----- Original Message -----
From: "Alex van den Bogaerdt" <alex(_at_)ergens(_dot_)op(_dot_)het(_dot_)net>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Friday, February 11, 2005 1:19 PM
Subject: Re: [spf-discuss] Handling of -all

The problem of the early adopters is that your sender policy
combined with me blocking "your" message, will actually send
the message to the faked sender, not the real originator, when
a message is being relayed by
- a forwarder
- an ISP's outgoing mail relay
and maybe more.

Example:
-1- bad(_at_)badguy(_dot_)example(_dot_)com pretends to be
good(_at_)goodguy(_dot_)example(_dot_)org
message is sent to someone(_at_)forwarder(_dot_)example(_dot_)net and no SPF is checked.
-2- forwarder.example.net sends the message to
someone(_at_)other(_dot_)example(_dot_)net
and pretends to be good(_at_)goodguy(_dot_)example(_dot_)org
-3- other.example.net does check SPF, finds a -all and rejects.
forwarder.example.net bounces the message to ....

OK, we're right back to the uselessness of forwarding. Forwarding is
*broken*. If you allow standard forwarding, sometimes called "mail
reflection", then there is no way to tell your system from a forger because
you are, in fact, forging the email. This has been broadly allowed up to now
so that the bounces go where they're supposed to, but it means that the
forwarder has to learn how to do SES/SRS and themselves put in significant
spam blocking to get forwarding done safely.

Example 2:
-1- bad(_at_)badguy(_dot_)example(_dot_)com pretends to be
good(_at_)goodguy(_dot_)example(_dot_)org
and connects its machine to some dial-this-expensive-number-and-
get-ip-connectivity provider. It sends its spam to the SMTP
gateway of this provider. No spf checking is done.
-2- This provider tries sending the message, using
good(_at_)goodguy(_dot_)example(_dot_)org as sender address.
Reject, bounce, see -3-

That sender address is irrelevant to SPF. Don't confuse SPF with analyzing
the "From:" line. MAIL FROM is what is relevant, and the SMTP gateway of the
provider normally sets that to spammer-login-name(_at_)ISP-SMTP-server(_dot_)com. If
they're not using something like that, then they're probably an open relay
and should already be in the blacklists.

Now, in many instances, "MAIL FROM" is going to match the outgoing "From:"
line. But it certainly need not, and that's entirely under the control of
the ISP's outgoing SMTP server.
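
Added example (not part of the original message, and not code from any SPF or SRS implementation): a minimal Python sketch of the receiver-side check discussed in this thread, evaluating only the ip4 and all mechanisms against the MAIL FROM domain. The IP ranges, the isp.example domain, the in-memory record table and the SRS tag are constructed assumptions; the rewrite shown only mimics the SRS0 address layout and does not compute a real hash or timestamp.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; IP ranges and isp.example are assumptions.
SPF_RECORDS = {
    "goodguy.example.org": "v=spf1 ip4:192.0.2.0/24 -all",
    "forwarder.example.net": "v=spf1 ip4:198.51.100.0/24 -all",
    "isp.example": "v=spf1 ip4:203.0.113.0/24 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(client_ip, mail_from):
    """Evaluate a minimal SPF subset (ip4, all) for the MAIL FROM domain."""
    domain = mail_from.rsplit("@", 1)[1].lower()
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        # A mechanism without an explicit qualifier defaults to "+".
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if mech == "all":
            return QUALIFIERS[qual]
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:]):
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched

def srs_rewrite(mail_from, forwarder_domain, tag="HHHH=TT"):
    """Simplified SRS0-style rewrite; tag is a placeholder for hash and timestamp."""
    local, domain = mail_from.rsplit("@", 1)
    return f"SRS0={tag}={domain}={local}@{forwarder_domain}"

def receive(client_ip, mail_from, header_from):
    """Receiver decision: the From: header is passed in but never consulted."""
    return check_spf(client_ip, mail_from)

def scenarios():
    good = "good@goodguy.example.org"
    srs = srs_rewrite(good, "forwarder.example.net")
    return {
        "direct from goodguy": receive("192.0.2.10", good, good),
        "forwarded, MAIL FROM unchanged": receive("198.51.100.7", good, good),
        "forwarded, MAIL FROM rewritten": receive("198.51.100.7", srs, good),
        "ISP relay, forged From: header": receive(
            "203.0.113.5", "spammer-login@isp.example", good),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The last scenario passes even though the From: header names goodguy.example.org, because only the MAIL FROM domain's policy is evaluated.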