spf-discuss

RE: Email Forwarder's Protocol ( EFP )

2005-02-23 10:02:55
On Wed, 23 Feb 2005, David MacQuigg wrote:

> OK, I'm motivated. :>)  The problem is the bounces coming from folks who
> are not participating in SPF.  My SPF record doesn't stop them from sending
> me a bounce.  A universally-understood authentication system would end most
> of that "backscatter".

You might be interested in SES as a complement to publishing SPF.
SES signs the return path, allowing you to reject bounces (DSNs) from
a forged return immediately after MAIL FROM at SMTP time.
SES also provides an alternate system for MAIL FROM validation.
It works very synergistically with SPF to get your email to recipients
that have not correctly configured SPF for their forwarders.

This works by publishing an SPF record that lists authorized IPs first,
followed by exists:%l._ses.example.org.  A stunt DNS server for the sender
returns a record when the local part validates, and NXDOMAIN otherwise.
When a non-SRS forwarder delivers the email, and the recipient has neglected to
whitelist said forwarder, then they hit the exists clause and the MAIL FROM
still gets validated.  This makes the combination of SPF + SES very tolerant
of configuration errors.

If you are only interested in rejecting bounces of forged MAIL FROM, then
installing SRS for all outgoing mail accomplishes the same thing and
is much simpler.  SRS is not suitable for validation because there is no
protection for replay attacks.  Replay protection is the primary complication
for SES.

Caveat: SES/SRS can reject actual bounces/DSNs of forged MAIL FROM.
Unfortunately, way too many $^%&$* stupid dumb@$$ Windows spam/virus filter
writers send a reply instead of a DSN (and without checking SPF).  Arrrrgggh.
So you'll still get emails saying, "Our Super WhoopDeDoo Virus filter
for ignorant Windows lusers has detected a virus in your email.  And
even though the email almost certainly didn't come from you, since
viruses/virii never tell the truth in email headers, we'll annoy you
anyway by sending a reply instead of a DSN in the hopes that this display
of our ignorance and incompetence will motivate you to buy our product."

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
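The signed-return-path scheme Stuart describes above, as an added illustration that is not code from the original post or from any SES implementation: the local part of MAIL FROM carries an HMAC tag and a day stamp, the "stunt" DNS server behind `exists:%l._ses.example.org` answers only when that tag validates, and a bounce (MAIL FROM:<>) is accepted at RCPT TO only when its recipient is a return path we actually signed. The `ses=<tag>=<day>=<local>` layout, the secret, the domain and the replay window are assumptions of this example, not the real SES wire format.

```python
import base64
import hashlib
import hmac
import time

# Constructed demo values; a real MTA keeps the key private and picks its own window.
SECRET = b"constructed-demo-key"
DOMAIN = "example.org"
WINDOW_DAYS = 7  # replay protection: signatures older than this are refused

def _tag(local, day):
    """40-bit HMAC over local part and day stamp, base32 so it fits a DNS label."""
    mac = hmac.new(SECRET, f"{local}|{day}".encode(), hashlib.sha1).digest()
    return base64.b32encode(mac[:5]).decode().lower()

def sign_local_part(local, day=None):
    """Rewrite an outgoing local part as a signed envelope sender (assumed layout)."""
    day = int(time.time() // 86400) if day is None else day
    return f"ses={_tag(local, day)}={day}={local}"

def validate_local_part(signed, today=None):
    """Return the original local part if tag and age check out, else None."""
    today = int(time.time() // 86400) if today is None else today
    try:
        prefix, tag, day, local = signed.split("=", 3)
        day = int(day)
    except ValueError:
        return None  # not in our signed layout at all
    if prefix != "ses" or not 0 <= today - day <= WINDOW_DAYS:
        return None  # wrong prefix, future-dated, or outside the replay window
    return local if hmac.compare_digest(tag, _tag(local, day)) else None

def stunt_dns_answer(qname, today=None):
    """Stunt DNS server for the SPF exists:%l._ses.<domain> query:
    True means 'return a record' (pass), False means NXDOMAIN (no match)."""
    suffix = f"._ses.{DOMAIN}"
    if not qname.endswith(suffix):
        return False
    return validate_local_part(qname[: -len(suffix)], today) is not None

def accept_bounce_rcpt(rcpt, today=None):
    """Bounce handling at RCPT TO: accept the DSN only when the recipient is a
    return path we signed, so DSNs for forged MAIL FROM are refused at SMTP time."""
    local, _, domain = rcpt.rpartition("@")
    return domain == DOMAIN and validate_local_part(local, today) is not None
```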