On 02/22/2006 18:54, John Kelly wrote:
On Wed, 22 Feb 2006 18:42 -0500, Scott Kitterman <spf2(_at_)kitterman(_dot_)com> wrote:
If you can explain why problem 2 is so bad, in language a dummy
can understand, maybe I will see the light.
Ironically your original post to the list complaining Frank's message
failed SID tests based on unintended use of his SPF record for SID is an
excellent example of why it is bad.
I looked at the message headers, but I don't understand how the
failure abused his SPF record. I wear so many hats, I don't have time
to analyze and understand it in detail, right now.
But if you want to further explain it, you have my attention.
Your initial post in this thread was:
On Tue, 21 Feb 2006 23:22:03 +0100, Frank Ellermann <nobody[at]xyzzy.claranet.de> wrote:
nobody @ xyzzy ?
Last night I tested sendmail sid-filter and it rejected that mail from
the list as a sender-id failure.
If the SPF mailing list is willing to accept junk like that, I wonder
why they don't add their own headers to provide sender-id compliance.
Funny that.
So, looking for that message, the most likely one I find is actually to the
spf-help list, not this one (if this isn't the exact message, the issues are
the same, but I'm trying to be consistent here):
http://www.gossamer-threads.com/lists/spf/help/26149#26149
The relevant bits (and more) from my copy of that message header...
Return-Path: <listbox+trampoline+1020+1109811+0b184236(_at_)v2(_dot_)listbox(_dot_)com>
Received: from apex.listbox.com (apex.listbox.com [207.8.214.5])
by mailwash7.pair.com (Postfix) with ESMTP id 767F9FA50B
for <spf2(_at_)kitterman(_dot_)com>; Tue, 21 Feb 2006 17:25:46 -0500 (EST)
X-Injected-Via-Gmane: http://gmane.org/
To: spf-help(_at_)v2(_dot_)listbox(_dot_)com
From: Frank Ellermann <nobody(_at_)xyzzy(_dot_)claranet(_dot_)de>
Subject: [spf-help] Re: Please explain
Date: Tue, 21 Feb 2006 23:22:03 +0100
Message-ID: <43FB928B(_dot_)22F9(_at_)xyzzy(_dot_)claranet(_dot_)de>
References:
<20060219011832(_dot_)66907(_dot_)qmail(_at_)web51408(_dot_)mail(_dot_)yahoo(_dot_)com>
<200602201231(_dot_)41073(_dot_)scott(_at_)kitterman(_dot_)com>
<b87f8380e018a9c767d2955a17263461(_at_)mac(_dot_)com>
<1470586b02e2aa5d5808917f0de42594(_at_)mac(_dot_)com>
X-Listbox-UUID: 077E5AD6-A329-11DA-B9E2-A3C6D1A4D48D
Precedence: list
Reply-To: spf-help(_at_)v2(_dot_)listbox(_dot_)com
List-ID: <spf-help(_at_)v2(_dot_)listbox(_dot_)com>
List-Software: listbox.com v2.0
List-Help:
<http://v2.listbox.com/doc/help_sub?list_name=spf-help(_at_)v2(_dot_)listbox(_dot_)com>
List-Subscribe: <mailto:subscribe-spf-help(_at_)v2(_dot_)listbox(_dot_)com>,
<http://v2.listbox.com/subscribe/?listname=spf-help(_at_)v2(_dot_)listbox(_dot_)com>
List-Unsubscribe:
<mailto:unsubscribe-spf-help(_at_)v2(_dot_)listbox(_dot_)com>,
<http://v2.listbox.com/member/unsubscribe/?listname=spf-help(_at_)v2(_dot_)listbox(_dot_)com>
Errors-To:
listbox+trampoline+1020+1109811+0b184236(_at_)v2(_dot_)listbox(_dot_)com
Now, if I take Return-Path as an analog for Mail From and test
listbox+trampoline+1020+1109811+0b184236(_at_)v2(_dot_)listbox(_dot_)com
against IP address 207.8.214.5 using SPF (use your favorite SPF validation
tool; my favorite web-based one, since I did it, is at
http://www.kitterman.com/spf/validate.html), you will find that it yields an
SPF PASS. So, from an SPF perspective, Frank's record should never enter into
the picture.
Now what you did was take Frank's message and apply SID to it. Instead of
getting a correct answer (this is an authorized message from Listbox), you got
an indication that this message was somehow bad, based on a technology that
Frank has never done anything to try and support or be involved in.
What you did NOT find in that message was a Sender header field. If it had
had something like Sender: spf-help(_at_)v2(_dot_)listbox(_dot_)com, then SID
would have used that instead of Frank's From: and all would be well. The
problem with this
approach is that there is no RFC that mandates the Sender be there in this
instance (there is a MAY, but no MUST), so at this point, Listbox has done
nothing wrong. Frank has done nothing wrong.
Where things go wrong is that you used the record he published to apply to
messages with a Mail From: his domain and applied that information to the
body of the message. Thus you end up believing that the message is somehow
forged or bad when in fact nothing could be further from the truth.
Now people will argue over this. Some see this as legitimate reuse, some see
it as abuse. That's why I said reuse/abuse in my message. From my point of
view, any scheme like this which is opt-out is an abusive situation.
Additionally, it's poor design (layer violation), but that's another issue.
If SID worked in a way that it would reliably work out for mail that was RFC
compliant (as I've shown, it doesn't), then I could probably accept that
reuse was an acceptable real-world compromise that should be lived with.
Hope that helps,
Scott K
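As an added illustration of the mismatch Scott describes (example code, not from the thread or from any SPF implementation): SPF evaluates the Return-Path (MAIL FROM) domain against the connecting IP, while Sender ID evaluates the Purported Responsible Address, which RFC 4407 derives from Resent-Sender, Resent-From, Sender or, failing those, From. The SPF records, the simplified record evaluator and the header sample below are constructed for this example; only the IP 207.8.214.5, the domains and the proposed Sender: field come from the message.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed SPF records (illustration only, not what these domains published).
SPF_RECORDS = {
    "v2.listbox.com": "v=spf1 ip4:207.8.214.0/24 -all",
    "xyzzy.claranet.de": "v=spf1 ip4:192.0.2.10 -all",
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain, client_ip):
    """Minimal SPF evaluator: ip4 and all mechanisms only (no include/a/mx)."""
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULT else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return RESULT[qualifier]
        if mech.startswith("ip4:") and addr in ipaddress.ip_network(mech[4:], strict=False):
            return RESULT[qualifier]
    return "neutral"

def pra_address(msg):
    """Sender ID PRA (RFC 4407): first populated header in this order, so Sender: beats From:."""
    for name in ("Resent-Sender", "Resent-From", "Sender", "From"):
        if msg[name]:
            return parseaddr(msg[name])[1]
    return None

def domain_of(address):
    return address.rsplit("@", 1)[1].lower()

def evaluate(raw_message, client_ip):
    """SPF judges the Return-Path domain, Sender ID judges the PRA domain;
    both apply the SPF record of whichever domain they picked."""
    msg = message_from_string(raw_message)
    mail_from = parseaddr(msg["Return-Path"])[1]
    pra = pra_address(msg)
    return {"spf_mailfrom": spf_check(domain_of(mail_from), client_ip),
            "sender_id_pra": spf_check(domain_of(pra), client_ip), "pra": pra}

# Constructed headers mirroring the thread: list host in Return-Path, Frank's domain in From:, no Sender:.
LIST_MESSAGE = ("Return-Path: <listbox+trampoline@v2.listbox.com>\n"
                "From: Frank Ellermann <nobody@xyzzy.claranet.de>\n")
FIXED_MESSAGE = "Sender: spf-help@v2.listbox.com\n" + LIST_MESSAGE  # the Sender: field Scott describes
```

Evaluating LIST_MESSAGE from 207.8.214.5 gives SPF pass but Sender ID fail, because the PRA falls back to Frank's From: and his record is applied to mail his domain never sent; FIXED_MESSAGE passes both.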
-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com