
[spf-discuss] Re: SPF queries by a newbie

2006-11-12 19:28:17

Jon Grant wrote:
> Could you tell me if SPF is widely adopted now?

That depends on your definition of "widely adopted".  Current statistics 
indicate that about 5 million domains have published SPF records, and that 
about 20% of all Internet e-mail traffic is covered by SPF records.  
Adoption has been steadily increasing over the past years.

> Is my understanding correct, in that if all domains had SPF records set
> in the DNS fields this would prevent fraudulent spam.

Not entirely.  See the green boxes on 
http://new.openspf.org/SPF_vs_Sender_ID

SPF (v1) protects only the envelope sender address, not the "From" or
"Sender" headers.  The envelope sender address is not usually displayed by 
mail clients; only the "From" and "Sender" headers are.  So SPFv1 cannot 
protect against forged sender addresses in the message header.

The envelope sender address is not used for informing the end user but only 
for the purpose of transporting the message on the internet and sending 
delivery error messages.  Thus SPFv1 really only protects you against 
wrongly addressed delivery error messages.

Microsoft's Sender ID aims to protect the sender address in the message 
header, but fails to actually do so for somewhat complicated reasons.  The 
SPF project is planning on working on another revision of SPF, SPFv3, 
starting some time next year, which will hopefully be a more intelligent 
successor to SPFv1 than Sender ID is.

> But it would still mean that spammers could have accurate SPF records for
> their domains and then send spam from those domains?

Yes, by definition.  This applies to _any_ domain-based sender policy 
scheme, including any potential SPF successors.

> I could also see a potential problem where a spammer has a compromised
> machine on a Tiscali ADSL connection, he looks up from his list email
> domains which can send email from smtp.tiscali.co.uk and inserts
> user(_at_)tiscali(_dot_)co(_dot_)uk in the MAIL FROM field. Would that defeat
> the protection SPF provides?

No.  If the domain "tiscali.co.uk" authorizes the compromised system's IP 
address to send mail using that domain, then SPF works as advertised.  SPF 
is not a virus scanner.

> The only solution to prevent one Tiscali connected machine sending spam
> as any Tiscali customer would be their own email server as far as I can
> see.. [...]

No domain should ever authorize an ISP's entire IP address range (dial-up 
or otherwise).  End-user machines are not supposed to send mail to 
recipient MTAs directly.  Such mail should always be channeled through an 
ISP/ESP's or user's dedicated smarthost mail servers, and only those mail 
servers should be listed in any domain's SPF record.

> I bet Spammers will also start signing their spams now, so they get
> through any key checking as well. :(

This is totally beside the point.  Signing mail with _any_ key is trivial, 
and signing mail just for the sake of it is pointless.

The point is signing mail with a key that is specifically and explicitly 
trusted by the receiver.  If a mail arriving in my inbox hasn't been 
signed by any of the keys _I_know_and_trust_, the signature is meaningless 
to me.

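An added example, not part of the original message: a minimal Python evaluator, limited to the ip4/ip6/all mechanisms, that shows the two points made in the reply: SPFv1 looks only at the envelope sender (MAIL FROM), and a record listing an ISP's whole customer range passes for any machine in it. The domains, addresses, `RECORDS` table, function names and `max_hosts` threshold are constructed assumptions.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample records (documentation address ranges, example domains).
RECORDS = {
    "mailer.example": "v=spf1 ip4:192.0.2.10 -all",     # dedicated smarthost only
    "isp.example": "v=spf1 ip4:198.51.100.0/24 -all",   # whole customer pool
}

def parse_spf(record):
    """Parse ip4/ip6/all terms of an SPFv1 record into (result, network) pairs."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPFv1 record")
    rules = []
    for term in terms[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        mech = mech.lower()
        if mech == "all":
            rules.append((QUALIFIERS[qual], None))      # None matches every IP
        elif mech.startswith(("ip4:", "ip6:")):
            rules.append((QUALIFIERS[qual], ipaddress.ip_network(mech[4:], strict=False)))
        else:
            raise ValueError(f"mechanism needs DNS, not handled here: {term}")
    return rules

def check_host(client_ip, record):
    """First matching mechanism decides; no match means neutral."""
    ip = ipaddress.ip_address(client_ip)
    for result, net in parse_spf(record):
        if net is None or (ip.version == net.version and ip in net):
            return result
    return "neutral"

def spf_for_message(client_ip, mail_from, header_from):
    """SPFv1 evaluates the MAIL FROM domain only; header_from is never consulted."""
    domain = mail_from.rsplit("@", 1)[1].lower()
    record = RECORDS.get(domain)
    return {"spf": check_host(client_ip, record) if record else "none",
            "checked_domain": domain,
            "header_from_domain": header_from.rsplit("@", 1)[1].lower()}

def overbroad(record, max_hosts=16):
    """List pass-authorised networks above max_hosts addresses (threshold is an assumption)."""
    return ["all" if net is None else str(net) for result, net in parse_spf(record)
            if result == "pass" and (net is None or net.num_addresses > max_hosts)]
```

A receiver that wants to reason about the displayed sender has to compare `checked_domain` with `header_from_domain` itself, since the SPF result says nothing about the latter.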
