Perhaps a representative from the SPF council should contact postmaster(_at_)algoritmnt(_dot_)ru indicating that PRA interpreting SPF records is unacceptable, with the illustration of this particular failure as being why.

A proposed response that the SPF council rep could use follows:

To Whom It May Concern

We have been made aware that you are using PRA to reject email. This in itself is reasonable if the PRA technology is suitable for you; however, PRA should only use PRA records. PRA should *not* be set to read SPF records and apply the PRA algorithm, as the methods of PRA and SPF are different and require different sender records in many cases.

For example, an email was sent to your domain and your server responded by saying "550 5.7.0 Caller-ID for the message does not match" because the "From:" domain was not the sender's domain and the domain owner publishes ~all.

This was a false positive as the email was not forged <<<perhaps more details on what it was could be put here>>>

The domain owner's published SPF policy is applicable to and should only be used against RFC 2821 Mail-From header (which is what SPF does). The domain owner's published SPF policy is NOT applicable to nor should be used against RFC 2822 from headers (which is what PRA does).

Please set your PRA implementation to interpret PRA against PRA records only in order to prevent future false positives and incorrect email rejection.

You may also be well advised to implement SPF checks to maximize protection, since SPF has a much larger deployment/published base than PRA and will offer better protection from forgery in the foreseeable future.

Terry Fielder
Manager Software Development and Deployment
Great Gulf Homes / Ashton Woods Homes
terry(_at_)greatgulfhomes(_dot_)com
Fax: (416) 441-9085
-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com [mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of Roger Moser
Sent: Sunday, December 12, 2004 7:13 AM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: [spf-discuss] Abusing SPF record for PRA testing

Just for your information:

mail.algoritmnt.ru abuses the SPF record to test the PRA and rejected a mail from my server by saying "550 5.7.0 Caller-ID for the message does not match" because the "From:" domain was not my domain and the domain owner publishes "~all". Only after I added a Sender header with my domain, it has been accepted.

Roger
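
The mismatch discussed in this thread, as an added example that is not part of either message: the same SPF records are applied once to the RFC 2821 MAIL FROM domain (what SPF checks) and once to the header identity PRA selects. The domains, addresses and records are constructed, the PRA selection is a simplified header-order version, and the evaluator understands only `ip4:` and `all`.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed SPF records; the example.* names and addresses are placeholders.
SPF = {
    "sender.example": "v=spf1 ip4:192.0.2.10 -all",
    "author.example": "v=spf1 ip4:198.51.100.0/24 ~all",
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def domain_of(address):
    return parseaddr(address)[1].rpartition("@")[2].lower()

def pra_domain(msg):
    """Simplified PRA: first non-empty of these RFC 2822 headers, in order."""
    for name in ("Resent-Sender", "Resent-From", "Sender", "From"):
        if msg.get(name, "").strip():
            return domain_of(msg[name])
    return None

def check(domain, client_ip):
    """Toy evaluator: understands only the ip4: and all mechanisms."""
    record = SPF.get(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        q, mech = (term[0], term[1:]) if term[0] in QUALIFIER else ("+", term)
        if mech == "all":
            return QUALIFIER[q]
        if mech.startswith("ip4:") and \
                ipaddress.ip_address(client_ip) in ipaddress.ip_network(mech[4:]):
            return QUALIFIER[q]
    return "neutral"

def evaluate(raw_message, mail_from, client_ip):
    """Apply the same SPF records to the SPF identity and to the PRA identity."""
    mfrom, pra = domain_of(mail_from), pra_domain(message_from_string(raw_message))
    return {"mfrom": (mfrom, check(mfrom, client_ip)),
            "pra": (pra, check(pra, client_ip))}

# Constructed message: relayed by sender.example, written by author.example.
MESSAGE = "From: Author <a@author.example>\nTo: rcpt@rcpt.example\n\nhello\n"
WITH_SENDER = "Sender: relay@sender.example\n" + MESSAGE

if __name__ == "__main__":
    print(evaluate(MESSAGE, "bounce@sender.example", "192.0.2.10"))
    print(evaluate(WITH_SENDER, "bounce@sender.example", "192.0.2.10"))
```

A receiver that treats the softfail on the PRA identity as a reject reproduces the false positive described above; with the Sender header present, the PRA identity becomes the relaying domain and the check passes.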