On Sun, 13 Mar 2005, David MacQuigg wrote:

> I guess we shamed them into fixing it :-)
>
> We still can't use them as our shining example, however. I just sent an
> email from forged'at'pobox.com to dmq'at'bmsi.com and it sailed right
> through. Checking pobox's SPF I see:
>
> No valid SPF version 1 records found for pobox.com
>
> I also noticed that amazon.com changed their SPF record from -all to
> ~all. Looks like bmsi is the only domain we can count on to demonstrate SPF.

They have an SPF record, it just defaults to ?all:

2005Mar14 00:04:59 [36716] connect from ip194.subnet71.gci-net.com at ('216.183.71.194', 4190) EXTERNAL
2005Mar14 00:05:20 [36716] hello from mail.pobox.com
2005Mar14 00:05:54 [36716] mail from forged(_at_)pobox(_dot_)com ()
2005Mar14 00:05:55 [36716] Received-SPF: neutral (mail.bmsi.com: 216.183.71.194 is neither permitted nor denied by domain of pobox.com)
2005Mar14 00:07:24 [36716] rcpt to dmq(_at_)bmsi(_dot_)com ()

$ python spf.py pobox.com
v=spf1 mx mx:fallback-relay.%{d} a:webmail.%{d} a:smtp.%{d}
a:outgoing.smtp.%{d} a:discard-reports.%{d} a:discards.%{d}
mx:store.discard.%{d} a:emerald.%{d} redirect=%{l1r+}._at_.%{o}._spf.%{d}

I suspect the reason they default to neutral is so that customers can
put their pobox.com alias as MAIL FROM wherever they send from. However,
this makes it trivial to send forged(_at_)pobox(_dot_)com email to any pobox
customer.

Despite that, at least the SPF part works. You get NEUTRAL for
forged(_at_)pobox(_dot_)com, and FAIL for forgeries of domains with the guts
to publish -all.

If you had been on spf-discuss earlier, you could have witnessed epic arguments
between the "publish -all or SPF is pointless" camp and the "we can't publish
?all or all our customers will leave us because they can't forge mail anymore"
camp - complete with competing definitions of forgery as "moral forgery"
(intent to deceive) or "technical forgery" (the MAIL FROM is not in fact the
actual sending domain). You might want to catch some of it in the archives.

--
Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
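
Added example, not part of the original message and not code from spf.py: a sketch of what decides the SPF result once no a/mx mechanism has matched the connecting client, using the record quoted above. The function names `expand_macros` and `fallthrough` are hypothetical, only the `l`, `o` and `d` macros are handled (rules as standardized in RFC 7208 section 7), and no DNS lookup is made.

```python
import re

# Qualifier of a matching mechanism -> SPF result; a bare "all" means "+all".
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
_MACRO = re.compile(r"%\{([lod])(\d*)(r?)([.\-+,/_=]*)\}|%([%_-])")

# Record quoted in the message above, joined onto one line.
POBOX_RECORD = (
    "v=spf1 mx mx:fallback-relay.%{d} a:webmail.%{d} a:smtp.%{d} "
    "a:outgoing.smtp.%{d} a:discard-reports.%{d} a:discards.%{d} "
    "mx:store.discard.%{d} a:emerald.%{d} redirect=%{l1r+}._at_.%{o}._spf.%{d}"
)


def expand_macros(spec, sender, domain):
    """Expand the l, o and d macros in a domain-spec for one MAIL FROM."""
    local, _, sender_domain = sender.rpartition("@")
    values = {"l": local or "postmaster", "o": sender_domain, "d": domain}

    def repl(m):
        if m.group(5):  # literals: %% -> "%", %_ -> " ", %- -> "%20"
            return {"%": "%", "_": " ", "-": "%20"}[m.group(5)]
        letter, digits, rev, delims = m.group(1, 2, 3, 4)
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter])
        if rev:
            parts.reverse()
        if digits:
            parts = parts[-int(digits):]  # keep the N right-hand parts
        return ".".join(parts)

    return _MACRO.sub(repl, spec)


def fallthrough(record, sender, domain):
    """What decides the result when no a/mx/ip mechanism matched the client."""
    redirect = None
    for term in record.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.I)
        if m:  # "all" always matches; a redirect= is ignored if "all" exists
            return ("result", QUALIFIER_RESULT[m.group(1) or "+"])
        if term.lower().startswith("redirect="):
            redirect = term[len("redirect="):]
    if redirect:
        return ("redirect", expand_macros(redirect, sender, domain))
    return ("result", "neutral")  # neither "all" nor redirect


if __name__ == "__main__":
    print(fallthrough(POBOX_RECORD, "forged@pobox.com", "pobox.com"))
```

For the forged sender the top-level record settles nothing itself: evaluation continues at a per-user name built from the local part, and `%{l1r+}` keeps only the part before any `+` tag.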