
[spf-discuss] Re: Top problems with SPF acceptance

2008-03-03 23:19:11
At 11:35 AM +0100 3/3/08, Frank Ellermann wrote:
> Don Lee wrote:
>
>> The basic idea is straightforward and has advantages in both
>> implementation and deployment.
>
> Apparently straightforward, but actually it's a SenderID hack.
>
> For SPF FAIL and RFC 821 compatibility forwarders need to do
> "something" with the MAIL FROM.  By definition redistributors
> work "as is".
>
> For PRA FAIL forwarders *and* mailing lists have to update the
> PRA, e.g., add Resent-* header fields as specified in RFC 4406.
>
> After they have done that they can try to use the "Submitter"
> in RFC 4405 with servers supporting it.  But this is only a
> shortcut allowing to reject an obviously FAILing PRA before
> the server sees the message DATA with the "real" PRA.
>
> If "Submitter" doesn't trigger a PRA FAIL - the bad guys could
> make sure that "Submitter" won't fail - the server still has
> to check that the "real" PRA matches the alleged "Submitter".
>
> And for that more important check forwarders and mailing lists
> have to modify the message header, see above.  Modifying the
> message header above what is permitted in 2821bis and 2822upd
> is a legal rathole.
>
> In practice I don't see why enough SMTP servers would wish to
> support the "Submitter" shortcut when they have to check the
> DATA with the PRA anyway (if the "Submitter" doesn't fail).
>
> It is actually *THE* problem with PRA (SenderID), unlike SPF
> PRA only works after worldwide deployment, it is a "FUSSP".
>
> Frank


Potentially, though, SUBMITTER could be checked instead of Mail from:. 
This presumes that each server in the chain is willing to take responsibility 
for the message, and does not handle end-to-end checking, but would at
least provide a reliable one-hop solution for SPF checking that does not
have "forwarding problems".

It's dead.  I'll file it appropriately.

Thanks all for the enlightenment.

-dgl-
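
The check discussed in this thread, comparing the SUBMITTER value from MAIL FROM with the PRA found in the message header after DATA, as an added example that is not part of the original posts. It follows a simplified reading of the PRA selection order in RFC 4407; the function names, result strings and sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

def _norm(addr):
    # Domain part compares case-insensitively; local part is left as given.
    local, _, domain = addr.strip().rpartition("@")
    return f"{local}@{domain.lower()}"

def derive_pra(raw_message):
    """Return the PRA mailbox following the RFC 4407 selection order, else None."""
    headers = [(n.lower(), v) for n, v in message_from_string(raw_message).items()
               if v.strip()]
    names = [n for n, _ in headers]
    selected = None
    if "resent-sender" in names:
        rs = names.index("resent-sender")
        # Resent-Sender is used unless an earlier Resent-From is separated from
        # it by Received/Return-Path fields, i.e. belongs to another resend hop.
        rf = names.index("resent-from") if "resent-from" in names[:rs] else None
        if rf is None or not {"received", "return-path"} & set(names[rf + 1:rs]):
            selected = headers[rs][1]
    if selected is None and "resent-from" in names:
        selected = headers[names.index("resent-from")][1]
    if selected is None:
        for field in ("sender", "from"):
            values = [v for n, v in headers if n == field]
            if len(values) > 1:
                return None          # several Sender/From fields: ill-formed
            if values:
                selected = values[0]
                break
    if selected is None:
        return None
    boxes = getaddresses([selected])
    if len(boxes) != 1 or "@" not in boxes[0][1]:
        return None                  # not exactly one mailbox with a domain
    return _norm(boxes[0][1])

def check_submitter(submitter, raw_message):
    """Compare the MAIL FROM SUBMITTER value with the PRA found in the DATA."""
    pra = derive_pra(raw_message)
    if pra is None:
        return "ill-formed"
    return "match" if _norm(submitter) == pra else "mismatch"

# Constructed sample messages (not from the thread).
ORIGINAL = "From: Alice <alice@author.example>\nTo: bob@old.example\n\nhi\n"
FORWARDED = ("Resent-From: fwd@forwarder.example\n"
             "Received: from mx.author.example by mx.forwarder.example\n" + ORIGINAL)
```

A forwarder that announces itself in SUBMITTER but relays `ORIGINAL` unchanged gets "mismatch"; only the header-modified `FORWARDED` yields "match", which is the header rewriting requirement raised in the quoted reply.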
