spf-discuss

[spf-discuss] Re: SPF and gateways

2005-09-23 04:21:10
Simon Tyler wrote:

> The only one I have thought of so far is to check the
> Received headers in the message when the message
> arrives at the first SPF aware server and use the IP address
> in the Received header. This would work as long as you trust
> the Received headers and they are well formed. It is not
> nice though.

Yes, not nice, because at this point (behind the AV) you can't
reject FAIL anymore, you can only score (= the polite form of
DROP, not nice for false positives) or bounce... <shudder />

But that's no special SPF-problem, it's the same situation if
you want to use some DNSBLs (and WLs) behind the AV-server:
not nice, as you said.

Actually the AV-server should offer all defenses working only
at the border-MX, not limited to SPF.

> A second (non-technical) solution would be to adjust MX
> records. Most outsourced AV is done by MX records being
> changed to point to the AV gateway which then forwards to
> the real mail server. You could introduce an additional
> SPF gateway before the AV gateway

Yes, but then you have the opposite problem:  Your MXs do
what you want, reject SPF FAIL, reject based on DNSBLs, etc.
(add CSV and MTAMARK here), then it relays the remaining 
crap^Wmails to the AV-server.  What happens if the AV-server
says "bad" ?  How does it do that, do you see a "reject", or
does it silently DROP all identified mail worms (+ phishes),
or does it only tag this crap ?

IMHO this is a technical solution, but don't start to send
bounce messages for AV-identified crap on your side later.

> this is not really a good solution.

You must put your defenses at the border, so either get the
AV-server to do what you want, or do it yourself before the
AV-server.  The latter might be more flexible.  Bye, Frank


-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
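
The Received-header approach proposed in the quoted text, as an added example that is not part of the original thread: walk the headers newest-first, follow the chain only while each hop was written by one of your own relays, and fail closed when a header in that chain is malformed. The relay range, host names and function names are constructed assumptions; the returned address is what a post-gateway SPF check would score against.

```python
import ipaddress
import re
from email import message_from_string

# Constructed values (assumptions): the AV gateway relays from 203.0.113.0/28.
TRUSTED_RELAYS = [ipaddress.ip_network("203.0.113.0/28")]
BRACKETED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def hop_client_ip(received):
    """IP literal from the 'from' clause of one Received header, or None if malformed."""
    text = " ".join(received.split())          # unfold continuation lines
    if not text.lower().startswith("from "):
        return None
    from_clause = re.split(r"\sby\s", text, maxsplit=1)[0]
    found = BRACKETED_IP.findall(from_clause)
    if len(found) != 1:                        # missing or ambiguous address
        return None
    try:
        return ipaddress.ip_address(found[0])
    except ValueError:
        return None

def border_client_ip(raw_message, trusted=TRUSTED_RELAYS):
    """Walk Received headers newest-first; return the first client IP that is
    not one of our relays, or None when the trusted chain cannot be followed."""
    for received in message_from_string(raw_message).get_all("Received", []):
        ip = hop_client_ip(received)
        if ip is None:
            return None                        # fail closed: no SPF verdict
        if not any(ip in net for net in trusted):
            return ip                          # recorded by a hop we trust
    return None                                # only internal hops seen

# Constructed sample message; the third header is sender-controlled and is never read.
SAMPLE = (
    "Received: from av-gw.example.net (av-gw.example.net [203.0.113.5])\r\n"
    "\tby mail.example.org with ESMTP; Fri, 23 Sep 2005 04:00:02 +0000\r\n"
    "Received: from mta.sender.example (mta.sender.example [198.51.100.7])\r\n"
    "\tby av-gw.example.net with ESMTP; Fri, 23 Sep 2005 04:00:01 +0000\r\n"
    "Received: from trusted.example ([192.0.2.99]) by mta.sender.example;\r\n"
    "\tFri, 23 Sep 2005 03:59:59 +0000\r\n"
    "From: someone@sender.example\r\n"
    "\r\n"
    "body\r\n"
)

if __name__ == "__main__":
    print(border_client_ip(SAMPLE))
```
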