spf-discuss

Re: SPF implementations

2005-08-14 10:05:25

Dennis Willson wrote:

> I have been using an application called XWall. It's a Spam filter and
> smart host for use with Microsoft Exchange. Overall it's a very
> impressive and useful program. I recently upgraded to their newer
> version that has SPF support. After using it for a while I discovered I
> would like to be able to configure a couple of things and I was
> surprised at their response.
>
> 1. They only look at the HELO/EHLO when the "Mail From:" is <>.
> Shouldn't it always look at HELO/EHLO? Or at least be a selectable
> parameter?

The switch to HELO checking when Mail From: is not <> is fairly
recent. Not all vendors have caught up with it yet. Mail From: has
always been the primary target anyway.

> 2. I asked for a configuration option to look at the "From" address and
> not just the <return-path>. They said they couldn't because looking at
> the "From" address requires a license from Microsoft. I couldn't find
> anything that would indicate that to be true. I know that SenderID in
> whole may... but just looking at the "From" address???? Does anyone know
> the answer to this?

The answer to this is to flag messages when MAIL From: and From: do not
match. Simply put, checking From: within the context of SPF _is_ error
prone and potentially covered by Microsoft's PRA patent.

> The reason I would like to use the "From" address is that I and a number
> of my users have received email with the <return-path> set to a domain
> that has a valid SPF record, but the "From" address was PayPal.com and
> so it went right on through. When it reached the end user it clearly
> said it was from PayPal.com in the email client (Outlook) but it
> actually was not but you had to view the headers to tell (my end users
> are NOT going to do that). SPF loses a LOT of its usefulness if it can't
> be used to detect spoofed addresses. I have another system for my home
> email server that uses SPF and it looks at both the <return-path> AND
> the "From" address and it works really well at keeping spoofed addresses
> that have SPF records away from the users. Isn't using SPF on the "From"
> address an acceptable use of SPF?

Not really. It is error prone to a point that makes it nearly unusable
for rejects. The main thing to do is to flag mismatches (I believe
Outlook supports a number of X-Headers that can be used for such?)
to let your users know that something may be wrong.

If you are in doubt as to the reliability of From: checking, check the
From: and IP source of your own message to the list against your SPF
record.

- --
Daniel Taylor          VP Operations            Vocal Laboratories, Inc.
dtaylor(_at_)vocalabs(_dot_)com   http://www.vocalabs.com/        
(952)941-6580x203
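
The flagging approach suggested in the reply above, as an added example (not part of the original post and not XWall's code): it compares the envelope MAIL FROM domain that SPF evaluated with the From: header domain and adds a header on mismatch instead of rejecting. The header name `X-Sender-Mismatch`, the function names and the sample message are constructed for illustration; domains count as related when one is a subdomain of the other, with no public-suffix list.

```python
from email import message_from_string
from email.utils import parseaddr

FLAG_HEADER = "X-Sender-Mismatch"  # hypothetical header name, not a standard

# Constructed sample: From: shows paypal.com, as in the scenario in the thread.
SAMPLE = (
    "From: PayPal <service@paypal.com>\n"
    "To: user@example.org\n"
    "X-Sender-Mismatch: no\n"   # forged flag injected by the sender
    "Subject: Account notice\n\n"
    "Body\n"
)

def domain_of(addr):
    """Lower-cased domain of an address; '' for <> or anything unparsable."""
    _, email_addr = parseaddr(addr or "")
    if "@" not in email_addr:
        return ""
    return email_addr.rpartition("@")[2].lower().rstrip(".")

def related(a, b):
    """Equal, or one is a subdomain of the other (bounce subdomains are common)."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def flag_mismatch(raw, mail_from):
    """Return the parsed message, flagged if envelope sender and From: differ.

    mail_from is the SMTP MAIL FROM value the SPF check was run against.
    """
    msg = message_from_string(raw)
    del msg[FLAG_HEADER]  # drop any copy of the flag supplied by the sender
    froms = msg.get_all("From") or []
    env = domain_of(mail_from)
    hdr = domain_of(froms[0]) if len(froms) == 1 else ""
    if not env:
        verdict = "none (null envelope sender)"  # bounce: SPF used HELO instead
    elif not hdr:
        verdict = "yes (missing, repeated or unparsable From:)"
    elif related(env, hdr):
        verdict = None  # consistent, leave the message unflagged
    else:
        verdict = f"yes (envelope={env}; from={hdr})"
    if verdict:
        msg[FLAG_HEADER] = verdict
    return msg
```

A mail client rule or downstream filter can then act on the flag, which keeps the decision advisory rather than a reject.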