Hello,
Daniel Gueniche wrote:
> Our domain is grenoble.cnrs.fr (147.173.x.x) and we wish to secure our
> mail exchanges.
> So for testing purposes, the following TXT record was added on our DNS:
> grenoble.cnrs.fr IN TXT "v=spf1 a -all"
> Here are 2 logs we have when making tests:
> --- start 1st log ---
> ...
> --- start 2nd log ---
> From john.smith@some.domain.org Tue Jul 27 17:52:19 2004
> Return-Path: <john.smith@some.domain.org>
> Received: from vigie (reflector.grenoble.cnrs.fr [147.173.3.39])
>         by vigie.grenoble.cnrs.fr (8.12.11/jtpda-5.4) with SMTP id i6RFpnDH025114
>         for <gueniche@vigie.grenoble.cnrs.fr>; Tue, 27 Jul 2004 17:52:14 +0200
> Date: Tue, 27 Jul 2004 17:51:49 +0200
> From: john.smith@some.domain.org
> Message-Id: <200407271552.i6RFpnDH025114@vigie.grenoble.cnrs.fr>
> Subject: Natural weight loss product
> Received-SPF: none (vigie.grenoble.cnrs.fr: domain of john.smith@some.domain.org does not designate permitted sender hosts)
> --- end 2nd log ---
> Here is the log of an e-mail (SPAM) we've made (forged) from a Linux box named
> reflector.grenoble.cnrs.fr (147.173.3.39). This mail pretends to come from
> john.smith@some.domain.org.
> For me this seems to be bad because a mail from a non-existing domain is
> always accepted (because there is no TXT record). So, the real
> "john.smith@some.domain.org" will be insulted by automatic anti-spam software.
The solution for this is (a) not to accept mail from domains with no A/AAAA/MX
records (i.e. domains not valid for mail - most MTAs do this correctly "out of
the box"), and (b) for domains that *do* exist to publish SPF records.
john.smith@some.domain.org will only be insulted by anti-spam software if (a)
some.domain.org is a domain that actually exists, (b) john.smith is a valid
user at that domain, and (c) the anti-spam software is sufficiently broken to
bounce the message instead of rejecting it during the SMTP dialogue.
> Since SPF has seen that the e-mail was sent from 147.173.3.39, it can deduce
> from a reverse DNS request that this address belongs to grenoble.cnrs.fr and
> thus whether it's one of the authorized senders for this domain.
No, your SPF record uses the "A" mechanism, which is nothing to do with
reverse DNS. The authorised senders for your domain are the IP addresses
returned by doing a forward DNS lookup of grenoble.cnrs.fr (i.e. 147.173.1.26).
> By asking the spoofed domain of the fake e-mail address we pretend to be
> coming from, SPF realizes good domain anti-spoofing, but I think that SPF
> could do more by ALSO relying on the SMTP sender IP address. Then:
> . forged mail will be rejected -> fewer spams received
> . john.smith will not be insulted -> we don't participate in the effects of
>   forged mails
> Could SPF propose this option?
> What do you think of that idea?
I don't understand what you are proposing. Could you give an example?
Paul.
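To illustrate the two points made in this reply (that the "a" mechanism is a forward lookup of the sending domain, not reverse DNS of the client IP, and that a MAIL FROM domain with no A/AAAA/MX record is not valid for mail at all), here is a small SPF checker written for this page. It is example code, not code from either correspondent or from any SPF implementation. It replaces live DNS with a constructed, hard-coded table built from the names and addresses quoted in the thread (plus the constructed domains example.net and nonexistent.example), and it implements only the a, mx, ip4/ip6 and all mechanisms; macros, include, redirect and CIDR suffixes on a/mx are left out.

```python
import ipaddress

# Constructed stand-in for DNS, using the names and addresses quoted in
# the thread. A real checker would query a resolver instead.
DNS = {
    "grenoble.cnrs.fr": {"A": ["147.173.1.26"], "TXT": ["v=spf1 a -all"]},
    "reflector.grenoble.cnrs.fr": {"A": ["147.173.3.39"]},
    # Constructed: exists and is mailable, but publishes no SPF record.
    "some.domain.org": {"MX": ["mail.some.domain.org"]},
    "mail.some.domain.org": {"A": ["192.0.2.25"]},
    # Constructed: a domain that authorises senders by IP range instead.
    "example.net": {"A": ["198.51.100.5"],
                    "TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},
    # "nonexistent.example" deliberately has no records at all.
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Forward DNS lookup against the constructed table."""
    return DNS.get(name.lower().rstrip("."), {}).get(rtype, [])


def is_mailable_domain(domain):
    """Point (a) of the reply: a MAIL FROM domain with no A/AAAA/MX record
    is not valid for mail, and an MTA can reject it before consulting SPF."""
    return any(lookup(domain, t) for t in ("A", "AAAA", "MX"))


def spf_record(domain):
    """Return the domain's single v=spf1 TXT record, or None if it has none."""
    recs = [t for t in lookup(domain, "TXT")
            if t.split(" ", 1)[0].lower() == "v=spf1"]
    return recs[0] if len(recs) == 1 else None


def host_addresses(name):
    """All A/AAAA addresses of a host name, as ip_address objects."""
    return {ipaddress.ip_address(a)
            for t in ("A", "AAAA") for a in lookup(name, t)}


def check_host(client_ip, domain):
    """Evaluate the SPF record of `domain` for the SMTP client `client_ip`."""
    record = spf_record(domain)
    if record is None:
        return "none"            # no record: the case of the 2nd log
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "a":
            # Forward lookup of the domain (or of arg), NOT reverse DNS of
            # the client IP: the point Paul makes about the "a" mechanism.
            matched = ip in host_addresses(arg or domain)
        elif mech == "mx":
            matched = any(ip in host_addresses(mx)
                          for mx in lookup(arg or domain, "MX"))
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"   # unsupported mechanism in this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"             # no mechanism matched


def received_spf_header(client_ip, helo_host, mail_from):
    """Build a Received-SPF line in the shape of the one in the 2nd log."""
    domain = mail_from.rpartition("@")[2]
    result = check_host(client_ip, domain)
    explanation = {
        "pass": f"domain of {mail_from} designates {client_ip} as permitted sender",
        "fail": f"domain of {mail_from} does not designate {client_ip} as permitted sender",
        "none": f"domain of {mail_from} does not designate permitted sender hosts",
    }.get(result, result)
    return f"Received-SPF: {result} ({helo_host}: {explanation})"


if __name__ == "__main__":
    # Mail claiming grenoble.cnrs.fr passes only from 147.173.1.26; the
    # reflector host (147.173.3.39) is in the same network but is not listed.
    for ip in ("147.173.1.26", "147.173.3.39"):
        print(received_spf_header(ip, "vigie.grenoble.cnrs.fr",
                                  "postmaster@grenoble.cnrs.fr"))
    # Daniel's forged message: some.domain.org publishes no record -> "none".
    print(received_spf_header("147.173.3.39", "vigie.grenoble.cnrs.fr",
                              "john.smith@some.domain.org"))
    print("nonexistent.example mailable:", is_mailable_domain("nonexistent.example"))
```

Running it reproduces the "none" line from the second log for some.domain.org, a "pass" for 147.173.1.26 and a "fail" for the reflector address under the "v=spf1 a -all" record, which is why the reverse-DNS reasoning in the question does not apply: the record names the domain's own forward address, and any other host in 147.173.x.x is rejected by "-all".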