spf-discuss

Re: Forwarding is spoofing Was: ElectronicFrontier Foundation (EFF) Article OnAnti-Spam Technologies Mentions SPF

2004-11-22 10:06:33
Hello!

On Mon, Nov 22, 2004 at 10:12:41AM -0600, Bruce Barnes wrote:
> We're missing the point here, people.
>
> The issue is to eliminate as much SPAM and PHISHING as possible and this
> WILL require some radical steps to implement.  If that means forcing people
> to upgrade software - which it WILL - then so be it!

SPF isn't intended to eliminate spam, as many here explicitly stated.
It's only there to reduce *envelope* sender forgeries. So phishing
(no need to shout btw) isn't prevented either, as usual MUAs only
display header from (2822, not 2821), a few other headers (usually *not*
Return-Path) and the body of the mail. So SPF will not prevent me from
mailing this:

  MAIL FROM: <phisher(_at_)somewhere(_dot_)example>
  RCPT TO: <victim...>
  DATA
  From: technical_staff(_at_)your_favourite_bank(_dot_)example
  To: victim...
  Subject: Technical Problems with Online Banking

  Hello!

  We have problems with our online banking. Until services return to
  normal, please use
    https://www.yourfavourite_bank.example/temporary_banking/
[NOTE: Mind the missed '_'!]
  for urgent banking needs.
  We'll notify you when the normal services are back up.

  Kind regards,

  Technician

My MAIL FROM validates (because it's on my domain and I control SPF for
this). The From and web site forgery (which is the main problem point)
isn't checked by SPF at all.

So preventing phishing is something even more difficult than preventing
spam.

And my example would work even a bit better with HTML mail, of course.

[...]

Kind regards,

Hannah.
