spf-discuss

Re: Border Appliances

2005-06-30 15:47:41
On Thu, 30 Jun 2005, Hector Santos wrote:

> With your method, while excellent, you are still able to pass undetected spam to
> users.  Right?

Correct.  With a relaxed SPF result, and not one of the domains
already required to be strict.  You see, there are still users 
on small domains that send mail from laptops at hotels without
SMTP AUTH.  

But here is the next thing I do.  When accepting
a relaxed result, I send a DSN.  If the DSN is not accepted,
I reject the mail.  This weeds out obvious forgeries where the sender
email doesn't even exist.  If the DSN is accepted, I log who I have sent DSNs
to, and send them another one every month to nag them a bit to secure their
system.  Here is the template for the softfail DSN:

Subject: SPF softfail (POSSIBLE FORGERY)

This is an automatically generated Delivery Status Notification.

THIS IS A WARNING MESSAGE ONLY.

YOU DO *NOT* NEED TO RESEND YOUR MESSAGE.

Delivery to the following recipients has been delayed.

       %(rcpt)s

Subject: %(subject)s
Received-SPF: %(spf_result)s

Your sender policy indicated that the above email was likely forged and that
feedback was desired.

If you need further assistance, please do not hesitate to contact me.

Kind regards,

postmaster@%(receiver)s

-- 
              Stuart D. Gathman <stuart@bmsi.com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
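The flow described in the post above, modelled offline as an added example; this is not code from the original post or from Stuart Gathman's milter. It is in Python because the `%(name)s` placeholders in the template are Python %-formatting keys. The strict-domain list, the 30-day nag interval, the `EXISTING_MAILBOXES` table, the `fake_send_dsn` transport stub and all class and function names are assumptions, as is the reading that a sender who was verified within the last month is accepted without a fresh DSN.

```python
import datetime

# Template copied from the post; rendered with Python %-formatting.
SOFTFAIL_DSN_TEMPLATE = """\
Subject: SPF softfail (POSSIBLE FORGERY)

This is an automatically generated Delivery Status Notification.

THIS IS A WARNING MESSAGE ONLY.

YOU DO *NOT* NEED TO RESEND YOUR MESSAGE.

Delivery to the following recipients has been delayed.

       %(rcpt)s

Subject: %(subject)s
Received-SPF: %(spf_result)s

Your sender policy indicated that the above email was likely forged and that
feedback was desired.

If you need further assistance, please do not hesitate to contact me.

Kind regards,

postmaster@%(receiver)s
"""

NAG_INTERVAL = datetime.timedelta(days=30)   # "every month"; 30 days is assumed

# Assumed sample of domains the site already requires to be strict: a
# softfail from one of these is rejected outright instead of being probed.
STRICT_DOMAINS = {"bank.example", "payroll.example"}

# Constructed stand-in for the remote side: which sender mailboxes exist.
EXISTING_MAILBOXES = {"alice@laptop.example", "bob@smallco.example"}
SENT_DSNS = []   # (sender, dsn text) pairs the stub "delivered"


def fake_send_dsn(sender, dsn_text):
    """Transport stub: True if the sender's mailbox accepted the DSN."""
    if sender not in EXISTING_MAILBOXES:
        return False
    SENT_DSNS.append((sender, dsn_text))
    return True


def render_softfail_dsn(rcpt, subject, spf_result, receiver):
    """Fill the template with what the receiving MTA knows at DATA time."""
    return SOFTFAIL_DSN_TEMPLATE % {
        "rcpt": rcpt, "subject": subject,
        "spf_result": spf_result, "receiver": receiver,
    }


class SoftfailVerifier:
    """Applies the post's policy to one message at a time.

    send_dsn(sender, text) -> bool delivers the DSN and reports whether the
    sender's MX accepted it. sent_log maps sender address -> date of the
    last DSN, so the nag goes out monthly rather than on every message.
    """

    def __init__(self, send_dsn, strict_domains=STRICT_DOMAINS):
        self.send_dsn = send_dsn
        self.strict_domains = {d.lower() for d in strict_domains}
        self.sent_log = {}

    def decide(self, spf_result, sender, rcpt, subject, receiver, now):
        """Return 'accept' or 'reject' for a message with this SPF result."""
        if spf_result == "fail":
            return "reject"
        if spf_result != "softfail":
            return "accept"              # pass / neutral / none: relaxed accept
        domain = sender.rpartition("@")[2].lower()
        if domain in self.strict_domains:
            return "reject"              # strict domain: no second chance
        last = self.sent_log.get(sender)
        if last is not None and now - last < NAG_INTERVAL:
            return "accept"              # already verified this month
        dsn = render_softfail_dsn(rcpt, subject, spf_result, receiver)
        if not self.send_dsn(sender, dsn):
            return "reject"              # DSN bounced: sender does not exist
        self.sent_log[sender] = now      # remember, so the next nag waits a month
        return "accept"


if __name__ == "__main__":
    v = SoftfailVerifier(fake_send_dsn)
    today = datetime.date(2005, 6, 30)
    for sender in ("nobody@smallco.example", "alice@laptop.example", "ceo@bank.example"):
        print(sender, "->", v.decide("softfail", sender, "user@mx.example",
                                     "hello", "mx.example", today))
```

The decision order matters: a hard `fail` and a softfail from a domain on the strict list are rejected before any DSN is generated, so the probe (and its backscatter) is only sent for the relaxed case the post is talking about.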

