
RE: [spf-discuss] Phishing passing thru spf = not useful to me.

2007-04-16 07:04:07
Scott Kitterman wrote on Sunday, April 15, 2007 7:24 PM -0500:

> On Sat, 14 Apr 2007 17:58:20 -0400 (EDT) "Stuart D. Gathman"
> <stuart(_at_)bmsi(_dot_)com> wrote:
> > On Sat, 14 Apr 2007, Adrian de los Santos wrote:
> >
> > > Is there any implementation of SPF that checks the From of the
> > > data transaction?
> >
> > No.  Sender-ID could have been, but it checks some random header
> > chosen by the spammer.  (Well not random, but using a patented
> > algorithm.)
> >
> > > How can I prevent forged Froms on the data transaction?
> >
> > Use DKIM.  This requires the sender to sign their headers, and
> > publish a public key in DNS.
>
> Yes, except currently it lacks any way to describe in the protocol any
> requirement for a relationship between the signing domain and the From
> domain.  Without a reputation system behind it (Stuart this is a
> hint) it is even less useful to the receiver than SPF.  The DKIM
> working group is chartered to deal with this, but not making a lot of
> progress.

DKIM does validate the From: address independently, though it is
heavyweight and does not offer any information during the SMTP envelope
phase.  SPF is lightweight and facilitates rejection before the SMTP
data phase, but SPF only validates MAIL FROM, not the addresses visible
to the end user.  However, for the majority of ordinary email, MAIL FROM
== From:, so validating MAIL FROM with SPF also validates From:, telling
you the message is definitely not a phish with no additional overhead.
This would be noted by the MTA in some kind of trace header and the MUA
could display the fact that the message is not a phish.  At such
recipients, domains that publish SPF are protected against both MAIL
FROM forgery and From: phishing.

A recipient can only conclude that MAIL FROM != From: is a phish if the
From: domain publishes the fact that they sign all mail with DKIM.  If
the From: domain does not publish a DKIM policy, the recipient MTA can
only note that fact and the MUA could display the possible phish status.
In the case that the From: domain does sign all outgoing mail with DKIM
and the present message is not DKIM signed, the MTA can conclude this is
a phish and reject at the end of SMTP data.  Even in this case, it is
still to a recipient's advantage to run SPF during the envelope to
reject as much junk as possible at the lowest cost, so running DKIM does
not remove the benefit of SPF.

In other words, DKIM pass/fail only buys you additional information over
SPF pass in the case where MAIL FROM != From:.  If SPF would adopt a
scoping parameter (I recall Frank had op=something that said the From:
(or Sender: ?) domain must match MAIL FROM), then most domains could
protect the use of their domain name in displayed addresses without the
additional overhead of DKIM.

--
Seth Goodman
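The decision order Seth lays out above (SPF on MAIL FROM during the envelope, DKIM consulted only where MAIL FROM and From: differ, a data-phase reject only when the From: domain states it signs everything, otherwise a trace header for the MUA), written out as an added Python example; this is not code from the list or from any SPF or DKIM implementation. The MessageAuth fields, the X-From-Check header name and the sample domains are constructed, and the MAIL FROM == From: comparison is done at the domain level.

```python
from dataclasses import dataclass
from email.utils import parseaddr
from typing import Optional

# Constructed model of what an MTA knows after SPF (envelope phase) and
# DKIM (data phase); field and function names are this example's own.
@dataclass
class MessageAuth:
    mail_from_domain: str               # domain of envelope MAIL FROM (SPF identity)
    from_header: str                    # raw RFC 5322 From: header value
    spf_result: str                     # "pass", "fail", "none", "softfail", ...
    dkim_signing_domain: Optional[str]  # d= of a signature that verified, else None
    from_domain_signs_all: bool         # From: domain publishes "we DKIM-sign all mail"

def header_domain(from_header: str) -> str:
    """Domain part of the displayed address, e.g. 'Bank <alerts@bank.example>'."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()

def classify(m: MessageAuth) -> tuple:
    """Apply the thread's order: SPF at the envelope first, then DKIM only
    for the MAIL FROM != From: case.  Returns (verdict, reason)."""
    # SPF fail is rejected before DATA; nothing further is needed.
    if m.spf_result == "fail":
        return "reject-envelope", "SPF fail on MAIL FROM"
    from_dom = header_domain(m.from_header)
    if m.spf_result == "pass" and m.mail_from_domain.lower() == from_dom:
        # Ordinary mail: MAIL FROM == From:, so the SPF pass covers From: too.
        return "not-phish", "SPF pass and MAIL FROM domain == From: domain"
    # MAIL FROM != From: (or no SPF pass): only DKIM can vouch for From:.
    if m.dkim_signing_domain and m.dkim_signing_domain.lower() == from_dom:
        return "not-phish", "valid DKIM signature by the From: domain"
    if m.from_domain_signs_all:
        # From: domain says it signs everything, yet nothing from it verified.
        return "reject-data", "From: domain signs all mail; message unsigned"
    # No policy to judge against: note it for the MUA and deliver.
    return "possible-phish", "From: domain unverified and publishes no DKIM policy"

def trace_header(m: MessageAuth) -> str:
    """Trace line an MTA could add for the MUA (header name is made up here)."""
    verdict, reason = classify(m)
    return f"X-From-Check: {verdict} ({reason})"
```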
