spf-discuss

Re: Handling of -all

2005-02-12 07:01:16

----- Original Message -----
From: "Alex van den Bogaerdt" <alex(_at_)ergens(_dot_)op(_dot_)het(_dot_)net>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Friday, February 11, 2005 1:19 PM
Subject: Re: [spf-discuss] Handling of -all


The problem of the early adopters is that your sender policy
combined with me blocking "your" message, will actually send
the message to the faked sender, not the real originator, when
a message is being relayed by
- a forwarder
- an ISP's outgoing mail relay

and maybe more.

Example:

-1- bad(_at_)badguy(_dot_)example(_dot_)com pretends to be good(_at_)goodguy(_dot_)example(_dot_)org
  message is sent to someone(_at_)forwarder(_dot_)example(_dot_)net and no SPF is
  checked.

-2- forwarder.example.net sends the message to someone(_at_)other(_dot_)example(_dot_)net
  and pretends to be good(_at_)goodguy(_dot_)example(_dot_)org

-3- other.example.net does check SPF, finds a -all and rejects.
  forwarder.example.net bounces the message to ....

OK, we're right back to the uselessness of forwarding. Forwarding is *broken*. If you allow standard forwarding, sometimes called "mail reflection", then there is no way to tell your system from a forger because you are, in fact, forging the email. This has been broadly allowed up to now so that the bounces go where they're supposed to, but it means that the forwarder has to learn how to do SES/SRS and themselves put in significant spam blocking to get forwarding done safely.

Example 2:

-1- bad(_at_)badguy(_dot_)example(_dot_)com pretends to be good(_at_)goodguy(_dot_)example(_dot_)org
  and connects its machine to some dial-this-expensive-number-and-
  get-ip-connectivity provider.  It sends its spam to the SMTP
  gateway of this provider.  No spf checking is done.

-2- This provider tries sending the message, using
  good(_at_)goodguy(_dot_)example(_dot_)org as sender address.
  Reject, bounce, see -3-

That sender address is irrelevant to SPF. Don't confuse SPF with analyzing the "From:" line. MAIL FROM is what is relevant, and the SMTP gateway of the provider normally sets that to spammer-login-name(_at_)ISP-SMTP-server(_dot_)com. If they're not using something like that, then they're probably an open relay and should already be in the blacklists.

Now, in many instances, "MAIL FROM" is going to match the outgoing "From:" line. But it certainly need not, and that's entirely under the control of the ISP's outgoing SMTP server.
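
Added example, not part of the original thread: a minimal SPF evaluator (ip4 and all mechanisms only) run over the forwarding and ISP-relay cases discussed above, showing that the verdict depends on MAIL FROM and the connecting IP, never on the "From:" header. The records, the `isp.example` domain, the IP addresses and the simplified SRS-style rewrite are constructed assumptions.

```python
import ipaddress

# Constructed SPF records on documentation domains and address ranges.
POLICIES = {
    "goodguy.example.org": "v=spf1 ip4:192.0.2.0/24 -all",
    "forwarder.example.net": "v=spf1 ip4:198.51.100.0/24 -all",
    "isp.example": "v=spf1 ip4:203.0.113.0/24 -all",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(client_ip, mail_from, header_from=None):
    """Evaluate SPF for the envelope sender; header_from is deliberately ignored."""
    domain = mail_from.rsplit("@", 1)[1].lower()
    record = POLICIES.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return RESULTS[qualifier]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:]):
            return RESULTS[qualifier]
    return "neutral"

def srs_like_rewrite(mail_from, forwarder_domain):
    """Simplified stand-in for SRS: real SRS also embeds a hash and timestamp."""
    local, domain = mail_from.rsplit("@", 1)
    return f"SRS0={domain}={local}@{forwarder_domain}"

def scenarios():
    good = "good@goodguy.example.org"
    fwd_ip = "198.51.100.7"  # constructed outbound host of forwarder.example.net
    rewritten = srs_like_rewrite(good, "forwarder.example.net")
    return {
        "direct": check_spf("192.0.2.10", good),
        "forwarded_unchanged": check_spf(fwd_ip, good),
        "forwarded_rewritten": check_spf(fwd_ip, rewritten),
        "isp_relay": check_spf("203.0.113.5", "login@isp.example", header_from=good),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The `isp_relay` case passes even though the "From:" header names goodguy.example.org, because the relay's own domain is in MAIL FROM; catching that header forgery takes a check other than SPF.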
