spf-discuss

Re: Re: SPF implementations

2005-08-16 10:59:56
On Tue, 16 Aug 2005, Dennis Willson wrote:

> Well I must say that if all someone has to do is make the <return-path> and
> the From addresses different to spoof my (or an incoming) domain, then I
> don't see any usefulness in SPF. What's the point if it's that easy to get
> around? I get a lot of email where the <return-path> and the from addresses

SPF authenticates MAIL FROM and HELO.  If you don't care about MAIL FROM or
HELO, then indeed, SPF is useless to you.  

Here are some reasons why you perhaps should be more interested in MAIL FROM:

o You are probably not interested in MAIL FROM because your Mail User Agent
doesn't see fit to display it for you.  My MUA (Pine) *does* show me
Return-Path, and so I find SPF very useful when judging an email.  Note
that PRA is not displayed in any current mail clients either.  New SES
and DKIM do what you want, but are not widely deployed.

o SPF and MAIL FROM (and HELO) are very useful for whitelisting and
blacklisting senders.  When you whitelist a sender, you don't want to whitelist
forgeries.  When you blacklist a sender, you want to make sure it wasn't forged
first.

> Can someone explain why this isn't a big hole? Why I shouldn't just stop

Because SPF is not supposed to validate rfc2822 headers.  There are 
other protocols in the works for that.

> using SPF because it obviously (to me) does not have the ability to do as
> advertised (stop domain spoofing)?

It stops MAIL FROM and HELO domain spoofing as advertised.  It never
claimed to stop 2822 header spoofing.  Perhaps you have SPF
confused with Sender-ID?  (NOTE: Sender-ID claims to stop
2822 domain spoofing, but fails miserably.  Look at DKIM
or new SES for 2822 protection.)

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
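As an added example that is not part of the original thread: a minimal SPF evaluator over constructed records (ip4, include and all terms only; real SPF also has a, mx, ptr, exists, redirect, macros and live DNS) showing that the check runs on HELO and MAIL FROM, leaves the RFC 2822 From: header untouched, and which domain a pass actually vouches for when whitelisting. The domains, IPs and records are constructed, not real.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (not real domains).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 -all",
    "mailhost.example": "v=spf1 ip4:198.51.100.10 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, depth=0):
    """Evaluate an SPF record for the connecting IP (ip4, include and all only)."""
    record = SPF_RECORDS.get(domain)
    if record is None or depth > 10:       # no record (or include loop): no result
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:        # skip the "v=spf1" version tag
        qual, term = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if term == "all":
            return QUALIFIERS[qual]
        if term.startswith("ip4:") and addr in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIERS[qual]
        if term.startswith("include:") and check_host(ip, term[8:], depth + 1) == "pass":
            return QUALIFIERS[qual]
    return "neutral"                       # no term matched and no "all" present

def spf_session(client_ip, helo, mail_from, header_from):
    """Run SPF on the two identities it covers; the RFC 2822 From: header is
    carried along untouched to make clear that SPF never inspects it."""
    # An empty MAIL FROM (<>, bounces) falls back to the HELO identity.
    mail_from_domain = mail_from.rpartition("@")[2] if mail_from else helo
    return {
        "helo": check_host(client_ip, helo),
        "helo_domain": helo,
        "mailfrom": check_host(client_ip, mail_from_domain),
        "mailfrom_domain": mail_from_domain,
        "header_from": header_from,        # reported, never evaluated
    }

def authenticated_domain(result):
    """Domain SPF actually vouched for: the only safe key for white/blacklists."""
    if result["mailfrom"] == "pass":
        return result["mailfrom_domain"]
    if result["helo"] == "pass":
        return result["helo_domain"]
    return None

if __name__ == "__main__":
    # The thread's scenario: HELO and MAIL FROM belong to the sending host, From: names another domain.
    print(spf_session("198.51.100.10", "mailhost.example", "bounce@mailhost.example", "ceo@example.com"))
```

The printed session passes SPF for mailhost.example while the From: header says example.com, which is exactly the behaviour the thread describes: the pass vouches for the envelope domain, so that is the domain to whitelist or blacklist on.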

