On Mon, 22 Nov 2004, Andy Bakun wrote:
> I suggest you check out the website to find out exactly how braindead this
> thing is. There is a configuration screen that lets you enter in all
> the local MTAs so it knows to skip over those Received: lines.
Ok, so if I were a spammer, all I need to do is prepend a Received line that
looks like the one added by the recipient system and then another one that
looks like the one that came from the machine where SPF would pass. A bit
tricky but doable, especially since SPF records are all public and
during the SMTP session you can find out what software the mail server runs.
> But if it tests 2822-From or PRA nobody will use it for
> more than a day.
I seriously hope this will be the case. Unfortunately, questionable
interpretations of SPF that lead to bad implementations amount to
seriously negative press for SPF.
Unfortunately Meng has been saying all along that MUAs should do PRA
checking (in addition to general PRA brokenness this adds a new level of
forgery by means of hearsay from Received lines) and Microsoft appears
to be planning on doing exactly that. When asked about it they refused
to admit it's a problem, but preferred not to answer the question in the
first place (it took me forever to get MS to admit on MARID that they
are in fact working on it).
P.S. In fact the only question I asked at the FTC summit was why Microsoft
and others consider that it's ok to do SenderID checks from the MUA. Instead
of answering it they said they will add SenderID checks to Hotmail and
Exchange. Meng also said something in support of that but continues in
his whitepaper and in other places to say that PRA is for MUA checking and
SPF is for MTA checking.... What a stupid position!
--
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
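Added illustration, not part of the list message above: the forgery William describes, run against the "skip the local MTAs' Received: lines" rule that Andy quotes. Received: stamps are prepended by each hop, so only the topmost stamp is really written by the recipient's boundary MTA; everything below it arrived inside the message and is sender-controlled. A sender who prepends one stamp imitating the recipient's MTA and one imitating a hop from an SPF-authorised host makes the naive extractor evaluate an IP of the sender's choosing. The hostnames, addresses, local-MTA list and SPF table below are constructed for the example and are not real records; the SPF lookup is a stand-in table rather than DNS.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed configuration: the recipient's only boundary MTA, and a stand-in
# for example.com's SPF record (pretend it authorises 192.0.2.0/24). Not real data.
LOCAL_MTAS = {"mx.example.net"}
SPF_PERMITTED = {"example.com": [ip_network("192.0.2.0/24")]}

# Constructed forged message. Only the top stamp was written by mx.example.net;
# it records the real connecting IP 198.51.100.7. The two stamps below it were
# supplied by the sender: one imitates mx.example.net's own stamp, the other
# imitates a hop from the SPF-authorised host, forming a plausible chain.
FORGED_MESSAGE = """\
Received: from spammer.invalid (unknown [198.51.100.7])
\tby mx.example.net with ESMTP; Mon, 22 Nov 2004 10:00:00 -0500
Received: from mail.example.com (mail.example.com [192.0.2.10])
\tby mx.example.net with ESMTP; Mon, 22 Nov 2004 09:59:00 -0500
Received: from client.example.com (client.example.com [192.0.2.50])
\tby mail.example.com with ESMTP; Mon, 22 Nov 2004 09:58:00 -0500
From: someone@example.com
To: victim@example.net
Subject: test

body
"""

# Constructed honest delivery for comparison: mail.example.com really connected.
HONEST_MESSAGE = """\
Received: from mail.example.com (mail.example.com [192.0.2.10])
\tby mx.example.net with ESMTP; Mon, 22 Nov 2004 10:00:00 -0500
Received: from client.example.com (client.example.com [192.0.2.50])
\tby mail.example.com with ESMTP; Mon, 22 Nov 2004 09:58:00 -0500
From: someone@example.com
To: victim@example.net
Subject: test

body
"""

RECEIVED_RE = re.compile(r"from\s+(\S+).*?\[([0-9.]+)\].*?\bby\s+(\S+)", re.S)


def parse_received(message):
    """Return [(from_host, from_ip, by_host), ...] in header order, newest first."""
    head = message.split("\n\n", 1)[0]
    unfolded = re.sub(r"\n[ \t]+", " ", head)  # join RFC 2822 folded lines
    hops = []
    for line in unfolded.split("\n"):
        if line.lower().startswith("received:"):
            m = RECEIVED_RE.search(line)
            if m:
                hops.append((m.group(1), ip_address(m.group(2)), m.group(3)))
    return hops


def naive_connecting_ip(message, local_mtas):
    """The quoted MUA rule: skip every stamp that claims to be written by a
    local MTA and use the 'from' IP of the next one. Sender-supplied stamps
    naming a local MTA are skipped just like genuine ones."""
    for _from_host, from_ip, by_host in parse_received(message):
        if by_host in local_mtas:
            continue
        return from_ip
    return None


def boundary_connecting_ip(message, local_mtas):
    """Walk down from the newest stamp and stop at the first one written by a
    local MTA whose peer is not itself local: that stamp holds the IP that
    actually connected to the boundary MTA. Nothing below it is consulted."""
    for from_host, from_ip, by_host in parse_received(message):
        if by_host in local_mtas and from_host not in local_mtas:
            return from_ip
    return None


def spf_pass(domain, ip):
    """Stand-in for an SPF evaluation against the constructed table above."""
    return any(ip in net for net in SPF_PERMITTED.get(domain, []))


def check(message, local_mtas, extractor):
    """Return (ip evaluated, SPF result) for the 2822 From: domain."""
    domain = re.search(r"^From:.*@([\w.-]+)", message, re.M).group(1)
    ip = extractor(message, local_mtas)
    if ip is None:
        return None, False
    return str(ip), spf_pass(domain, ip)


if __name__ == "__main__":
    for name, msg in (("forged", FORGED_MESSAGE), ("honest", HONEST_MESSAGE)):
        print(name, "naive:", check(msg, LOCAL_MTAS, naive_connecting_ip))
        print(name, "boundary:", check(msg, LOCAL_MTAS, boundary_connecting_ip))
```

On the forged message the naive rule skips both stamps that name mx.example.net, including the forged one, and evaluates 192.0.2.50, which passes; reading the boundary MTA's own stamp gives 198.51.100.7, which fails. Even the boundary approach only holds if the MUA can be sure the top stamp really came from its own MTA (a POP or IMAP server that adds no stamp leaves nothing to trust), which is why the check belongs in the MTA during the SMTP session, where the connecting IP is known rather than inferred.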