spf-discuss

[spf-discuss] Re: Apache SpamAssassin SPF checks

2006-11-10 08:06:53

Daryl C. W. O'Shea wrote on spf-council:
> Stuart D. Gathman wrote on spf-council:
>> SpamAssassin needs to use Received-SPF, not do their SPF check.  Has
>> anyone spoken to them about this?   In addition to the inaccuracy of
>> doing it after the fact, it *does* amplify any DDoS (by some factor
>> reduced by ISP caching) as DougO points out.
>
> I looked at this briefly long ago.  In short, I'd sooner have us abandon
> SPF support than use existing Received-SPF headers *by default* (I have
> considered making it an option, but haven't had the tuits to do it yet).
>
> Why?
>
>   - the vast majority of mail processed by SA worldwide (not necessarily
>     # of installations, but actual mail volume) scans the mail during or
>     immediately following SMTP time... the number of cached lookups
>     expiring within seconds is normally exceedingly low
>
>   - in a very large number of cases we can't trust the Received-SPF
>     header since the Received-SPF header (like DK/DKIM headers and most
>     other stuff's headers) is usually placed before (in time, i.e. below)
>     the trusted MX's Received header

According to RFC 4408, section 7, the "Received-SPF" header "SHOULD be 
prepended to the existing header, above the Received: field that is 
generated by the SMTP receiver."

I think it would be acceptable (and I would actually recommend) to ignore 
any "Received-SPF" headers that are below the trusted MX's "Received" 
header.

>      - I've always thought this (having all headers added by a single
>        relay being placed under that same relay's Received header) to be
>        a really bad idea; I really should be more vocal about it

I agree with that.  The "Received" header really is the anchor, and all 
secondary trace headers should be placed _above_ it.

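The placement rule discussed above (use a Received-SPF header only when it sits above the trusted MX's own Received header, and ignore any below it), as an added Python example that is not SpamAssassin's code or anything from this thread; the host names, the sample message and the regex used to recognise the trusted MX's Received line are constructed assumptions.

```python
import re
import email
from email import policy

# Constructed sample message (hypothetical hosts). The trusted MX
# "mx.example.org" prepended its Received-SPF above its own Received line,
# as RFC 4408 section 7 says it SHOULD. The second Received-SPF sits below
# that Received line: it arrived with the message from an earlier hop, so
# anyone could have written it and it must not be used.
SAMPLE_MESSAGE = """\
Received-SPF: pass (mx.example.org: 192.0.2.10 is designated sender) receiver=mx.example.org
Received: from smtp.sender.example (smtp.sender.example [192.0.2.10])
 by mx.example.org with ESMTP id abc123; Fri, 10 Nov 2006 08:06:53 -0500
Received-SPF: pass (mail.forged.example: claims to have checked) receiver=mail.forged.example
Received: from unknown (HELO forged) by smtp.sender.example; Fri, 10 Nov 2006 08:06:00 -0500
From: someone@sender.example
Subject: constructed test message

body
"""

TRUSTED_MX = "mx.example.org"  # assumed name of the receiving MX we trust


def split_received_spf(raw_message, trusted_mx):
    """Walk the headers top-down (newest hop first) and return
    (usable, ignored): SPF results from Received-SPF headers placed above
    the trusted MX's Received header, and those placed below it.
    If the trusted Received header is never found there is no anchor,
    so every Received-SPF result is ignored."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    by_trusted = re.compile(r"\bby\s+" + re.escape(trusted_mx) + r"\b", re.I)
    above, below = [], []
    found_anchor = False
    for name, value in msg.items():      # on-the-wire header order is kept
        text = str(value)                # policy.default unfolds continuation lines
        if name.lower() == "received" and by_trusted.search(text):
            found_anchor = True          # trust boundary: everything below is older
        elif name.lower() == "received-spf":
            result = text.split(None, 1)[0].lower()   # first token is the SPF result
            (below if found_anchor else above).append(result)
    if not found_anchor:
        return [], above + below
    return above, below
```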
