spf-discuss

Another approach for SPF

2004-08-03 03:38:14
Hello,

Our domain is grenoble.cnrs.fr (147.173.x.x) and we wish to secure our mail exchanges.
So for testing purposes, the following TXT record was added to our DNS:
grenoble.cnrs.fr IN TXT "v=spf1 a -all"

Here are 2 logs we got when running tests:

--- start 1st log ---

>From root(_at_)grenoble(_dot_)cnrs(_dot_)fr  Tue Jul 27 17:47:25 2004
Return-Path: <root(_at_)grenoble(_dot_)cnrs(_dot_)fr>
Received: from labs.grenoble.cnrs.fr (labs.grenoble.cnrs.fr [147.173.1.26])
          by vigie.grenoble.cnrs.fr (8.12.11/jtpda-5.4) with ESMTP id
i6RFlPfe024948
for <gueniche(_at_)vigie(_dot_)grenoble(_dot_)cnrs(_dot_)fr>; Tue, 27 Jul 2004 17:47:25 +0200
Received: (from root(_at_)localhost)
       by labs.grenoble.cnrs.fr (8.12.10/8.12.5/Submit) id i6RFlXxR026713
       for gueniche(_at_)vigie(_dot_)grenoble(_dot_)cnrs(_dot_)fr; Tue, 27 Jul 
2004 17:47:33 +0200
Date: Tue, 27 Jul 2004 17:47:33 +0200
From: root <root(_at_)grenoble(_dot_)cnrs(_dot_)fr>
Message-Id: 
<200407271547(_dot_)i6RFlXxR026713(_at_)labs(_dot_)grenoble(_dot_)cnrs(_dot_)fr>
To: gueniche(_at_)vigie(_dot_)grenoble(_dot_)cnrs(_dot_)fr
Subject: test from labs machine
Received-SPF: pass (vigie.grenoble.cnrs.fr: domain of 
root(_at_)grenoble(_dot_)cnrs(_dot_)fr
designates 147.173.1.26 as permitted sender)

--- end 1st log ---

'vigie.grenoble.cnrs.fr' (147.173.3.28) is a Linux machine acting (for the test) as a
mail server (running sendmail + SPF).
'labs.grenoble.cnrs.fr' (147.173.3.26) is the only host authorised to send mail.

OK, here all is right:
-> 'Received-SPF' was added to the mail header; the result is 'pass' as the e-mail was sent from
  147.173.1.26
=> grenoble.cnrs.fr is protected against spoofing

--- start 2nd log ---

>From john(_dot_)smith(_at_)some(_dot_)domain(_dot_)org  Tue Jul 27 17:52:19 
2004
Return-Path: <john(_dot_)smith(_at_)some(_dot_)domain(_dot_)org>
Received: from vigie (reflector.grenoble.cnrs.fr [147.173.3.39])
by vigie.grenoble.cnrs.fr (8.12.11/jtpda-5.4) with SMTP id i6RFpnDH025114 for <gueniche(_at_)vigie(_dot_)grenoble(_dot_)cnrs(_dot_)fr>; Tue, 27 Jul 2004 17:52:14 +0200
Date: Tue, 27 Jul 2004 17:51:49 +0200
From: john(_dot_)smith(_at_)some(_dot_)domain(_dot_)org
Message-Id: 
<200407271552(_dot_)i6RFpnDH025114(_at_)vigie(_dot_)grenoble(_dot_)cnrs(_dot_)fr>
Subject: Natural weight loss product
Received-SPF: none (vigie.grenoble.cnrs.fr: domain of john(_dot_)smith(_at_)some(_dot_)domain(_dot_)org does not designate permitted sender hosts)

--- end 2nd log ---

Here is the log of an e-mail (SPAM) we've made (forged) from a linux box, named
reflector.grenoble.cnrs.fr (147.173.3.39). This mail pretends to come from
john(_dot_)smith(_at_)some(_dot_)domain(_dot_)org(_dot_)

For me this seems to be bad because a mail from a non-existing domain is always accepted (because there is no TXT record). So, the real "john(_dot_)smith(_at_)some(_dot_)domain(_dot_)org" will be insulted by automatic anti-spam software.

Since SPF has seen that the e-mail was sent from 147.173.3.39, it can deduce from a reverse DNS request that this address belongs to grenoble.cnrs.fr and thus whether it is one of the authorized senders for this domain.

By querying the spoofed domain of the fake e-mail address we pretend to come from, SPF achieves good domain anti-spoofing, but I think that SPF could do more by ALSO relying on the SMTP sender IP address. Then:
.forged mail will be rejected -> less spam received
.john.smith will not be insulted -> we don't participate in the effects of forged mail

Could SPF propose this option?
What do you think of that idea?

Thanks in advance and regards,
daniel
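
The two results in the logs and the extra check proposed in this message can be reproduced offline with the sketch below, which is an added example and not code from the post or from any SPF implementation. It assumes a constructed DNS table (the A record for grenoble.cnrs.fr is inferred from the "pass" log), supports only the `a`, `ip4` and `all` mechanisms, and uses hypothetical helper names.

```python
import ipaddress

# Constructed DNS data so the example runs offline; names and IPs are those in the post.
TXT = {"grenoble.cnrs.fr": "v=spf1 a -all"}
A = {"grenoble.cnrs.fr": ["147.173.1.26"]}  # assumed A record, consistent with the "pass" log
PTR = {"147.173.1.26": "labs.grenoble.cnrs.fr", "147.173.3.39": "reflector.grenoble.cnrs.fr"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain, client_ip):
    """Evaluate a subset of SPF (a, ip4, all) for `domain` against `client_ip`."""
    record = TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"  # no policy published: the situation in the 2nd log
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "a":
            matched = client_ip in A.get(arg or domain, [])
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            continue  # simplification: mechanisms outside the subset are ignored
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"

def ptr_policy_domain(client_ip):
    """Hypothetical helper: walk up the PTR name until a domain publishing SPF is found.
    A real deployment must forward-confirm the PTR name before trusting it."""
    labels = PTR.get(client_ip, "").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in TXT:
            return candidate
    return None

def check_with_client_ip(mail_from_domain, client_ip):
    """Envelope-domain check first; on "none", apply the check proposed in the post."""
    result = spf_check(mail_from_domain, client_ip)
    if result != "none":
        return result, mail_from_domain
    home = ptr_policy_domain(client_ip)
    return (spf_check(home, client_ip), home) if home else ("none", None)
```

With this constructed data, the forged message from 147.173.3.39 goes from "none" under the envelope-domain check to "fail" against the grenoble.cnrs.fr policy.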


