spf-discuss

RE: The problems with SPF

2005-08-26 02:34:28
-----Original Message-----
From: Alex van den Bogaerdt

- Doesn't always guarantee the address is correct... Phishing attacks
can gain a pass by publishing SPF for their domain, but use different
headers which will then be displayed in a standard e-mail client such
as Outlook.

That is correct.  First things first; SPF works on the envelope.

If a mail client is foolish enough to verify the envelope and then present
the result as if the body was checked, that is a problem in that client, not
in SPF.

But would the majority of e-mail clients in operation today show the incorrect
from address in a case of a forged address (where the spammer/phisher has SPF
for his envelope address but then alters the headers)?


- Only useful for FALSE results - i.e.: the sender is forged?
So if a phisher publishes valid SPF for his domains he can gain a
pass... I suppose this is a benefit in that it is easier to
blacklist said spammer.

A PASS result from a spammer domain is very useful.  Indeed, blacklisting
comes to mind.  PASS does not mean you want to receive an email, it just
means the domain is not forged.

One example of being useful: When a PASS is received, it is OK to send
stuff like out-of-office replies, non-delivery receipts and such. When
a FAIL is received, it is not.

Ok, good point... I can see a good benefit here.



- Forwarding caused problems unless SRS or some other 
re-writing is employed?

Not really.
Forwarding is only a problem when the forwarder forges the "mail from"
domain.  This is under debate very often.  A message _is_ received by
the intended recipient.  If that recipient decides a message should be
routed, it is internal routing (as far as the sender is concerned).
Internal routing should not be subject to SPF checking.  Forwarders
are under control of the recipient, not the sender.  It is the recipient
that should handle this case.

I know there are a lot of arguments around this area, and I must say I do think
it is a problem for the adoption of SPF.



Dan

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
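The envelope-versus-header gap and the PASS/FAIL auto-reply rule discussed in the thread, as an added example that is not part of the list message: it parses a constructed message whose SPF-checked Return-Path domain differs from the From domain a mail client would display, and reports both the mismatch and whether a bounce or out-of-office reply is safe to send. The header names are standard; the sample addresses and the "pass only" auto-reply policy are assumptions.

```python
import email
from email.utils import parseaddr

# Constructed sample: the envelope sender (Return-Path) passes SPF, but the
# header From shown to the user names a different domain.
SAMPLE = """\
Return-Path: <bounce@attacker.example>
Received-SPF: pass (mx.example.net: domain of bounce@attacker.example designates 192.0.2.10 as permitted sender)
From: "Example Bank" <alerts@bank.example>
To: victim@example.net
Subject: Account notice

Body text.
"""


def domain_of(addr):
    """Lower-cased domain part of an e-mail address, or '' if absent."""
    _, address = parseaddr(addr or "")
    return address.rpartition("@")[2].lower()


def spf_result(msg):
    """First token of Received-SPF: pass, fail, softfail, neutral, none, ..."""
    value = msg.get("Received-SPF", "")
    return value.split()[0].lower() if value.strip() else "none"


def analyze(raw):
    """Compare the SPF-checked envelope domain with the displayed From domain."""
    msg = email.message_from_string(raw)
    envelope = domain_of(msg.get("Return-Path", ""))   # what SPF verified
    header = domain_of(msg.get("From", ""))            # what the client displays
    result = spf_result(msg)
    return {
        "spf": result,
        "envelope_domain": envelope,
        "header_from_domain": header,
        # A client may only present the SPF result as covering the visible
        # sender when the two domains agree.
        "aligned": bool(envelope) and envelope == header,
        # Assumed policy from the thread: auto-replies (NDRs, out-of-office)
        # only on PASS; FAIL and every other result get none.
        "auto_reply_ok": result == "pass",
    }


if __name__ == "__main__":
    print(analyze(SAMPLE))
```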