spf-discuss

Re: Conflict with challenge/response filters

2005-07-05 15:36:35

Gunnar Hjalmarsson wrote:
> To make my mail server SPF compliant, I have it do SRS-rewriting of all
> outgoing envelope-from addresses, using the method described at
> http://srs-socketmap.info/sendmailsrs.htm . In my capacity as server
> admin, possible messages to the domain used for SRS go to me.
>
> Yesterday I received a "spam challenge" message from one of those
> challenge/response filter services, which let me know that the
> [SRS-signed address] address was not whitelisted. The "spam challenge"
> message was sent to the rewritten envelope-from address, not to the
> "From:" address.

C/R systems definitely should not send their challenges to the "From:" 
address.  The use of the envelope sender is as appropriate as it gets (if 
C/R systems can be considered appropriate in the first place).

> The incident made me realize that having all outgoing envelope-from
> addresses rewritten clashes with the challenge/response approach. Not
> that I personally care much about the latter, but some users may
> consider it a problem.
>
> Anybody who knows of a simple solution to this problem?

Stuart suggested one.  I don't know any other simple solution.  The C/R 
system could hold on to the original address embedded in the SRS-encoded 
address instead of treating the SRS address as opaque, but that would 
require the C/R system to support SRS, and also this would open the system 
up to abuse.

C/R systems are bad, period.
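
Added illustration (not part of the original message, and not the code of any SRS implementation): a simplified Python model of an SRS0 address, showing that a party without the forwarder's secret, such as a C/R system, can read the embedded original address but cannot authenticate it. The secret, addresses and timestamp value are constructed, and the hash is a simplified HMAC-SHA1 truncation that is not guaranteed to be byte-compatible with real SRS libraries; timestamp expiry is not modelled.

```python
import base64
import hashlib
import hmac

# Constructed demo secret; in practice only the rewriting forwarder holds it.
SECRET = b"constructed-demo-secret"

def srs_hash(secret, timestamp, host, user, length=4):
    """Truncated HMAC-SHA1 over the embedded fields (simplified model)."""
    msg = (timestamp + host + user).lower().encode()
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    return base64.b64encode(digest).decode()[:length]

def srs0_encode(secret, sender, forwarder, timestamp):
    """Rewrite user@host into SRS0=hash=timestamp=host=user@forwarder."""
    user, host = sender.rsplit("@", 1)
    tag = srs_hash(secret, timestamp, host, user)
    return f"SRS0={tag}={timestamp}={host}={user}@{forwarder}"

def srs0_parse(address):
    """Split an SRS0 address into (hash, timestamp, host, user)."""
    local, _forwarder = address.rsplit("@", 1)
    if local[:5].upper() != "SRS0=":
        raise ValueError("not an SRS0 address")
    fields = local[5:].split("=", 3)  # the user part may itself contain '='
    if len(fields) != 4:
        raise ValueError("malformed SRS0 address")
    return tuple(fields)

def embedded_sender_unverified(address):
    """All a third party without the secret can do: read the fields."""
    _tag, _ts, host, user = srs0_parse(address)
    return f"{user}@{host}"

def embedded_sender_verified(secret, address):
    """What the forwarder can do: return the sender only if the hash matches."""
    tag, ts, host, user = srs0_parse(address)
    expected = srs_hash(secret, ts, host, user)
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    return f"{user}@{host}"

if __name__ == "__main__":
    real = srs0_encode(SECRET, "alice@example.org", "forwarder.example", "GQ")
    forged = "SRS0=AAAA=GQ=example.org=someone-else@forwarder.example"
    for addr in (real, forged):
        print(addr, embedded_sender_unverified(addr),
              embedded_sender_verified(SECRET, addr))
```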