----- Original Message -----
From: "David Woodhouse" <dwmw2(_at_)infradead(_dot_)org>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Wednesday, January 12, 2005 6:44 PM
Subject: Re: [spf-discuss] using received headers to determine sending mta
On Wed, 2005-01-12 at 18:16 +0100, jpinkerton wrote:
http://www.spf.idimo.com/fix-1.php
I don't think it needs to be that complex -- you can just use the record
for the reverse-path and compare with the sending host and the Received:
headers.
Your solution is good, but has a problem -- it's trivial to fake a
Received: header claiming that the mail did originate from an authorised
IP address. You need the original sending MTA to include a signature
which really can be trusted, and then it'll work.
Sure - this method is only used after normal SPF checks don't produce a
Pass. Recipients can choose how deeply they want to go through the
headers - bearing in mind that they can all be forged. As is stated
"This is not a long-term solution, the intention here is to create an
immediate fix for SPF's known problem areas, so that SPF can continue to
promote the publication of records and the use of milters, while a more
permanent solution to mail-lists and forwarding is found."
The reasoning is that the forwarders, etc. don't have to do anything like
implementing other protocols, this works "out of the box".
Slainte,
JohnP.
johnp(_at_)idimo(_dot_)com
ICQ 313355492
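To make the objection in this exchange concrete, here is an added example (not code from the thread or from the fix-1.php page) that walks the Received: headers of a constructed message against a constructed SPF record and counts a hop as evidence only while the header was written by one of the recipient's own MTAs; the hostnames, IP addresses, SPF record and the set of "own" MTAs are all assumptions made for the illustration.

```python
import re
import ipaddress

# Constructed sample, not from the list post: mail from the sender's authorised
# MTA reached our MX via a forwarder. Only the top Received: header was written
# by us; the lower one could just as well have been typed in by the forwarder.
SAMPLE_MESSAGE = """\
Received: from fwd.example.org (fwd.example.org [192.0.2.50])
\tby mx.example.net with ESMTP; Wed, 12 Jan 2005 18:30:00 +0000
Received: from mail.sender.example (mail.sender.example [198.51.100.7])
\tby fwd.example.org with ESMTP; Wed, 12 Jan 2005 18:20:00 +0000
From: someone@sender.example
"""
SPF_RECORD = "v=spf1 ip4:198.51.100.0/24 -all"  # constructed record for sender.example
OWN_MTAS = {"mx.example.net"}                    # assumed: hosts whose headers we wrote

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # bracketed IPv4 literal
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.I)   # the MTA that added the header

def parse_received(raw):
    # (source_ip, by_host) per Received: header, most recent hop first.
    # Folded continuation lines (leading whitespace) are joined back first.
    head = re.sub(r"\n[ \t]+", " ", raw.split("\n\n", 1)[0])
    hops = []
    for line in head.splitlines():
        if line.lower().startswith("received:"):
            ip, by = IP_RE.search(line), BY_RE.search(line)
            hops.append((ip and ip.group(1), by and by.group(1).lower()))
    return hops

def spf_ip4_networks(record):
    # Only ip4: mechanisms are handled here; enough to show the trust problem.
    return [ipaddress.ip_network(t[4:], strict=False) for t in record.split() if t.startswith("ip4:")]

def evaluate_hops(raw, spf_record, own_mtas):
    # A header is trustworthy only while it and every header above it were
    # written by our own MTAs; the first foreign hop ends the chain of trust.
    nets, hops, trusted = spf_ip4_networks(spf_record), [], True
    for ip, by in parse_received(raw):
        trusted = trusted and by in own_mtas
        authorised = bool(ip) and any(ipaddress.ip_address(ip) in n for n in nets)
        hops.append({"ip": ip, "by": by, "authorised": authorised, "trusted": trusted})
    return hops

def verdict(raw, spf_record, own_mtas):
    hops = evaluate_hops(raw, spf_record, own_mtas)
    if any(h["authorised"] and h["trusted"] for h in hops):
        return "pass"
    # An authorised IP that appears only in headers we did not write proves nothing.
    return "unverifiable" if any(h["authorised"] for h in hops) else "fail"
```

Run as written, the forwarder's hop carries an authorised IP but sits below the trust boundary, so the result is "unverifiable" rather than a Pass.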