On Mon, 24 Jul 2006 19:52:22 +0000 Julian Mehnle <julian(_at_)mehnle(_dot_)net>
wrote:
Robin Rowe wrote:
Hi. Question from new spf user. The email header below has a return-path
to a spammer but a forged From of ebay.com. Why wasn't it REJECTED?
Because smtp03.ebay.com (the "From:" domain) has neither an SPFv1
("v=spf1") nor a Sender ID ("spf2.0") record, so that domain is NOT
protected, as opposed to the domain ebay.com, for example. However,
smtp03.ebay.com is not an existing domain, so the forgery should be
trivially detectable by any spam filter that isn't completely brain-dead.
Also, be aware that SPFv1 does not protect the "From:" domain. (Sender ID
and DKIM do.)
Sender ID only protects From: on messages that do not have Sender:,
Resent-From:, or Resent-Sender: in the body header, i.e. if the phisher
doesn't bother to take the most elementary steps to bypass it. What
Sender ID does do is give you a purportedly responsible party to blame.
The DKIM base specification will be similar. They give you a signing
domain to blame. There was even a recent suggestion on the DKIM list to
remove the requirement that From: be signed (fortunately not accepted).
DKIM will also have a policy protocol (currently called Sender Signing
Policy) that may actually protect From:.
Scott K
-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription, please go to
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
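The point Scott makes about which header Sender ID actually checks can be seen by running the Purported Responsible Address (PRA) selection from RFC 4407 over two constructed messages. This is an added example, not code from the thread or from any SPF implementation; the message texts, the spammer.example domain and the function names are made up for illustration. It also contrasts the PRA with the identity SPFv1 checks (the MAIL FROM / Return-Path), so both identities can be compared side by side.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample 1: forged From: of ebay.com, no Sender:/Resent-*
# headers, bounces go back to the spammer (as in Robin's example).
FORGED_FROM_ONLY = """Return-Path: <bounce@spammer.example>
Received: from mx.spammer.example (mx.spammer.example [192.0.2.10])
From: eBay <aw-confirm@ebay.com>
To: victim@example.net
Subject: Account notice

Please click the link.
"""

# Constructed sample 2: same forgery, but the phisher adds a Sender:
# header pointing at a domain whose SPF record they control.
FORGED_WITH_SENDER = """Return-Path: <bounce@spammer.example>
Received: from mx.spammer.example (mx.spammer.example [192.0.2.10])
From: eBay <aw-confirm@ebay.com>
Sender: list@spammer.example
To: victim@example.net
Subject: Account notice

Please click the link.
"""

# RFC 4407 section 2: the first header found in this order supplies the PRA.
# Simplification (assumption): we take the topmost instance of each header
# and do not split Resent-* headers into blocks as the RFC does.
PRA_ORDER = ("Resent-Sender", "Resent-From", "Sender", "From")


def purported_responsible_address(raw_message):
    """Return (header_name, mailbox) chosen as the Sender ID PRA, or (None, None)."""
    msg = message_from_string(raw_message)
    for name in PRA_ORDER:
        values = msg.get_all(name)
        if values:
            mailbox = parseaddr(values[0])[1]
            if mailbox:
                return name, mailbox
    return None, None


def mail_from_identity(raw_message):
    """SPFv1 checks the envelope sender; Return-Path records it after delivery."""
    msg = message_from_string(raw_message)
    return parseaddr(msg.get("Return-Path", ""))[1] or None


def domain_of(mailbox):
    return mailbox.rsplit("@", 1)[1].lower()


def identities_checked(raw_message):
    """Which domain each mechanism would look up an SPF record for."""
    _, pra = purported_responsible_address(raw_message)
    mail_from = mail_from_identity(raw_message)
    return {
        "spfv1_mail_from": domain_of(mail_from) if mail_from else None,
        "senderid_pra": domain_of(pra) if pra else None,
    }


if __name__ == "__main__":
    # Without Sender:, the PRA is the forged From: and ebay.com gets checked.
    print(identities_checked(FORGED_FROM_ONLY))
    # With Sender:, nothing looks at ebay.com any more.
    print(identities_checked(FORGED_WITH_SENDER))
```

Running this shows that once a Sender: header is present, both SPFv1 and Sender ID evaluate spammer.example, and the forged From: domain is never consulted; only a mechanism that signs or sets policy on From: itself (as the thread says DKIM's Sender Signing Policy was intended to) closes that gap.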