From: wayne
Sent: Monday, November 29, 2004 2:47 PM
<...>
> I must be missing something. Why can't you detect a forged forward
> with an SRS return-path? The forwarder can publish SPF records, just
> like everyone else. Also, a forwarder's SPF record can contain an
> exists: mechanism similar to the one in the SES draft in case there
> are more forwarders that don't do SRS.
I wasn't specific enough. The forwarder's SPF record is what is checked by
the recipient, not the originator's. A spammer can take out a throw-away
domain, publish an SPF record and pretend to be forwarding a message from
anyone they want. That message will always pass SPF, despite the forgery.
This is inherent in the hop-by-hop authentication of SPF.
If you want to only accept SRS-rewritten forwards from whitelisted
forwarders, you can do that, but that is more practical for small sites than
large ones. This approach is even harder to implement at a large site if
there are forwarders that individual customers want to use that are not
acceptable to the service as a whole.
--
Seth Goodman
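The whitelist policy Seth describes, as an added example that is not part of the original thread: parse an SRS0 return-path, note that an SPF pass only vouches for the forwarder's domain (not the inner original address), and accept the forward only if that forwarder is on a local whitelist. The SPF outcome table, the domains and the whitelist are all constructed for the example; a real implementation would call an SPF resolver instead.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed SPF outcomes keyed by (client IP, envelope-sender domain).
# These stand in for a real SPF resolver in this example.
SPF_RESULTS = {
    ("192.0.2.10", "forwarder.example"): "pass",
    ("198.51.100.7", "throwaway.example"): "pass",  # any domain can publish a passing record
    ("192.0.2.10", "origin.example"): "fail",
}

# Hypothetical whitelist of forwarders this site trusts to rewrite honestly.
TRUSTED_FORWARDERS = {"forwarder.example"}

# SRS0=<hash>=<timestamp>=<original domain>=<original local part>
SRS0_RE = re.compile(r"^SRS0=([^=]+)=([^=]+)=([^=]+)=(.+)$", re.IGNORECASE)


@dataclass
class Verdict:
    action: str                    # "accept", "reject" or "unverified"
    forwarder: Optional[str]
    original_sender: Optional[str]


def parse_srs0(return_path: str) -> Optional[Tuple[str, str]]:
    """Return (forwarder domain, original address) for an SRS0 path, else None."""
    local, _, forwarder = return_path.rpartition("@")
    m = SRS0_RE.match(local)
    if not m:
        return None
    _hash, _timestamp, orig_domain, orig_local = m.groups()
    return forwarder.lower(), f"{orig_local}@{orig_domain}"


def evaluate(return_path: str, client_ip: str) -> Verdict:
    """Apply SPF to the envelope sender, then the forwarder whitelist if SRS-rewritten."""
    domain = return_path.rpartition("@")[2].lower()
    spf = SPF_RESULTS.get((client_ip, domain), "none")
    srs = parse_srs0(return_path)
    if srs is None:
        # Ordinary mail: the SPF result speaks for the originator's own domain.
        return Verdict("accept" if spf == "pass" else "reject", None, None)
    forwarder, original = srs
    if spf != "pass":
        return Verdict("reject", forwarder, original)
    # SPF passed, but hop-by-hop it only authenticates the forwarder; the inner
    # address is unverified unless we already trust this forwarder.
    if forwarder in TRUSTED_FORWARDERS:
        return Verdict("accept", forwarder, original)
    return Verdict("unverified", forwarder, original)
```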