spf-discuss

unauthorized forwarders and dual DSNs

2005-08-15 17:35:35
I have encountered a forwarding problem that is *not* the receiver's fault.
CompanyA (my client) has a customer: CompanyB.  CompanyB uses efax.com
to receive faxes instead of having their own fax line.  So far, so good.
CompanyB finds that CompanyA, as their exclusive import agent, needs a copy 
of every fax they receive.  So, they make their efax.com mailbox destination
into an alias that relays all faxes (and the marketing spam that pays
for the free efax.com account) to CompanyA.  Clearly, CompanyB is
out of line, but CompanyA wants to remain their exclusive import
agent - so we have to live with their behaviour.

It so happens that efax.com does not have an SPF record, so I can include
CompanyB in the proxy SPF record we supply for efax.com.  However, should
efax.com ever decide to publish an SPF record with -all, then the faxes
will no longer be delivered to CompanyA.  CompanyB will still have a
copy - but they will never see the rejections, unless they see it in their
email logs.  Unlikely, given their unfriendly email behaviour.

I will be able to solve this by adding efax.com to my list of
domains to "treat fail like softfail".  However, the DSN complaining
about the error (before accepting the fax emails) will be sent to the alleged
sender.  In this case, however, it ought to go to 
postmaster@HELO.domain.

But perhaps I should always send a copy of such DSNs to the HELO domain.
If they are a spammer, I don't mind annoying them.  If they are a
legit sender trying to use another domain in MAIL FROM, they need to
know that they need to contact the domain owner to have their use
of the domain authorized.  So the new algorithm for softfail
(and fail treated as softfail) would be:

  1. check if HELO is authorized or blocked by SPF
  2. if not, check if HELO is authorized or blocked by CSA
  3. check if HELO is at least RFC compliant 
  4. if not, REJECT
  5. if HELO is authorized or RFC compliant, send DSN to
     postmaster@HELO.domain.  If DSN is rejected, REJECT
  6. then send DSN to MAIL FROM.  If DSN is rejected, REJECT.
  7. if both HELO and MAIL FROM accept DSN complaining about
     SPF fail/softfail, accept message.
     (DSN success is cached to rate limit sending of DSNs)

What do you all think?

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
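
The seven-step softfail handling proposed in the message above, as an added Python example that is not part of the original post. The 'pass'/'fail'/'none' result strings, the `send_dsn` callback, the 24-hour cache lifetime and rejecting a HELO that SPF or CSA blocks are assumptions; the HELO syntax check is a simplified reading of the RFC requirement.

```python
import re
import time

# Simplified HELO syntax check: a dotted FQDN or an IPv4 address literal.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_FQDN = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")
_LITERAL = re.compile(r"^\[\d{1,3}(?:\.\d{1,3}){3}\]$")
DSN_CACHE_TTL = 24 * 3600  # assumed lifetime; the post gives no interval


def helo_is_rfc_compliant(helo):
    return bool(_FQDN.match(helo) or _LITERAL.match(helo))


def deliver_dsn(rcpt, send_dsn, cache, now):
    """Send a DSN unless one was accepted recently; True if accepted."""
    key = rcpt.lower()
    last_ok = cache.get(key)
    if last_ok is not None and now - last_ok < DSN_CACHE_TTL:
        return True          # cached success: rate limit, do not resend
    if send_dsn(rcpt):
        cache[key] = now     # only successes are cached
        return True
    return False


def softfail_policy(helo, mail_from, helo_spf, helo_csa, send_dsn, cache, now=None):
    """Return 'ACCEPT' or 'REJECT' for a message whose MAIL FROM got SPF
    softfail (or fail treated as softfail). Assumes a non-empty MAIL FROM.
    helo_spf / helo_csa: 'pass', 'fail' or 'none' for the HELO name.
    send_dsn(rcpt) -> bool: True if the DSN to rcpt was accepted.
    """
    now = time.time() if now is None else now
    verdict = helo_spf if helo_spf != "none" else helo_csa      # steps 1-2
    if verdict == "fail":
        return "REJECT"      # assumption: a HELO blocked by SPF/CSA is refused
    if verdict != "pass" and not helo_is_rfc_compliant(helo):   # steps 3-4
        return "REJECT"
    if not deliver_dsn(f"postmaster@{helo}", send_dsn, cache, now):  # step 5
        return "REJECT"
    if not deliver_dsn(mail_from, send_dsn, cache, now):             # step 6
        return "REJECT"
    return "ACCEPT"                                                  # step 7


if __name__ == "__main__":
    # Constructed input: unlisted forwarder HELO, both DSN recipients accept.
    print(softfail_policy("mail.companyb.example", "fax@efax.example",
                          "none", "none", lambda rcpt: True, {}))
```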