On Wed, 12 Jan 2005, Dan Field wrote:
If we are using the latest received header (The last MTA to handle the
message), then trust should be ok shouldn't it?
No, it shouldn't :)
Consider the following:
1. MTA that adds the Received header may not be the MTA that received the
mail message from outside network.
a. Related subcase - secondary MX MTA that then forwards to primary one
b. Note that going down the chain of Received headers as somebody would
be quick to suggest to resolve above will inevitably result in that
you may end up looking at received header possibly added by spammer
or somebody else you cannot trust and you may never know that
2. MTA that adds the most recent Received header may have modified the
header when sending it further (i.e. MAIL-FROM and other data may
not be the same any more) and you typically would not know it
3. There are some MTAs that add more than one received header line at
the same time splitting data among them - qmail is one example of that.
4. The SPF Record may have changed from the time info on MTA client
was entered in Received header.
a. Note also that the "timestamp" entered at Received header cannot
be trusted because there are cases when MTAs have local time not
properly synchronized (and yes, I'm guilty of this problem since RTC
on sokol is not functioning properly).
5. And most important of course is that "Received" headers are TRACE
data - their use is limited to debugging of email routing problems
but THEY ARE NOT FOR USE directly for operations like deciding if
email is to be accepted or not.
P.S. Did you know that the following received header line from your email
is not valid according to RFC2821 syntax and the "properly designed"
parser should reject it? As an exercise for you please find 2 places where
it violates syntax and as additional exercise please find 2 items where it
is against "SHOULD":
Received: from apex.listbox.com ([207.8.214.5]) by
gateway.netserver.accessemedia.com with Microsoft SMTPSVC(6.0.3790.211);
Wed, 12 Jan 2005 16:45:12 +0000
PPS. At some point several months ago I started doing statistics on the
mail I received to find how much of it has incorrect Received syntax
and classify it based on software that adds it. I got grim statistics with
about 75% of the received lines data having at least one error. This is
still on my (very long) TODO list to finish this up at least as
evaluation of current situation (but I considered that situation is so
bad that I have better/brighter things to work on at the moment).
This message has:
Received: from apex.listbox.com ([207.8.214.5]) by
gateway.netserver.accessemedia.com with Microsoft SMTPSVC(6.0.3790.211);
Wed, 12 Jan 2005 16:45:12 +0000
Received: from localhost.localdomain (localhost [127.0.0.1])
by apex.listbox.com (Postfix) with ESMTP id 729CB4D9F4
for <dan(_dot_)field(_at_)accessemedia(_dot_)com>; Wed, 12 Jan 2005
11:45:10 -0500 (EST)
Received: from smarthost4.mail.uk.easynet.net (smarthost4.mail.uk.easynet.net
[212.135.6.14])
by portent.listbox.com (Postfix) with ESMTP id 2FDB697EE5
for <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>; Wed, 12 Jan 2005
11:44:30 -0500 (EST)
Received: from [62.53.0.15] (helo=ringo)
by smarthost4.mail.uk.easynet.net with smtp (Exim 4.10)
id 1Colbb-0003tW-00
for spf-discuss(_at_)v2(_dot_)listbox(_dot_)com; Wed, 12 Jan 2005
16:44:23 +0000
Message-ID: <0eb901c4f8c5$f16d89b0$0200000a(_at_)ringo>
So, the last step was the first line above:
Received by gateway.netserver.accessemedia.com (my Exchange server here) from
207.8.214.5... so if I were to SPF check 207.8.214.5 to see if it is
permitted to send as
owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com(_dot_)(_dot_)(_dot_) isn't
this ok?
Dan
-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of Chris
Haynes
Sent: 12 January 2005 16:44
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] using received headers to determine sending
mta
"Dan Field" asked:
What are the problems with using a message's "Received" header lines to
determine the sending MTA and then perform an SPF lookup on that?
Thanks,
Dan
I can think of three reasons:
1) There is no standard format for Received,
2) Can you trust whoever purported to add that header to the message?
3) If inspected long after reception, there can be problems with lack of
knowledge of subsequent changes in the SPF record in the DNS
Doubtless others will think of further reasons.
Chris Haynes
-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Read the whitepaper! http://spf.pobox.com/whitepaper.pdf
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
--
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
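The following is an added example, not code from the thread or from any of its participants. It works through the header chain quoted above to make William's points 1, 1a and 3 concrete: a stored Received chain can only be walked from the newest hop down through hosts whose headers you know you wrote yourself, and everything below that boundary is unverifiable trace data. It assumes that the reader administers gateway.netserver.accessemedia.com (so only that host's header is trusted), it unfolds the quoted headers into single lines, and it adds a constructed secondary-MX chain (example.com/example.net hosts) to show how stopping at the first trusted host picks the wrong IP. The `with_is_single_atom` check is one thing a strict RFC 2821 parser would reject in the gateway's header; it is not a claim about which two violations the author had in mind.

```python
import re

# Constructed input: the four Received headers quoted in the thread, unfolded
# into one line each. Index 0 is the most recent hop (the reader's own MTA).
RECEIVED_CHAIN = [
    "from apex.listbox.com ([207.8.214.5]) by gateway.netserver.accessemedia.com"
    " with Microsoft SMTPSVC(6.0.3790.211); Wed, 12 Jan 2005 16:45:12 +0000",
    "from localhost.localdomain (localhost [127.0.0.1]) by apex.listbox.com (Postfix)"
    " with ESMTP id 729CB4D9F4 for <dan.field@accessemedia.com>;"
    " Wed, 12 Jan 2005 11:45:10 -0500 (EST)",
    "from smarthost4.mail.uk.easynet.net (smarthost4.mail.uk.easynet.net [212.135.6.14])"
    " by portent.listbox.com (Postfix) with ESMTP id 2FDB697EE5"
    " for <spf-discuss@v2.listbox.com>; Wed, 12 Jan 2005 11:44:30 -0500 (EST)",
    "from [62.53.0.15] (helo=ringo) by smarthost4.mail.uk.easynet.net with smtp (Exim 4.10)"
    " id 1Colbb-0003tW-00 for spf-discuss@v2.listbox.com; Wed, 12 Jan 2005 16:44:23 +0000",
]

# Assumption: the reader runs gateway.netserver.accessemedia.com, so only the
# header stamped by that host is one they know was not forged or rewritten.
TRUSTED_BY = {"gateway.netserver.accessemedia.com"}

# Constructed chain for William's point 1a: a secondary MX (mx2) hands the
# message to the primary (mx1). Hosts and addresses are documentation values.
SECONDARY_MX_CHAIN = [
    "from mx2.example.com (mx2.example.com [192.0.2.2]) by mx1.example.com"
    " with ESMTP id A1; Thu, 13 Jan 2005 09:00:02 +0000",
    "from mail.example.net ([198.51.100.7]) by mx2.example.com"
    " with ESMTP id B2; Thu, 13 Jan 2005 09:00:01 +0000",
    "from [10.0.0.5] by mail.example.net with ESMTP; Thu, 13 Jan 2005 09:00:00 +0000",
]

HOP_RE = re.compile(
    r"^\s*from\s+(?P<from>\S+)(?:\s+\((?P<tcp>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I
)
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
WITH_RE = re.compile(r"\bwith\s+(?P<with>[^;]+?)(?=\s+id\b|\s+for\b|\s*;|\s*$)", re.I)
ATOM_RE = re.compile(r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+$")  # one RFC 2822 atom


def parse_hop(raw):
    """Split one Received line into from/by/ip/with. Returns None for lines
    that carry no 'from ... by ...' clause, e.g. a qmail-style line that
    holds only part of the hop data (William's point 3)."""
    m = HOP_RE.match(raw)
    if not m:
        return None
    ip_m = IPV4_RE.search(m.group(0))  # bracketed address in the from/TCP-info part
    w = WITH_RE.search(raw)
    return {
        "from": m.group("from"),
        "by": m.group("by").lower(),
        "ip": ip_m.group(1) if ip_m else None,
        "with": w.group("with").strip() if w else None,
    }


def with_is_single_atom(raw):
    """RFC 2821 4.4: the value after WITH is a single protocol atom (ESMTP,
    SMTP or an IANA-registered name). Parenthesised comments are CFWS and
    are stripped before the check."""
    hop = parse_hop(raw)
    if hop is None or hop["with"] is None:
        return False
    value = re.sub(r"\([^)]*\)", "", hop["with"]).strip()
    return bool(ATOM_RE.match(value))


def border_client_ip(chain, trusted_by):
    """Walk from the newest hop down while the stamping host is one we trust
    (this follows a secondary-MX to primary-MX handoff) and return the IP that
    connected to the outermost trusted host, plus the number of remaining hops
    whose headers we have no way to verify. Even the returned IP is only what
    our own MTA saw; the MAIL FROM it saw may already have been rewritten."""
    client_ip = None
    verified = 0
    for raw in chain:
        hop = parse_hop(raw)
        if hop is None or hop["by"] not in trusted_by:
            break
        client_ip = hop["ip"]
        verified += 1
    return client_ip, len(chain) - verified


if __name__ == "__main__":
    print(border_client_ip(RECEIVED_CHAIN, TRUSTED_BY))
    print(border_client_ip(SECONDARY_MX_CHAIN, {"mx1.example.com", "mx2.example.com"}))
    print(border_client_ip(SECONDARY_MX_CHAIN, {"mx1.example.com"}))
    print(with_is_single_atom(RECEIVED_CHAIN[0]), with_is_single_atom(RECEIVED_CHAIN[3]))
```

For the thread's chain the walk stops after the gateway's own header and yields 207.8.214.5, the list server that connected to it, with three hops left that the gateway cannot vouch for; for the constructed secondary-MX chain, trusting only mx1 returns the secondary MX's own address instead of the outside client, which is exactly the mistake point 1a describes. The check at SMTP time against the connecting address, before any Received header has to be parsed, avoids all of this.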