spf-discuss

Re: change of version string

2004-08-07 13:46:41
Graham Murray wrote:

> The problem comes from MTAs which do *not* perform the SPF
> test. The spammer could include a "Received-SPF: pass" in
> the SPAM email.

Yes, that's bitter.  But users behind a MX doing no classic /
unified / whatever tests are always lost, unless they know
exactly how to extract the sending IP from Received: headers.

That's a trick where even SpamCop uses mechanisms like "send
test mails to all MX, and let the user return these mails to
SC for automatic analysis".

> So, it would have to be mandatory for MTAs to remove any
> pre-existing Received-SPF: header(s)

Changing all MX / MDAs by decree won't work, otherwise we could
simply implement a FUSSP, and forget classic / unified SPF. :-(

> I am afraid that I do not see that happening any time soon.

Yes.  But MX / MDAs doing unified / Sender-Id checks (instead
of simple classic SPF tests) also won't happen any time soon.

The new MUAs still want to display a "PRA".  Without the SPF
PASS result they can at least find an address matching the
MAIL FROM (Return-Path).  Then the only problem is the header

| Received-SPF: PASS etc.

Who inserted it, the spammer or the MX / MDA?  Mail accounts
are normally configured.  Users already have to enter their
address, smart host, POP3 / IMAP host, passwords, etc.  They
could also configure SPF yes / no / auto-detect, where auto-detect
could send a test-mail to their own address (that part won't
work everywhere, but e.g. Outlook has a test function).

Sender-Id proposes to display a "PRA" in the MUA.  If Sender-Id
can do it, then SPF classic + header analysis can do it too.
Otherwise I'd like to know what Sender-Id MUAs really do to
display a "PRA" with SPF test result.

draft-ietf-marid-core-02.txt doesn't explain this in 7.5:

| When displaying a received message, an MUA SHOULD display the
| purported responsible address as defined by this document
| whenever that address differs from the RFC 2822 From address.
| This display SHOULD be in addition to the RFC 2822 From
| address.

Okay, display one of Resent-From / ... / Sender if available,
priorities and conflicts defined by the Sender-Id algorithm.
That's the "PRA" (or in rare cases a collection of candidates).

But the MUA doesn't know the result of the SPF-Test for this
"PRA".  It could even be FAIL, in your example of a MX / MDA
which never actually did any SPF test.

So what do you do with a collection of PRA candidates in a MUA
without the SPF test result?  It's again the green blinking
flag with onmouseover text "MARID says that phred phisher is
a PRA, and maybe your ISP tested it.  CAVEAT: avoid bad ISPs
where you can't look into the mailer log-files".  Oops... ;-)

                          Bye. Frank
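As an added example (not from this thread or from any SPF implementation), both sides of the problem Graham and Frank discuss, in Python: the MX-side rule of dropping every Received-SPF header that arrived with the message before stamping its own, and the MUA-side reading that only believes a header whose receiver= names a host the user configured. The hostnames, addresses and the sample message are constructed.

```python
import re

# Constructed name of the receiving MX for this example.
RECEIVER = "mx.example.org"

def split_headers(raw):
    """Split a raw RFC 2822 message into an ordered list of (name, value)
    and the body. Folded continuation lines (leading whitespace) are
    joined to the header they belong to, so ordering is preserved."""
    head, _, body = raw.partition("\n\n")
    headers = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + "\n" + line)
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers, body

def stamp_received_spf(raw, result, client_ip, envelope_from, helo):
    """MX-side fix: remove every Received-SPF header that came with the
    message (the sender can forge them) and prepend exactly one that
    this receiver wrote, in the receiver=/client-ip=/... field form."""
    headers, body = split_headers(raw)
    kept = [(n, v) for n, v in headers if n.lower() != "received-spf"]
    spf = (f"{result} ({RECEIVER}: checked {client_ip}) receiver={RECEIVER}; "
           f"client-ip={client_ip}; envelope-from={envelope_from}; helo={helo};")
    kept.insert(0, ("Received-SPF", spf))
    return "\n".join(f"{n}: {v}" for n, v in kept) + "\n\n" + body

def trusted_spf_results(raw, trusted_receivers):
    """MUA/MDA side: only believe a Received-SPF whose receiver= names a
    configured host. This is only meaningful if that host strips foreign
    copies first, since the receiver= field itself can be forged."""
    results = []
    for name, value in split_headers(raw)[0]:
        if name.lower() != "received-spf":
            continue
        m = re.search(r"receiver=([^;\s]+)", value)
        if m and m.group(1).lower() in trusted_receivers:
            results.append(value.split()[0].lower())
    return results

# Constructed sample: direct-to-MX message carrying a forged "pass".
FORGED = (
    "Received-SPF: pass (spammer says so) receiver=mx.example.org; "
    "client-ip=203.0.113.5;\n"
    "From: phred@example.com\nSubject: hello\n\nbody\n"
)
```

Without the MX-side strip, the forged header is accepted by the MUA-side check; after stamping, only the receiver's own result survives.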