-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Daryl C. W. O'Shea wrote on spf-council:
> Stuart D. Gathman wrote on spf-council:
> > SpamAssassin needs to use Received-SPF, not do their SPF check.  Has
> > anyone spoken to them about this?  In addition to the inaccuracy of
> > doing it after the fact, it *does* amplify any DDoS (by some factor
> > reduced by ISP caching) as DougO points out.
>
> I looked at this briefly long ago.  In short, I'd sooner have us abandon
> SPF support than use existing Received-SPF headers *by default* (I have
> considered making it an option, but haven't had the tuits to do it yet).
> Why?
>
> - the vast majority of mail processed by SA worldwide (not necessarily
>   # of installations, but actual mail volume) scans the mail during or
>   immediately following SMTP time... the number of cached lookups
>   expiring within seconds is normally exceedingly low
>
> - in a very large number of cases we can't trust the Received-SPF
>   header since the Received-SPF header (like DK/DKIM headers and most
>   other stuff's headers) are usually placed before (in time, i.e. below)
>   the trusted MX's Received header

According to RFC 4408, section 7, the "Received-SPF" header "SHOULD be
prepended to the existing header, above the Received: field that is
generated by the SMTP receiver."

I think it would be acceptable (and I would actually recommend) to ignore
any "Received-SPF" headers that are below the trusted MX's "Received"
header.

>   - I've always thought this (having all headers added by a single
>     relay being placed under that same relay's Received header) to be
>     a really bad idea, I really should be more vocal about it

I agree with that.  The "Received" header really is the anchor, and all
secondary trace headers should be placed _above_ it.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iD8DBQFFVJU3wL7PKlBZWjsRAlJcAJ4j/CxetGmKWel/IevtwxYAyUVHQQCgyouV
Gazk8ViQVhUXMI9/xRPVSmA=
=KJUr
-----END PGP SIGNATURE-----
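
The filtering rule discussed in this message (honour only "Received-SPF" headers that sit above the trusted MX's "Received" header) can be sketched as follows. This is an added example, not part of the original message and not SpamAssassin code; the function name `split_received_spf`, the host names and the sample message are constructed, and it assumes the trusted MX always stamps its own `Received` header with a `by <host>` clause.

```python
import email
import re

# Constructed sample: the trusted MX (mx.example.org) recorded "fail" above its
# own Received header; a "pass" header was already present when the mail arrived.
SAMPLE = (
    "Received-SPF: fail (mx.example.org: domain of example.com does not"
    " designate 203.0.113.5)\n"
    "Received: from mail.example.net (mail.example.net [203.0.113.5])\n"
    "\tby mx.example.org with ESMTP; Fri, 10 Nov 2006 10:00:00 -0500\n"
    "Received-SPF: pass (header supplied before delivery to the MX)\n"
    "Received: from client (client [198.51.100.7]) by mail.example.net;\n"
    "\tFri, 10 Nov 2006 09:59:58 -0500\n"
    "From: someone@example.com\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

BY_HOST = re.compile(r"\bby\s+([^\s;]+)", re.IGNORECASE)


def split_received_spf(raw_message, trusted_mx):
    """Return (trusted, ignored) SPF results, scanning headers top to bottom.

    Results above the topmost Received header stamped by trusted_mx are
    trusted; everything below that anchor is ignored. If the anchor is never
    found, nothing is trusted.
    """
    msg = email.message_from_string(raw_message)
    above, below = [], []
    anchored = False
    for name, value in msg.items():
        lname = name.lower()
        if lname == "received" and not anchored:
            m = BY_HOST.search(value)
            if m and m.group(1).lower() == trusted_mx.lower():
                anchored = True  # headers from here down predate the MX
        elif lname == "received-spf":
            parts = value.split()
            result = parts[0].lower() if parts else ""
            (below if anchored else above).append(result)
    if not anchored:
        return [], above + below
    return above, below


if __name__ == "__main__":
    print(split_received_spf(SAMPLE, "mx.example.org"))
```
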