spf-discuss

RE: SPF-compliant phishing?

2004-09-15 13:31:19
On Wed, 15 Sep 2004, Seth Goodman wrote:

> You're not overlooking anything.  Forgery of direct delivery email (MTA=>MDA
> with no intermediate hosts) is generally discovered by SPF, assuming the
> SPF record of the sender is adequate.  This simply forces those who want to
> perpetrate joe-jobs to pose as forwarders at throw-away domains with proper
> SPF records.  They can use SRS or SUBMITTER and the message will be accepted
> by most recipients despite a bogus originating domain (joe-job) claimed in
> the return-path.  Neither SRS nor SUBMITTER can stop this for one simple

Accepting forwards from any domain with an SPF record seems like a bad
policy on the receiver's part.  A more reasonable policy would be to accept
forwards only from forwarders trusted to supply a correct Received-SPF
header.

The usual objection is that large mail providers have no application in
place to allow their millions of users to designate forwarders.  I am
suggesting that such an application would be very helpful.  Forwarders
need to be authenticated too.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
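The two receiver policies contrasted in this thread, as an added example that is not code from the list or from any SPF implementation. It models the SRS joe-job Seth describes and the "trusted forwarders only" policy Stuart proposes. All domains, IP addresses, SPF records, SRS tags and Received-SPF headers below are constructed; the SPF evaluator is deliberately minimal (ip4:, include: and the all qualifiers only, no real DNS), and SUBMITTER is not modelled.

```python
import ipaddress
import re

# Constructed DNS view (not real zones): domain -> SPF TXT record.
SPF_RECORDS = {
    "victim.example":    "v=spf1 ip4:192.0.2.10 -all",     # the joe-job target
    "forwarder.example": "v=spf1 ip4:198.51.100.5 -all",   # a forwarder the recipient designated
    "throwaway.example": "v=spf1 ip4:203.0.113.7 -all",    # attacker's throw-away domain, SPF-correct
}

# SRS0=HHH=TT=original-domain=original-local, as produced by a forwarder using SRS.
SRS0_RE = re.compile(r"^SRS0=[^=]+=[^=]+=(?P<domain>[^=]+)=(?P<local>.+)$", re.IGNORECASE)


def check_spf(ip, domain, records=SPF_RECORDS):
    """Minimal SPF check: ip4:, include: and all with +/-/~/? qualifiers.
    Returns pass / fail / softfail / neutral / none (none = no record)."""
    rec = records.get(domain.lower())
    if rec is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in rec.split()[1:]:            # skip the v=spf1 version tag
        qual = "+"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = check_spf(ip, term[8:], records) == "pass"
        elif term == "all":
            matched = True
        else:
            matched = False                 # a/mx/ptr/exists are not modelled here
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qual]
    return "neutral"


def parse_return_path(mail_from):
    """Split MAIL FROM into (local, domain, original_domain); original_domain is
    the pre-forwarding sender domain if the local part is an SRS0 rewrite, else None."""
    local, _, domain = mail_from.rpartition("@")
    m = SRS0_RE.match(local)
    return local, domain.lower(), (m.group("domain").lower() if m else None)


def parse_received_spf(value):
    """Return (result, fields) from a Received-SPF header value such as
    'pass (comment) client-ip=...; envelope-from=...;'."""
    result, _, rest = value.strip().partition(" ")
    rest = re.sub(r"\([^)]*\)", "", rest)   # drop the human-readable comment
    fields = {}
    for part in rest.split(";"):
        k, _, v = part.strip().partition("=")
        if k:
            fields[k.strip().lower()] = v.strip()
    return result.lower(), fields


def naive_policy(client_ip, mail_from):
    """Accept anything whose return-path domain passes SPF for the connecting host.
    An SRS-rewriting forwarder at a throw-away domain passes this trivially."""
    _, domain, _ = parse_return_path(mail_from)
    return check_spf(client_ip, domain) == "pass"


def trusted_forwarder_policy(client_ip, mail_from, headers, trusted_forwarders):
    """Direct delivery must pass SPF. An SRS-rewritten return-path is honoured only
    when (1) the forwarder domain is one the recipient designated, (2) the connecting
    host passes that forwarder's SPF, and (3) the forwarder's own Received-SPF header
    reports pass for the original sender domain."""
    _, domain, orig_domain = parse_return_path(mail_from)
    if orig_domain is None:
        return check_spf(client_ip, domain) == "pass"
    if domain not in trusted_forwarders or check_spf(client_ip, domain) != "pass":
        return False
    rspf = headers.get("received-spf")
    if rspf is None:
        return False
    result, fields = parse_received_spf(rspf)
    envelope_domain = fields.get("envelope-from", "").rpartition("@")[2].lower()
    return result == "pass" and envelope_domain == orig_domain


def demo():
    """Constructed scenarios: direct mail, a forged direct mail, a legitimate SRS forward,
    and a joe-job relayed through an SPF-correct throw-away forwarder."""
    srs = "SRS0=h7Qx=A3=victim.example=bob@"
    hdr = {"received-spf": "pass (forwarder.example: domain of bob@victim.example designates "
                           "192.0.2.10 as permitted sender) client-ip=192.0.2.10; "
                           "envelope-from=bob@victim.example;"}
    trusted = {"forwarder.example"}       # the recipient's designated forwarders
    return {
        "direct_naive":   naive_policy("192.0.2.10", "bob@victim.example"),
        "forged_naive":   naive_policy("203.0.113.7", "bob@victim.example"),
        "forward_naive":  naive_policy("198.51.100.5", srs + "forwarder.example"),
        "joejob_naive":   naive_policy("203.0.113.7", srs + "throwaway.example"),
        "direct_trusted": trusted_forwarder_policy("192.0.2.10", "bob@victim.example", {}, trusted),
        "forward_trusted": trusted_forwarder_policy("198.51.100.5", srs + "forwarder.example", hdr, trusted),
        "joejob_trusted": trusted_forwarder_policy("203.0.113.7", srs + "throwaway.example", hdr, trusted),
        "fake_forwarder": trusted_forwarder_policy("203.0.113.7", srs + "forwarder.example", hdr, trusted),
    }
```

Under the naive policy the joe-job through throwaway.example is accepted (its SPF record is in order, so the SRS-rewritten return-path passes), which is exactly the gap described in the quoted message; under the trusted-forwarder policy it is rejected because the recipient never designated that forwarder, and a host merely claiming to be forwarder.example fails the forwarder's own SPF check. The per-recipient trusted set is the "application to designate forwarders" that large providers would need to offer.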

