There is an interesting discussion going on at the SpamCop forum
http://forum.spamcop.net/forums/index.php?showtopic=3675&st=0
I tried to make the point that it is impossible to forge a domain name when
sender and receiver both use SPF, and I challenged anyone to send me an
email at pobox.com with a forged name 'forged at amazon.com'. The email
came through!! At the top was the following header:
Return-Path: <SRS0=ekIn=RC=amazon.com=forged@bounce2.pobox.com>
This is very disturbing. I thought pobox.com would be a fine example of
how to set up a forwarder. If a forwarder doesn't actually do the
authentication, it shouldn't add this header, and most certainly not with a
forged domain name!!
Can anyone suggest a better way to do this demo?
-- Dave
P.S. I checked the SPF records for amazon.com, and they do have a '-all' at
the end.
Here is the telnet session that sent the email:
C:\>telnet mx-pa-1.pobox.com 25
220 gold.pobox.com ESMTP Postfix
ehlo underwood.amazon.com
250-gold.pobox.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250 8BITMIME
mail from: forged<at>amazon.com
250 Ok
rcpt to: dmq<at>pobox.com
250 Ok
data
354 End data with <CR><LF>.<CR><LF>
sent directly by telnetting into pobox.com smtp server using underwood.amazon.com
for ehlo and forged<at>amazon.com for mail from: field, same as example I posted.
.
250 Ok: queued as 741BA5DFD4
quit
221 Bye
*************************************************************
* David MacQuigg, PhD * email: dmq at gain.com
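The scenario in the post, modelled as an added example (this is not code from the post, from pobox.com, or from any SPF library): a forwarder that SRS-rewrites the envelope sender without first checking SPF turns a MAIL FROM that would fail at amazon.com's "-all" into one the final hop evaluates against the forwarder's own bounce domain, where it passes. The SPF records, IP addresses (TEST-NET ranges), SRS secret and the 4-character hash are all constructed stand-ins, and the SPF evaluator handles only ip4 and all mechanisms.

```python
import base64
import hashlib
import hmac
import ipaddress
import re

# Constructed for the demo: TEST-NET addresses and stand-in SPF records,
# not the real amazon.com or pobox.com policies.
SPF_RECORDS = {
    "amazon.com": "v=spf1 ip4:192.0.2.0/24 -all",          # strict, ends in -all as in the post
    "bounce2.pobox.com": "v=spf1 ip4:203.0.113.0/24 -all",  # the forwarder's bounce domain
}
FORWARDER_DOMAIN = "bounce2.pobox.com"
FORWARDER_IP = "203.0.113.10"   # constructed: forwarder's outbound relay
ATTACKER_IP = "198.51.100.7"    # constructed: the host that telnetted in
SRS_SECRET = b"demo-secret"     # constructed: real SRS keys are private


def spf_check(domain, client_ip):
    """Tiny SPF evaluator: ip4 and all mechanisms only, no include/redirect."""
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            continue                          # mechanism not supported here
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"


def srs0_rewrite(sender, timestamp="RC"):
    """SRS0-style rewrite: SRS0=HHHH=TT=orig-domain=orig-local@forwarder.

    The hash is a simplified HMAC-SHA1 truncated to 4 base64 characters.
    """
    local, domain = sender.split("@")
    tag = hmac.new(SRS_SECRET, f"{timestamp}{domain}{local}".lower().encode(),
                   hashlib.sha1).digest()
    h = base64.b64encode(tag)[:4].decode()
    return f"SRS0={h}={timestamp}={domain}={local}@{FORWARDER_DOMAIN}"


SRS0_RE = re.compile(r"^SRS0=[^=]+=[^=]+=(?P<domain>[^=]+)=(?P<local>[^@]+)@(?P<fwd>.+)$")


def srs0_original(addr):
    """Recover the original sender from an SRS0 address, or None if not SRS0."""
    m = SRS0_RE.match(addr)
    return f"{m['local']}@{m['domain']}" if m else None


def forwarder_receive(mail_from, client_ip, check_before_rewrite):
    """Model the forwarder's MAIL FROM handling.

    check_before_rewrite=False is the behaviour the post observed: rewrite and
    relay regardless of SPF. With True, a MAIL FROM whose domain publishes
    -all and does not list the connecting client is rejected at this hop,
    the only hop where the forged domain is still visible to SPF.
    """
    domain = mail_from.split("@")[1]
    if check_before_rewrite and spf_check(domain, client_ip) == "fail":
        return ("reject", f"550 SPF fail for {mail_from} from {client_ip}")
    return ("forward", srs0_rewrite(mail_from))


def final_receiver_check(return_path, client_ip):
    """The final hop can only evaluate the domain it sees in the envelope."""
    return spf_check(return_path.split("@")[1], client_ip)


def demo(check_before_rewrite):
    """Return (forwarder action, detail, SPF result at the final receiver)."""
    action, detail = forwarder_receive("forged@amazon.com", ATTACKER_IP, check_before_rewrite)
    if action == "reject":
        return (action, detail, None)
    return (action, detail, final_receiver_check(detail, FORWARDER_IP))


if __name__ == "__main__":
    print(demo(False))  # forwarded; final hop checks bounce2.pobox.com and gets "pass"
    print(demo(True))   # rejected at the forwarder with an SPF fail for amazon.com
```

Running `demo(False)` reproduces what Dave saw: the SRS0 address carries "amazon.com" only as data inside the local part, so the final receiver's SPF lookup is for bounce2.pobox.com and passes. `demo(True)` shows the order a forwarder needs: evaluate the original MAIL FROM against the connecting client before rewriting, because after the rewrite that information is no longer in the envelope domain.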
-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Read the whitepaper! http://spf.pobox.com/whitepaper.pdf