Seth Goodman
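The flow Seth sketches, as an added example that is not code from this thread or from any SES implementation: the application at the hospital signs a return path with the user's home-domain secret, and the home domain's MX checks that signature (and its age) during the callback before vouching for the address. The tag layout `SES=<tag>=<day>=<user>@domain`, the day-based expiry and the sample secret are assumptions made for this illustration, not the real SES wire format.

```python
import hmac
import hashlib
import base64

# Constructed illustration: tag layout and expiry rule are assumptions
# for this example, not the SES specification.
TAG_LEN = 8


def _tag(secret: bytes, day: int, local_part: str) -> str:
    """Short HMAC-SHA1 tag binding the day and the claimed local part."""
    mac = hmac.new(secret, f"{day}:{local_part}".encode(), hashlib.sha1).digest()
    return base64.b32encode(mac).decode()[:TAG_LEN]


def sign_return_path(local_part: str, domain: str, secret: bytes, day: int) -> str:
    """What the hospital application builds once the user has supplied
    their home address and home-domain secret."""
    return f"SES={_tag(secret, day, local_part)}={day}={local_part}@{domain}"


def verify_return_path(address: str, home_domain: str, secret: bytes,
                       today: int, max_age_days: int = 7) -> bool:
    """What the home domain's MX runs during the callback: is this a
    valid, unexpired signed return path for one of our users?"""
    local, sep, domain = address.rpartition("@")
    if not sep or domain.lower() != home_domain.lower():
        return False  # not our domain, nothing to vouch for
    parts = local.split("=", 3)
    if len(parts) != 4 or parts[0] != "SES":
        return False  # plain or malformed local part: no signature to check
    _, tag, day_str, user = parts
    if not day_str.isdigit():
        return False
    day = int(day_str)
    if day > today or today - day > max_age_days:
        return False  # future-dated or expired tag
    # Constant-time comparison so the MX does not leak tag bytes by timing.
    return hmac.compare_digest(tag, _tag(secret, day, user))
```

A forged address that merely names a user at the home domain, a tag made with the wrong secret, or a tag whose user part was altered after signing all fail the check, which is exactly the assurance the hospital MSA wants before rewriting the message as a forward.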

