On Thu, 22 Sep 2005, Jeremy Doupe wrote:
> johnp wrote:
>> So - if you have an account with this ISP it would appear that you can
>> happily spoof any domain you like, and you don't need a username or
>> password - just pop before smtp (presumably). I suppose the next
>> thing will be complaints from the customer when his mails are rejected
>> by SPF because his ISP is not included in the spf record?
>> Can anyone see anything right about this arrangement - or am I
>> blinkered/stupid?
>
> While not right, I can easily believe it. I recently worked for a CLEC
> that did the same thing - in 32 continental US cities. No pop before
> smtp either. Quite commonplace apparently. As long as you're on that
> company's network, you've got a nice open-relay.

Even more pathetic, the ISP one of my customers just selected had
a big problem with abuse of their open relay as you describe. Did
they install SMTP AUTH? No sir. They turned off their relay entirely,
*and* block outgoing 25. Their install instructions say that if you want to
send email from your own domain, you have to use a 3rd party relay.
(They provide a mail hosting service on their own domain with pop/imap.)
And this is supposed to be a business account.
Arrgh. I'll argue with them and see if I can get them to allow
outgoing 25 from my customer's mail server. Commercial SMTP relays that
prevent cross-customer forgery are nonexistent, or very hard to find.
--
Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
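
An added example, not part of the original message: a minimal Python evaluator for a subset of SPF (`ip4`, `include`, `all`) showing the rejection johnp anticipates when mail leaves through an ISP relay the domain's record does not list, and that listing the relay authorizes the relay's whole address range rather than one customer. The domain names, addresses and TXT records are constructed, and the `TXT` table stands in for DNS.

```python
import ipaddress

# Constructed TXT records standing in for DNS (documentation-range addresses).
TXT = {
    # Domain that lists only its own mail server.
    "customer.example": "v=spf1 ip4:192.0.2.10 -all",
    # Same domain after adding the ISP's relay to the record.
    "customer-fixed.example": "v=spf1 ip4:192.0.2.10 include:relay.isp.example -all",
    # The relay's record covers every host that sends through it.
    "relay.isp.example": "v=spf1 ip4:198.51.100.0/24 -all",
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Evaluate ip4, include and all for a connecting IP and MAIL FROM domain."""
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:  # stop on include loops
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULT else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            return RESULT[qualifier]
        if name == "ip4" and addr in ipaddress.ip_network(arg, strict=False):
            return RESULT[qualifier]
        if name == "include" and check_host(ip, arg, depth + 1) == "pass":
            # include matches only when the nested evaluation returns pass
            return RESULT[qualifier]
    return "neutral"  # nothing matched and the record has no "all"


if __name__ == "__main__":
    cases = [
        ("192.0.2.10", "customer.example"),           # own server
        ("198.51.100.25", "customer.example"),        # forced through ISP relay
        ("198.51.100.25", "customer-fixed.example"),  # relay now listed
        ("198.51.100.77", "customer-fixed.example"),  # any other relay host
    ]
    for ip, domain in cases:
        print(f"{ip:15} {domain:24} {check_host(ip, domain)}")
```

The last case passes because SPF sees only the connecting address and the envelope domain, so whether one relay customer can send as another is decided by the relay's own authentication, not by the SPF record.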