spf-discuss

Re: SPF implementations

2005-08-12 17:17:00
...... Original Message .......
On Fri, 12 Aug 2005 14:56:05 -0700 Dennis Willson <taz(_at_)taz-mania(_dot_)com> wrote:

I have been using an application called XWall. It's a Spam filter and
smart host for use with Microsoft Exchange. Overall it's a very
impressive and useful program. I recently upgraded to their newer
version that has SPF support. After using it for a while I discovered I
would like to be able to configure a couple of things and I was
surprised at their response.

1. They only look at the HELO/EHLO when the "Mail From:" is <>.
Shouldn't it always look at HELO/EHLO? Or at least be a selectable
parameter?

For a long time this is what the specs suggested.  Currently doing it all
the time is optional.  Either approach is compliant.

2. I asked for a configuration option to look at the "From" address and
not just the <return-path>. They said they couldn't because looking at
the "From" address requires a license from Microsoft. I couldn't find
anything that would indicate that to be true. I know that SenderID in
whole may... but just looking at the "From" address???? Does anyone know
the answer to this?

SPF is designed to look at Mail From.  Not the From in the body.  Sender ID
attempts to deal with the body, including From.  Whether or not a license
would be required is a question for lawyers.  IANAL.

The reason I would like to use the "From" address is that I and a number
of my users have received email with the <return-path> set to a domain
that has a valid SPF record, but the "From" address was PayPal.com and so
it went right on through. When it reached the end user it clearly said it
was from PayPal.com in the email client (Outlook) but it actually was not
but you had to view the headers to tell (my end users are NOT going to do
that). SPF loses a LOT of its usefulness if it can't be used to detect
spoofed addresses. I have another system for my home email server that
uses SPF and it looks at both the <return-path> AND the "From" address
and it works really well at keeping spoofed addresses that have SPF
records away from the users. Isn't using SPF on the "From" address an
acceptable use of SPF?

I see these too.  I've been thinking about how to deal with this, but 
simply applying an SPF record to From is fraught with difficulty and 
outside the scope of the design.  Expect roughly a 20% false positive rate.

What implementation are you using at home?

SPF is actually working here.  It used to be that the Mail From would have 
been forged too.

Scott K
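
Added example, not part of the original message and not code from XWall or any SPF library: a receiver-side check that compares the envelope sender domain (the identity SPF evaluates) with the header From domain (the one the mail client displays), which is the gap discussed in this thread. It assumes the receiving MTA recorded MAIL FROM in a Return-Path header; the function names and the four sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or None."""
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return None  # covers the null sender "<>" and malformed values
    return addr.rsplit("@", 1)[1].rstrip(".").lower()


def check_alignment(raw_message):
    """Compare the SPF-checked identity with the identity the user sees."""
    msg = message_from_string(raw_message)
    env = domain_of(msg.get("Return-Path"))  # envelope MAIL FROM (assumed recorded here)
    frm = domain_of(msg.get("From"))         # header From shown by the mail client
    if env is None:
        verdict = "null-sender"  # MAIL FROM is <>: SPF falls back to HELO/EHLO
    elif frm is None:
        verdict = "no-from"
    elif env == frm:
        verdict = "aligned"
    else:
        verdict = "mismatch"     # an SPF pass says nothing about the displayed From
    return env, frm, verdict


def make(return_path, from_header):
    """Build a minimal constructed message for the samples below."""
    return (f"Return-Path: {return_path}\nFrom: {from_header}\n"
            "Subject: test\n\nbody\n")


# Constructed samples: a spoof like the one described above, ordinary
# mailing-list mail, direct mail, and a bounce with the null sender.
SAMPLES = {
    "spoof": make("<bounce@bulk-sender.example>", '"PayPal" <service@paypal.com>'),
    "list": make("<list-bounces@lists.example.org>", "Alice <alice@example.net>"),
    "direct": make("<alice@example.net>", "Alice <alice@example.net>"),
    "bounce": make("<>", "MAILER-DAEMON@mx.example.net"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, check_alignment(raw))
```

The spoofed message and the legitimate mailing-list message both come back as "mismatch", which is why a strict From comparison produces false positives on ordinary mail.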


  • Re: SPF implementations, Scott Kitterman <=