
[spf-discuss] Re: SPF queries by a newbie

2006-11-13 08:18:36

Jon Grant wrote:
I had hoped for a way to stop me getting spam, but it sounds like a
spammer just needs to set up their SPF record for their envelope sender
address, and then put the fake From address in place to still be able to
spam.

If you want to stop spam, go and kill a spammer every day.

Seriously, use SpamAssassin or, better, reputation systems.  And do report 
spam to SpamCop or similar spam reporting services.

SPF is not, and never will be, designed to stop spam directly.  SPF is 
about forgery only.

And then what happens if their envelope-sender address is just going to
/dev/null? Have they really lost anything?

Domain owners who use SPF typically don't care about whether spammers lose 
anything.  They primarily care about their own domains not getting abused 
by spammers, and SPF helps them achieve that.

And what if the envelope address isn't even a valid email address...?

Mail from invalid addresses (or at least, from invalid domains) should be 
rejected outright.  Most MTAs support that nowadays.

Could mail servers also check the From: address using the SPF record?

No, not against v=spf1 records.  v=spf1 is not meant for that.

Is my understanding correct, in that all mail servers which are relaying
the email to the final POP account etc have to read all the Received:
lines in the header, pick out the last line and check that that machine
is authorised on the SPF record of the envelope sender (MAIL FROM)?

No.  Mail servers don't have to parse any "Received:" headers.  They just 
check the MAIL FROM that is communicated to them when they receive mail.

[...] my ISP, easily.co.uk had indicated SPF would solve the problem of
me receiving spam.

They are mistaken.

No.  If the domain "tiscali.co.uk" authorizes the compromised system's
IP address to send mail using that domain, then SPF works as
advertised.  SPF is not a virus scanner.

I wonder if there is a complete solution to spam, which checks upon
connection to the MX and does Reject 554 at the SMTP level if certain
checks fail before the email ever really enters the MX proper?

I'll leave it for others to explain how that can be easily accomplished 
with modern MTAs using various tools such as SpamAssassin, DNS reputation 
black-lists, etc.

If a zombie PC can send email via the tiscali.co.uk single authorised
server: smtp.tiscali.co.uk, without that ISP checking which users are
authorised from which of their customer IP addresses then I could still
suffer bounces from zombie PC which also had an ADSL connection with
Tiscali.

That spam sent by the zombie will be received by some spam victim's mail 
server.  If that mail server does an SPF check and your domain (!= 
tiscali.co.uk) has an SPF record that does NOT authorize the Tiscali mail 
server to send mail using your domain, then you will NOT get a bounce for 
that spam and SPF has done its job.

My understanding is the Envelope sender address is stored in the
Return-Path:  field when it is finally delivered?

Usually, yes.  Some MTAs do not generate the "Return-Path:" header or name 
it differently, though.


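The check described in the message above, as an added example that is not part of the original post: a simplified SPF evaluation that looks only at the connecting IP and the MAIL FROM domain. The domains, addresses and records are constructed, a dictionary stands in for DNS, and only the ip4, ip6 and all mechanisms are handled.

```python
import ipaddress

# Constructed records standing in for DNS TXT lookups (assumption: no real DNS).
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 -all",     # domain owner publishing SPF
    "spammer.example": "v=spf1 ip4:203.0.113.7 -all",  # spammer's own throwaway domain
    "isp.example": "v=spf1 ip4:198.51.100.25 -all",    # ISP with a single smarthost
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(client_ip, mail_from):
    """Simplified SPF check of the connecting IP against the MAIL FROM domain."""
    record = SPF_RECORDS.get(mail_from.rpartition("@")[2].lower())
    if record is None or record.split()[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name.lower() == "all":
            return RESULTS[qualifier]
        if name.lower() not in ("ip4", "ip6"):
            raise NotImplementedError(f"mechanism not handled in this sketch: {term}")
        net = ipaddress.ip_network(arg, strict=False)
        if ip.version == net.version and ip in net:
            return RESULTS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term

# Constructed SMTP sessions: (connecting IP, MAIL FROM, header From).
SESSIONS = [
    ("203.0.113.7", "bounce@spammer.example", "ceo@example.org"),
    ("198.51.100.99", "user@example.org", "user@example.org"),
    ("198.51.100.25", "zombie@isp.example", "zombie@isp.example"),
    ("198.51.100.25", "user@example.org", "user@example.org"),
    ("192.0.2.10", "user@nospf.example", "user@nospf.example"),
]

def evaluate(sessions):
    # The header From is carried along but never consulted by a v=spf1 check.
    return [check_host(ip, mail_from) for ip, mail_from, _header_from in sessions]

if __name__ == "__main__":
    for session, result in zip(SESSIONS, evaluate(SESSIONS)):
        print(session, "->", result)
```

The first session passes even though its header From names example.org, and the fourth fails because example.org's record does not authorize the ISP's smarthost.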