spf-discuss

Re: Recipient Rewriting Scheme

2005-08-17 17:12:03
On Thu, 18 Aug 2005, Alex van den Bogaerdt wrote:

> On Wed, Aug 17, 2005 at 04:20:34PM -0400, Stuart D. Gathman wrote:
>
> > RRS=IHBf67rW=blockbuster.com=user@example.com
> >
> > The hash signature prevents a spammer from sending mail with
> > arbitrary MAIL FROM to RRS=????????=spammer.com=user@example.com.
> > They have to know the secret to generate a valid RRS alias.
> >
> > Now, when email arrives to that address, the SPF check is done against
> > blockbuster.com - even though the MAIL FROM says custhelp.com - and
> > the mail is delivered to user@example.com.  This is a much more
> > controlled workaround than accepting SPF FAIL for custhelp.com - which
> > has a perfectly good SPF record.
>
> Just to make sure: you do not reject on SPF error, right?

Yes I do reject on SPF FAIL.  Otherwise, I needn't bother identifying
forwarders.

> For the archives: the reason I ask is that you do NOT want your
> forwarder to have the mail bounce to the "sender" (thus: the victim).

If it fails SPF, it ain't my forwarder.  That is kind of the whole
point of SPF.  Remember, I am checking the forwarder domain against
SPF - *** NOT the MAIL FROM ***.  That is the whole purpose of RRS:
to extract what the MAIL FROM should have been if the forwarder
were using SRS or the equivalent.

> Should the mail be rejected, the forwarding party cannot deliver
> this message to example.com and if the forwarder didn't check SPF
> itself (most still don't) it will bounce to what the spammer
> used as sender address.

If the connect IP fails SPF against the forwarder domain, then it
isn't the forwarder - it is a spammer.

-- 
              Stuart D. Gathman <stuart@bmsi.com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
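An added example, not code from this thread or from any RRS implementation, showing the alias mechanism Stuart describes: a keyed tag binds the forwarder domain to the real recipient, so a receiver can recover the forwarder domain to run SPF against, while an alias with an unknown or forged tag is refused. The tag algorithm (HMAC-SHA1 keyed with a site secret, truncated to 8 base64 characters, the width of the tag in the thread's example) and the secret value are assumptions.

```python
# Added example (not from the original post or from any RRS implementation).
# Alias format as shown in the thread:
#   RRS=<tag>=<forwarder-domain>=<local-user>@<our-domain>
# Assumption: tag = first 8 base64 chars of HMAC-SHA1(secret, "forwarder=user").
import base64
import hashlib
import hmac

SECRET = b"constructed-site-secret"   # assumption: per-site secret, constructed here
TAG_LEN = 8                            # width of "IHBf67rW" in the thread's example

def _tag(forwarder: str, user: str, secret: bytes) -> str:
    # Lower-case both parts so the tag does not depend on address case.
    msg = f"{forwarder.lower()}={user.lower()}".encode()
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    return base64.b64encode(digest).decode()[:TAG_LEN]

def make_rrs(forwarder: str, user: str, our_domain: str, secret: bytes = SECRET) -> str:
    """Build the alias handed to one forwarder (e.g. blockbuster.com)."""
    return f"RRS={_tag(forwarder, user, secret)}={forwarder}={user}@{our_domain}"

def parse_rrs(rcpt: str, secret: bytes = SECRET):
    """Return (forwarder_domain, real_recipient) for a validly tagged alias.

    forwarder_domain is what the SPF check is run against instead of the
    MAIL FROM domain.  Returns None for a non-RRS address or a tag that does
    not verify, so an attacker who does not hold the secret cannot pick the
    domain the receiver checks."""
    local, sep, our_domain = rcpt.rpartition("@")
    if not sep:
        return None
    parts = local.split("=", 3)          # user may itself contain '='
    if len(parts) != 4 or parts[0] != "RRS":
        return None
    _, tag, forwarder, user = parts
    if not forwarder or not user or len(tag) != TAG_LEN:
        return None
    expected = _tag(forwarder, user, secret)
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return forwarder, f"{user}@{our_domain}"
```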

