
Re: SPF is not usable as legal measure against spammers.

2004-07-14 09:48:54
That is correct but in order to relay through our server the other domain
must pass our test as a closed secure mta and smtp authentication both their
users and the mta.

The only hack is then one of the hacker getting access to the user's email
address and password and spamming that way. But a good mta will restrict the
number of messages per unit time from an individual user and thus make it
impracticable to spam.



----- Original Message ----- 
From: "Paul Howarth" <paul(_at_)city-fan(_dot_)org>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Wednesday, July 14, 2004 12:35 PM
Subject: Re: [spf-discuss] SPF is not usable as legal measure against spammers.


John Keown wrote:
That is why and where smtp authentication comes into play. With smtp
authentication the hijacker cannot authenticate and therefore cannot send
from example.com return address.

That depends on the nature of the vulnerability exploited by the spammer.

For instance, consider http://dsbl.org/message?17970980

In this example, a Yahoo! customer set up a mail server (Proxy+) on his/her
own machine, which was configured to connect to Yahoo!'s SMTP mail relays,
authenticate to that relay as the customer and then relay out the mail.
Unfortunately the Yahoo! customer did not secure their own mail server, so
they became the input point of a two-stage open relay. That got the Yahoo!
mail server listed on dsbl.org's multihop relay list, and in fact it is still
listed there today.

Now in this case a look at the headers shows fairly clearly what happened, so
the blame clearly lies with the Yahoo! customer and not with Yahoo!
themselves, nor with any other example.com that might also be trying to relay
mail through the Yahoo! mail servers. However, someone not familiar with
reading headers might blame the purported sender, particularly if the SPF
check passed. And it's quite conceivable that other systems might not log
quite as much useful information in the headers to show what had happened.

Regards, Paul.

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Send us money!  http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your
subscription, please go to
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
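Worked example, added here and not written by either poster: a small Python script that walks a constructed Received: chain modelling the two-stage relay Paul describes, evaluates a constructed SPF-style policy against each hop, and flags the innermost hop that accepted the message without SMTP AUTH. Every hostname, address (RFC 5737 documentation ranges) and the policy itself are placeholders, not data from dsbl.org or any real provider.

```python
"""Trace a Received: chain to find where a message really entered the mail system."""
import re
from ipaddress import ip_address, ip_network

# Constructed sample headers, outermost (recipient's MX) first. They model the case in
# the thread: an unknown host injects mail into an unsecured customer relay (Proxy+),
# which then authenticates (ESMTPA) to the provider's relay, which delivers to the MX.
SAMPLE_HEADERS = [
    "Received: from smtp7.provider.example ([192.0.2.7]) by mx.recipient.example "
    "with ESMTP id 0001; Wed, 14 Jul 2004 12:00:03 +0100",
    "Received: from customer-box.example.net ([198.51.100.23]) by smtp7.provider.example "
    "with ESMTPA id 0002; Wed, 14 Jul 2004 12:00:01 +0100",
    "Received: from unknown ([203.0.113.99]) by customer-box.example.net (Proxy+) "
    "with SMTP; Wed, 14 Jul 2004 11:59:58 +0100",
]

# Constructed SPF-style policy for the purported sender domain: only the provider relay.
SPF_AUTHORISED = {"example.com": [ip_network("192.0.2.0/24")]}


def parse_received(line):
    """Extract sending host, its IP, the receiving host and whether SMTP AUTH was used.
    RFC 3848 'with' keywords ending in A (ESMTPA, ESMTPSA) mark an authenticated hop."""
    host = re.search(r"\bfrom\s+(\S+)", line).group(1)
    ip = re.search(r"\[([\d.]+)\]", line)
    by = re.search(r"\bby\s+(\S+)", line).group(1)
    proto = re.search(r"\bwith\s+(\w+)", line)
    return {"from": host, "ip": ip.group(1) if ip else None, "by": by,
            "authenticated": bool(proto and proto.group(1).upper().endswith("A"))}


def spf_pass(domain, ip):
    """True if ip is authorised by the (constructed) policy for domain."""
    return any(ip_address(ip) in net for net in SPF_AUTHORISED.get(domain, []))


def trace(headers, sender_domain):
    """Parse every hop and annotate it with the SPF result for the sender domain."""
    hops = [parse_received(h) for h in headers]
    for hop in hops:
        hop["spf_pass"] = bool(hop["ip"]) and spf_pass(sender_domain, hop["ip"])
    return hops


def injection_point(hops):
    """Innermost hop that accepted the message without SMTP AUTH: where abuse entered."""
    for hop in reversed(hops):
        if not hop["authenticated"]:
            return hop
    return None


if __name__ == "__main__":
    chain = trace(SAMPLE_HEADERS, "example.com")
    for hop in chain:
        print(f"{hop['ip']:>15} -> {hop['by']:<28} auth={hop['authenticated']} "
              f"spf={hop['spf_pass']}")
    print("entered via unauthenticated SMTP at:", injection_point(chain)["by"])
```

The outermost hop passes the policy check while the innermost hop, the one that actually accepted the spam, is an unauthenticated connection to the customer's box; only the full chain, not the SPF result alone, tells you where the blame lies.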


