spf-discuss

[spf-discuss] Re: Why SRS really sucks

2006-03-27 09:10:19
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On srs-discuss, Johann Steigenberger wrote:
> [...]
> SRS makes a good thing like SPF really useless.
>
> Why?
>
> We at UCEPROTECT-Network noticed an increase in spam and phishing mails
> claiming to be legitimate forwarded mail (with SRS) within the last few
> days. Worst of all, these faked mails were delivered by well-known
> providers.
>
> Investigating this, we found that those providers do not even check for
> SPF records and are accepting such crap, but then they are forwarding it
> with SRS!!!
>
> They just do SRS on all forwarded mail, only to get the mails out of
> their queue :-(

From a receiver's POV there is just no meaningful difference between 
"forwarding" and "originally sending" mail.  Some misguided RFCs and their 
advocates may be telling you otherwise, but it just ain't true.  Nobody 
except the sender can know whether a mail was forwarded or originally sent 
by the sending host.

The difference between forwarders rewriting the sender address (using SRS 
or other schemes) and forwarders not doing it is that the former accept 
responsibility (to their domain) for the mail they send and the latter 
don't (blaming responsibility on the supposed original sender domain).  
SPF prevents forwarders (and other senders) from blaming responsibility on 
others.

Sender rewriting is indeed a good thing for forwarders to do.  It in no 
way circumvents SPF, which is not meant as an anti-spam solution, just 
as an anti-forgery solution, and SPF-protected domains can't be forged in 
the envelope sender, not even using SRS.

It is true that forwarders should do SPF checking, especially those doing 
sender rewriting.  If they don't, and essentially forward (=send!) any 
crap that someone inputs into their system, then they (i.e. their domains) 
deserve to get a bad reputation!

You speak of "well known providers".  Have you tried contacting them and 
telling them that not checking for SPF, spam, etc. when forwarding is 
going to discredit their domains?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEKA4pwL7PKlBZWjsRAs7ZAKCZWrMif/ThInTOReVxaHs95qLIgACdHhEx
RZ9Ec1j0Cwb56RqN3XzyjyM=
=qObx
-----END PGP SIGNATURE-----
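The two points made in the reply above, that an SRS-rewritten envelope sender lands in the forwarder's own domain (so the next hop's SPF check is against the forwarder, not the claimed originator) and that a forwarder should check SPF on the inbound hop before rewriting anything, worked through as an added example. This is not code from the post or from any SRS implementation. DNS is replaced by a constructed table of SPF records; the domains, IP addresses and SECRET are hypothetical, and the SPF evaluator handles only the mechanisms that table uses (ip4 and all).

```python
"""SRS0 sender rewriting, with the SPF check a forwarder should do before it rewrites.

Added example for this thread, not code from the post or from any SRS package.
DNS is replaced by SPF_RECORDS, a constructed table of hypothetical zones, so it
runs offline; spf_check() handles only the mechanisms that table uses (ip4, all).
"""
import base64
import hashlib
import hmac
import ipaddress
import time

SRS_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"   # base32 alphabet for the SRS timestamp
SRS_MAX_AGE_DAYS = 21                                # bounces older than this are refused
SECRET = b"constructed-forwarder-secret"             # per-forwarder key, hypothetical value

# Constructed SPF records standing in for DNS TXT lookups (hypothetical zones).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.10 -all",           # original sender's domain
    "forwarder.example": "v=spf1 ip4:198.51.100.25 -all",  # the forwarding provider
}
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip):
    """Evaluate the domain's SPF record for the connecting IP (ip4 and all only)."""
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            return QUALIFIER_RESULT[qualifier]
        if mech == "ip4" and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIER_RESULT[qualifier]
    return "neutral"   # record exhausted without a match


def srs_timestamp(day):
    """Two base32 chars encoding (days since epoch) mod 1024."""
    t = day % 1024
    return SRS_ALPHABET[t >> 5] + SRS_ALPHABET[t & 31]


def srs_timestamp_age(ts, day):
    """Days elapsed since ts was minted, assuming it is less than 1024 days old."""
    t = (SRS_ALPHABET.index(ts[0]) << 5) | SRS_ALPHABET.index(ts[1])
    return (day % 1024 - t) % 1024


def srs_hash(secret, ts, domain, local):
    """First four base64 chars of HMAC-SHA1 over the rewritten fields."""
    mac = hmac.new(secret, (ts + domain + local).lower().encode(), hashlib.sha1).digest()
    return base64.b64encode(mac)[:4].decode()


def srs_forward(sender, forwarder_domain, secret, day):
    """Rewrite sender into SRS0=hash=ts=domain=local@forwarder_domain."""
    local, _, domain = sender.rpartition("@")
    ts = srs_timestamp(day)
    return f"SRS0={srs_hash(secret, ts, domain, local)}={ts}={domain}={local}@{forwarder_domain}"


def srs_reverse(address, secret, day, max_age_days=SRS_MAX_AGE_DAYS):
    """Recover the original sender from a bounce; refuse forged or stale addresses."""
    local, _, _ = address.rpartition("@")
    if not local.startswith("SRS0="):
        raise ValueError("not an SRS0 address")
    _, h, ts, orig_domain, orig_local = local.split("=", 4)  # local part may itself contain '='
    expected = srs_hash(secret, ts, orig_domain, orig_local)
    if not hmac.compare_digest(h.lower(), expected.lower()):  # some MTAs lowercase addresses
        raise ValueError("SRS hash mismatch: address was not minted with our secret")
    if srs_timestamp_age(ts, day) > max_age_days:
        raise ValueError("SRS timestamp expired")
    return f"{orig_local}@{orig_domain}"


def forward(envelope_sender, client_ip, forwarder_domain, secret, day):
    """The order the post asks for: check SPF on the inbound hop, reject 'fail',
    and only then put our own domain on the envelope sender via SRS."""
    result = spf_check(envelope_sender.rpartition("@")[2], client_ip)
    if result == "fail":
        return "reject", result, None
    return "forward", result, srs_forward(envelope_sender, forwarder_domain, secret, day)


if __name__ == "__main__":
    day = int(time.time() // 86400)
    # Forged mail claiming example.com from an IP its SPF record does not list: rejected.
    print(forward("alice@example.com", "203.0.113.7", "forwarder.example", SECRET, day))
    # Genuine mail: rewritten, so the next hop's SPF check is against forwarder.example.
    action, _, rewritten = forward("alice@example.com", "192.0.2.10", "forwarder.example", SECRET, day)
    print(action, rewritten, spf_check(rewritten.rpartition("@")[2], "198.51.100.25"))
    print(srs_reverse(rewritten, SECRET, day))
```

The rewritten address carries the forwarder's domain, so whatever reputation the forwarded traffic earns accrues to forwarder.example; a forwarder that skips the spf_check() step in forward() and rewrites everything is exactly the case the thread complains about.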

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/