Serious question aimed at helping propagate SPF to personal domains:

My question below boils down to: "is there a syntax for SPF (possibly the macro
language?) which enables "-all" to be excluded from only some addresses of a
domain?"

A common form of e-mail forgery used by spammers is to find domains that have a
mailbox for *@domain by taking each domain in their mailing list and
either attempting to send email to and/or from random@domain. The
"from" case is forgery which cannot be detected by anti-spam software that detects
non-existent addresses. The "to" case is probing for existent addresses, which
can then also be used as "from" addresses in hopes of bypassing the
recipient@domain's whitelist.

Obviously this can be identified by SPF, but *only* if "-all" is present in
the SPF DNS record. My question is: is there a syntax for SPF (possibly the macro
language?) which enables "-all" to be excluded from only some addresses of a
domain?

This is important in my opinion due to the confluence of four factors:

(1) It could possibly help speed adoption by possibly millions of domain owners
(do not know if millions have wildcard mailboxes though) if the owners of such
domains can stop the wildcard forgery with a simple DNS change, without having
to take the "next step" (*see below) to ensure they are supporting "-all" on
their valid (desired) addresses.

(2) I predict this form of forgery could become more common once the forgery of
major domains becomes less effective due to SPF (and other domain-targeted
anti-forgery proposals).

(3) Obviously a similar result could be accomplished by bouncing all but valid
(desired) addresses, but such an SPF macro might be a more efficient way and
thus speed adoption of SPF "-all". Also the SPF way could stop the forgery
earlier in the SMTP chain.

(4) In this proposed capacity, the SPF DNS record would be acting more like a
forgery blacklist or whitelist, and it would be portable because in this scenario
the domain owner never expects to send unforged email from the address range
under the "-all" restriction, so it really would not matter too much which IP
was designated by the record (could even have a null IP option, i.e. meaning
blacklist).

* Note, where "next step" incurs *potential* for false positive risk due to the
necessity to properly configure and use SMTP AUTH (client and server),
set/maintain correct IP records in the SPF DNS, and the human error prone
discipline of where to type an email address, which I outlined in a (now
closed) debate about SPF vs. SenderKeys:
http://archives.listbox.com/spf-discuss@v2.listbox.com/200408/0632.html

-Shelby Moore
http://AccuSpam.com