On Wed, 15 Sep 2004, Seth Goodman wrote:
> You're not overlooking anything. Forgery of direct delivery email (MTA=>MDA
> with no intermediate hosts) is generally discovered by SPF, assuming the
> SPF record of the sender is adequate. This simply forces those who want to
> perpetrate joe-jobs to pose as forwarders at throw-away domains with proper
> SPF records. They can use SRS or SUBMITTER and the message will be accepted
> by most recipients despite a bogus originating domain (joe-job) claimed in
> the return-path. Neither SRS nor SUBMITTER can stop this for one simple
Accepting forwards from any domain with an SPF record seems like a bad
policy on the receiver's part. A more reasonable policy would be to accept
forwards only from forwarders trusted to supply a correct Received-SPF
header.
The usual objection is that large mail providers have no application in
place to allow their millions of users to designate forwarders. I am
suggesting that such an application would be very helpful. Forwarders
need to be authenticated too.
--
Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
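A receiver-side check for the policy described above, as an added example that is not part of the original post or of any SPF implementation: a message is treated as a forward when it carries a prior hop's Received-SPF header or an SRS-rewritten return-path, and that header is honored only when the connecting host is a forwarder the recipient designated. The SPF table, addresses and header below are constructed stand-ins for real DNS lookups and real mail.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Set

# Constructed stand-in for SPF DNS lookups: domain -> networks permitted to send for it.
# Assumption: a real policy daemon would resolve and evaluate the SPF record instead.
SPF_TABLE: Dict[str, List[str]] = {
    "example.com": ["192.0.2.0/24"],           # the legitimate sender's domain
    "throwaway.example": ["203.0.113.0/24"],   # joe-jobber's domain, with a "proper" SPF record
    "forwarder.example.net": ["198.51.100.10/32"],
}

# Constructed Received-SPF header as a trusted forwarder would add it (RFC 4408 style).
SAMPLE_RECEIVED_SPF = (
    "pass (forwarder.example.net: domain of alice@example.com designates 192.0.2.7 "
    "as permitted sender) receiver=forwarder.example.net; client-ip=192.0.2.7; "
    "envelope-from=alice@example.com; helo=mail.example.com"
)

RECEIVED_SPF_RE = re.compile(
    r"^\s*(?P<result>\w+).*?client-ip=(?P<ip>[0-9a-fA-F.:]+)"
    r".*?envelope-from=<?(?P<sender>[^;>\s]+)", re.S)

def spf_check(domain: str, ip: str) -> str:
    """Evaluate the connecting IP against the constructed SPF data for domain."""
    nets = SPF_TABLE.get(domain.lower())
    if nets is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    return "pass" if any(addr in ipaddress.ip_network(n) for n in nets) else "fail"

def parse_received_spf(header: str) -> Optional[dict]:
    """Pull result, client-ip and envelope-from out of a Received-SPF header."""
    m = RECEIVED_SPF_RE.search(header)
    return m.groupdict() if m else None

def is_forward(return_path: str, received_spf: Optional[str]) -> bool:
    """An SRS-rewritten return-path or a prior hop's Received-SPF header marks a forward."""
    local = return_path.split("@", 1)[0]
    return received_spf is not None or local.upper().startswith(("SRS0=", "SRS1="))

def accept_message(client_ip: str, return_path: str, received_spf: Optional[str],
                   trusted_forwarders: Set[str]) -> bool:
    if not is_forward(return_path, received_spf):
        # Direct delivery: the connecting host must be permitted by the return-path domain.
        return spf_check(return_path.rsplit("@", 1)[1], client_ip) == "pass"
    # Forward: the forwarder's own SPF pass says nothing about the original sender,
    # so only a forwarder the recipient designated may vouch for it via Received-SPF.
    if client_ip not in trusted_forwarders:
        return False
    info = parse_received_spf(received_spf or "")
    return info is not None and info["result"].lower() == "pass"
```

The third case below is the joe-job the post describes: an SRS-rewritten return-path at a throw-away domain passes SPF on its own, and is refused only because the connecting host is not a designated forwarder.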