spf-discuss

Re: [spf-discuss] Using CBV

2006-02-17 19:29:45
"Hector Santos" <spf-discuss(_at_)winserver(_dot_)com> writes:

> No, during the single and same CBV session to validate the return path, if
> this passes, then another RCPT-TO: is issued.

Okay, maybe this is the confusion...  Does this describe what's
happening?

  - Machine A is sending mail "from" address user(_at_)example(_dot_)com to
    machine B.

  - You check whether example.com is running an open relay.

  - You *don't* explicitly check whether machine A is an open relay.

If that's the case, the check would seem to be of limited utility
unless A also happens to be the mail exchanger for example.com.
But at least the scheme, as I now understand it, doesn't risk loops.

> > I think you should include the IP address of the client that caused
> > the probe, and the possibly forged Mail-From address.  Otherwise, you
> > may know that people are forging mail from you, but have no way of
> > identifying who is doing it.
>
> Hasn't been an issue, David.  But I will take it in for future consideration
> :-)

Well, it's not an issue now because CBV hasn't been that widely
deployed.  If everyone did CBV, it would allow a new kind of
"reflector" attack.  As a precaution it's better not to hide the
identity of the sender from the forgery victim.  Also, of course, you
should never perform CBV when the SPF disposition is Fail.

(Having been the victim of joe-job attacks, this is something I don't
want to make worse than it already is.)

David


-- 
This message was sent from a non-repliable address for a closed mailing list.
If you wish to reply directly to me, you can use the following address, which
expires on 03 Mar 2006:
    
<mazieres-ekf2bakibvjp6hns55b3f4v9hi(_at_)temporary-address(_dot_)scs(_dot_)stanford(_dot_)edu>
