spf-discuss

Re: [spf-discuss] SPF blocking e-mails coming from an E-card service server

2007-04-06 13:33:22

The ecard services need to start using their own email address in MAIL FROM. If that is not done they are indistinguishable from forgery (in fact that is basically exactly what they do), and it is not just SPF; every other email authentication proposal has problems with that.

To deal with bounces, the e-card service should have a bounce handler that, based on some id of the original email, can verify that it's for one of their customers and forward it further as appropriate. My recommendation for developers of such a service is to have a database with ids for all users of their service and put a hash (unique id + timestamp) as part of the MAIL FROM address (this is basically an SRS/SES-like service), i.e. here is an example:

FROM:<eba=69e9db9ba8fab99552c25fcea6fcaf69=0406071307=1225(_at_)ecard(_dot_)example>

Above, 1225 is the database id that you can correspond to william(_at_)elan(_dot_)net, 0406071307 is a timestamp and the rest is md5(email timestamp). Your system can then verify that the received bounce is not from too long ago and if so process this bounce (remember to check SPF on where the bounce came from and have an SPF record for ecard.example as well). Note that if you implement it, I'd suggest that instead of using BASE16 it be done as BASE32 (but not BASE64 since an email address is not case-sensitive) and the timestamp id could be smaller in BASE32 as well.

Even simpler: if you have a database for each and every email sent through the ecard service, then you just do FROM:<123353422(_at_)ecard(_dot_)example> where '123343422' is the id you look up in your database to find where to forward the email to and when the email was originally sent.

On Fri, 6 Apr 2007, dan1 wrote:

Hello.

I have an E-card customer of our site who has sent an e-mail to someone whose 
e-mail server is using SPF.
They detected that the sender of the e-mail was not allowed to send an e-mail 
from another server (like ours). They request this user to send e-mails only 
from one of its allowed servers.

This is problematic for our E-card service, as we force the sender's e-mail 
address to be coming from the one the user is typing. We need to do this, as it 
allows the recipient to directly answer to the sender, and also because if 
there is any e-mail problem, the problem will directly be sent to the sender 
and not our server, else the customer would never know of the problem and 
wrongly think that the e-mail was sent properly.

Can someone tell me how E-card developers should act regarding that matter?
We currently never had any forgery of a spammer who would use our server, and 
they are limited to only 10 E-cards per day and per IP address, so it is quite 
clean and already very restrictive, and we also check first the sender's IP for 
spamlists before accepting the e-mail, this is probably why we didn't have any 
problem at all with hackers willing to use our service.

Thanks in advance for any advice.
Daniel - Edenpics.com

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your 
subscription,
please go to http://v2.listbox.com/member/?list_id=735
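
An added example, not part of the original messages and not code from any e-card service: generating and verifying a bounce address in the layout the reply describes (prefix, hash, timestamp, database id), with BASE32 fields so it survives case-folding. As assumptions, it swaps the post's plain md5 for a keyed HMAC-SHA256 over the id and timestamp so outsiders cannot compute a valid hash; `SECRET`, `MAX_AGE` and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"   # assumption: server-side secret, never sent in mail
DOMAIN = "ecard.example"           # domain used in the post's example
MAX_AGE = 14 * 86400               # assumption: accept bounces for 14 days

def _b32(data: bytes) -> str:
    # BASE32 without padding, lowercased: safe in a case-insensitive local part
    return base64.b32encode(data).decode().rstrip("=").lower()

def _tag(user_id: int, ts: int) -> str:
    mac = hmac.new(SECRET, f"{user_id}:{ts}".encode(), hashlib.sha256).digest()
    return _b32(mac[:10])          # 80-bit truncated MAC -> 16 characters

def make_return_path(user_id: int, now=None) -> str:
    """Build the MAIL FROM address for a card sent by database user `user_id`."""
    ts = int(time.time() if now is None else now)
    ts_b32 = _b32(ts.to_bytes(5, "big"))      # 5 bytes -> 8 characters
    return f"eba={_tag(user_id, ts)}={ts_b32}={user_id}@{DOMAIN}"

def verify_return_path(addr: str, now=None):
    """Return the database id a bounce belongs to, or None if it must be dropped."""
    now = int(time.time() if now is None else now)
    local, _, domain = addr.strip("<>").lower().rpartition("@")
    parts = local.split("=")
    if domain != DOMAIN or len(parts) != 4 or parts[0] != "eba":
        return None
    _, tag, ts_b32, uid = parts
    try:
        ts = int.from_bytes(base64.b32decode(ts_b32.upper()), "big")
        user_id = int(uid)
    except ValueError:             # bad BASE32 or non-numeric id
        return None
    # constant-time comparison; bytes so non-ASCII input cannot raise
    if not hmac.compare_digest(tag.encode(), _tag(user_id, ts).encode()):
        return None                # forged or altered address
    if not 0 <= now - ts <= MAX_AGE:
        return None                # bounce for a card sent too long ago
    return user_id

if __name__ == "__main__":
    addr = make_return_path(1225)
    print(addr, "->", verify_return_path(addr))
```

The bounce handler would look up the returned id in the user database and forward the bounce to that customer's real address.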