Well, I must say that if all someone has to do is make the <return-path> and the From addresses different to spoof my (or an
incoming) domain, then I don't see any usefulness in SPF. What's the point if it's that easy to get around? I get a lot of email
where the <return-path> and the From addresses are different; not spam, real email my users and I want. If I flagged when the
<return-path> and From addresses are different, a good percentage would be marked, and users would quickly ignore (and complain about) that
flag (I tried it already).
While I can justify and live with the forwarding issue everyone is always
arguing about, this issue looks like a show stopper to me.
Can someone explain why this isn't a big hole? Why shouldn't I just stop using SPF because it obviously (to me) does not have the
ability to do as advertised (stop domain spoofing)?
Frank Ellermann wrote:
Dennis Willson wrote:
Isn't using SPF on the "From" address an acceptable use of
SPF?
It's NOT RECOMMENDED in the spec., because it won't work in
many cases. E.g. this reply should have From: nobody(_at_)xyzzy,
and you'd get a FAIL if you test it, because my sender policy
doesn't cover the IPs of this mailing list.
If you take the Return-Path (v2.listbox) you'd get a PASS.
Sender-ID would pick the Sender instead of the From, that
happens to be the same as the Return-Path for this mailing
list, and therefore it should also work.
The serious trouble starts if From, Sender, and Return-Path
are all different. Or if From and Return-Path are different,
and there is no Sender. If you then pick whatever you like
and test it against v=spf1 you'd get wrong results. Often
it will _apparently_ work - you'd catch that PayPal phish -
but not generally, you'd delete legit mails together with
the phishing crap => NOT RECOMMENDED.
Bye, Frank
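As an added illustration that is not part of this thread, here is a small Python SPF evaluator (ip4 mechanisms and `all` only, no DNS) run against constructed records for Frank's list-relay case: the same message gets PASS when the Return-Path domain is checked and FAIL when the From domain is checked. The domains, IPs and records are made up for the example.

```python
import ipaddress

# Constructed sample sender policies (v=spf1 records), keyed by domain.
# Illustrative only: not the real records of any domain or list.
POLICIES = {
    "xyzzy.example": "v=spf1 ip4:192.0.2.10 -all",
    "v2.listbox.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

def evaluate_spf(domain, client_ip, policies=POLICIES):
    """Evaluate a v=spf1 record for one identity domain.

    Only ip4 mechanisms and 'all' are supported (no DNS lookups), which is
    enough to show the Return-Path vs From problem. Returns one of
    'pass', 'fail', 'softfail', 'neutral', 'none'.
    """
    record = policies.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in results else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return results[qualifier]
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return results[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term

def check_message(headers, client_ip):
    """Run the same SPF check against the Return-Path (envelope) domain and
    the header From domain so the two outcomes can be compared side by side."""
    def domain_of(addr):
        return addr.rsplit("@", 1)[1].strip(">").lower()
    return {
        "return_path": evaluate_spf(domain_of(headers["Return-Path"]), client_ip),
        "from": evaluate_spf(domain_of(headers["From"]), client_ip),
    }

# Constructed message: a list member's reply relayed by the list server,
# which connects from 198.51.100.7 (an IP covered only by the list's policy).
LIST_RELAYED = {
    "Return-Path": "<spf-discuss-bounces@v2.listbox.example>",
    "From": "nobody@xyzzy.example",
}

if __name__ == "__main__":
    print(check_message(LIST_RELAYED, "198.51.100.7"))
    # → {'return_path': 'pass', 'from': 'fail'}
```

Run the same check with the author's own IP (192.0.2.10) and the results flip, which is why the spec ties SPF to the envelope identity rather than the From header.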
-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/