spf-discuss

Re: an other approach for SPF

2004-08-03 05:02:27
On Tue, 3 Aug 2004, Paul Howarth wrote:

> > By asking the spoofed domain of the fake e-mail address we pretend coming
> > from, SPF realizes a good domain anti-spoofing, but I think that SPF do
> > more by ALSO relying on SMTP sender IP address. Then:
> >
> > - mail forged will be rejected -> less spams received
> > - john.smith will not be insulted -> we don't participate to effects of
> >   forged mails
> >
> > Could SPF propose this option?
> > What do you think of that idea?
>
> I don't understand what you are proposing. Could you give an example?

He is proposing, in the absence of an SPF record for MAIL FROM, that
the SPF record for the largest parent domain of the PTR CNAME with
SPF be applied.

There are several problems with this, but let me suggest that the "best
guess" solution works better.  That is, when there is no SPF record
for a domain, pretend that it has "v=spf1 a/24 mx/24 ptr ?all".

I also recommend having SPF checkers that you control consult a local
DNS database of surrogate SPF records.  This allows you to whitelist/blacklist
domains with great flexibility as the need arises.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
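
The "best guess" fallback and local surrogate table described in the message above, as an added example that is not part of the original post or any SPF implementation. The DNS data, the surrogate table, the function names and the lookup order (surrogate first, then published record, then best guess) are assumptions; only the a, mx, ptr and all mechanisms used by the quoted record are handled, for IPv4.

```python
import ipaddress

BEST_GUESS = "v=spf1 a/24 mx/24 ptr ?all"  # default record quoted in the message
# Constructed sample data standing in for DNS and for the local surrogate table.
DNS = {
    "txt": {"published.example": "v=spf1 a -all"},
    "a": {"published.example": ["192.0.2.10"],
          "legacy.example": ["198.51.100.5"],
          "mail.legacy.example": ["203.0.113.77"],
          "host50.legacy.example": ["192.0.2.50"]},
    "mx": {"legacy.example": ["mail.legacy.example"]},
    "ptr": {"192.0.2.50": ["host50.legacy.example"]},
}
SURROGATE = {"blocked.example": "v=spf1 -all"}  # local blacklist entry
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def select_record(domain):
    # Assumed order: local surrogate, then published record, then best guess.
    if domain in SURROGATE:
        return SURROGATE[domain], "surrogate"
    if domain in DNS["txt"]:
        return DNS["txt"][domain], "published"
    return BEST_GUESS, "best-guess"

def _in_net(ip, addrs, prefix):
    ip = ipaddress.ip_address(ip)
    return any(ip in ipaddress.ip_network(f"{a}/{prefix}", strict=False) for a in addrs)

def _ptr_match(ip, domain):
    # Validated PTR: name must be under the domain and resolve back to the IP.
    return any((n == domain or n.endswith("." + domain)) and ip in DNS["a"].get(n, [])
               for n in DNS["ptr"].get(ip, []))

def check(ip, domain):
    """Return (spf_result, record_source) for a connecting IP and MAIL FROM domain."""
    record, source = select_record(domain)
    for term in record.split()[1:]:
        qual = term[0] if term[0] in RESULTS else "+"
        mech, _, prefix = term.lstrip("+-~?").partition("/")
        hit = mech == "all"
        if mech == "a":
            hit = _in_net(ip, DNS["a"].get(domain, []), prefix or "32")
        elif mech == "mx":
            addrs = [a for h in DNS["mx"].get(domain, []) for a in DNS["a"].get(h, [])]
            hit = _in_net(ip, addrs, prefix or "32")
        elif mech == "ptr":
            hit = _ptr_match(ip, domain)
        if hit:
            return RESULTS[qual], source
    return "neutral", source
```

Because the guessed record ends in ?all, a miss yields neutral rather than fail, so the guess can only add passes for a domain that published nothing.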

