
RE: possibilities for 2822 (was SPF implementations)

2005-08-17 14:13:34
From: Scott Kitterman [mailto:spf2(_at_)kitterman(_dot_)com]
Sent: Wednesday, August 17, 2005 2:47 PM

> <...>
>
> I had been thinking along these lines too.  The problem is that any
> proper mailing list will fail this test.

I don't agree on this point.  The normal behavior for a mailing list is to
keep the From: address intact as received, add the "list owner" address as
Sender: and use a VERP address from the same domain as return-path.  They
don't all do it, but most do and they all should.  I'm not aware of any
major packages that are incapable of this behavior.  That doesn't mean they
don't exist, just that I'm unaware of them.



> While Mail From: checking and how it works is pretty well a done deal,
> we still have the potential to add new modifiers to SPF records in order
> to deal with new situations.
>
> IIRC, Mail From == From ~ 80% of the time and so if you've checked one,
> you've checked the other.

That's right.



> Most of the legit messages out of the remaining 20% are from mailing
> lists.  I'm interested in input on other legit sources.  The question is
> how to deal with this 20%.
>
> One chunk of illegit messages in the 20% are phishers who use one Mail
> From to get past SPF and another From: to pretend to be somebody.

That's the limitation of checking only MAIL FROM, which most MUA's don't
display.



> Now it seems to me that the exact domains that are primary phishing
> targets (e.g. ebay, paypal, banks) are exactly the ones that don't really
> care if their messages survive mailing lists.
>
> So my thought is that if we have a message that has survived our SPF
> checking and we go to data, we check to see if From: == Mail From:.  If
> it does, cool.  If not, we have to decide what to do....

So far, so good.  But it's not just phishing, there are also joe-jobs.



> So I'm thinking that we invent a new modifier called 'from='.  BTW, I
> think someone else has suggested this before, so I make no claim of
> originality here.  The idea is that you look for an SPF record in the
> domain of the From:.  If there is no record or if it's a regular SPF
> record, then you move on.  If the record has a 'From=' modifier in it,
> then we know that the domain owner has made a statement that only
> messages that have a Mail From: == From: are legit.  I would limit this
> to the domain part since that's what SPF is designed to do.

That's an interesting idea.  I think it has the same weakness with mailing
lists that you were concerned with above.  If you post to any mailing lists,
there will be messages going out to all list recipients that have your
domain in the From: and the list domain in MAIL FROM.  This means that if
you post to any mailing lists, you _cannot_ use the 'from=' modifier, or any
list recipients that check SPF will fail your posts.  For people that own
domains that are not valuable for phishing, but still want protection
against forgery, this is a problem.  It forces you to choose between
joe-jobs with your domain name that pass SPF or the ability to post to
mailing lists.

That is the exact purpose of the Sender: header.  It is when someone else
sends a message that they did not author, but they want to show the author
in From:.

--

Seth Goodman
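The check that Scott sketches above (compare the From: domain with the MAIL FROM domain after the envelope has passed SPF, and only treat a mismatch as a failure when the From: domain publishes the proposed 'from=' modifier), written out as an added example that is not code from either poster or from any SPF implementation. The 'from=' modifier is hypothetical, exactly as the thread proposes it; the SPF_RECORDS table is a constructed stand-in for DNS TXT lookups, and the domains and addresses are made up. The third case in main() reproduces Seth's objection: a domain that publishes 'from=' and whose users post to a mailing list gets its list copies rejected, Sender: header or not.

```python
from email.utils import parseaddr

# Constructed SPF records keyed by domain; a real implementation would
# query DNS TXT records instead.  'from=strict' is the hypothetical
# modifier proposed in the thread, not part of the SPF specification.
SPF_RECORDS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 from=strict -all",
    "lists.example": "v=spf1 ip4:198.51.100.5 -all",
    "alice.example": "v=spf1 ip4:203.0.113.7 -all",
}


def lookup_spf(domain):
    """Return the SPF record text for a domain, or None (constructed lookup)."""
    return SPF_RECORDS.get(domain.lower())


def has_from_modifier(record):
    """True if an SPF record carries the proposed 'from=' modifier."""
    if not record:
        return False
    return any(term.lower().startswith("from=") for term in record.split())


def domain_of(address):
    """Domain part of an address or header value, lower-cased, or None."""
    _, addr = parseaddr(address or "")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def evaluate_from_policy(mail_from, headers):
    """
    Apply the proposed From:/MAIL FROM comparison to a message whose
    envelope sender has already passed a normal SPF check.

    headers maps header names to values.  Returns:
      "pass"    - From: domain equals the MAIL FROM domain
      "neutral" - domains differ, but the From: domain publishes no 'from='
                  policy (or a domain could not be parsed), so move on
      "fail"    - From: domain publishes 'from=' and the domains differ
    """
    env_domain = domain_of(mail_from)
    from_domain = domain_of(headers.get("From"))
    if env_domain is None or from_domain is None:
        return "neutral"
    if env_domain == from_domain:
        return "pass"
    if has_from_modifier(lookup_spf(from_domain)):
        return "fail"
    return "neutral"


def looks_like_list_relay(headers):
    """
    True when a Sender: header names a different domain than From:, the
    pattern a mailing list produces when it resends someone else's post.
    The 'from=' policy above ignores this, which is the objection raised
    in the reply.
    """
    sender_domain = domain_of(headers.get("Sender"))
    from_domain = domain_of(headers.get("From"))
    return sender_domain is not None and sender_domain != from_domain


def main():
    # 1. Ordinary mail: envelope and header domains agree.
    print(evaluate_from_policy("alerts@bank.example",
                               {"From": "alerts@bank.example"}))
    # 2. Forged From: on an envelope from an unrelated domain.
    print(evaluate_from_policy("bounce@other.example",
                               {"From": "alerts@bank.example"}))
    # 3. A bank.example user posting to a list: the list's VERP return-path
    #    and Sender: are legitimate, yet the 'from=' policy rejects it.
    list_copy = {"From": "staff@bank.example", "Sender": "owner@lists.example"}
    print(evaluate_from_policy("bounces@lists.example", list_copy),
          looks_like_list_relay(list_copy))


if __name__ == "__main__":
    main()
```

Constructed case 3 is the trade-off Seth describes: publishing 'from=' protects the domain against one class of From: forgery, at the cost of having the domain's own list posts rejected by every recipient that honours the modifier.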