spf-discuss
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [spf-discuss] Receiver forwarder-problem mitigation

2009-07-08 16:27:10
from [Stuart D. Gathman] [Permanent Link] 
On Wed, 8 Jul 2009, Stuart D. Gathman wrote:


On Wed, 8 Jul 2009, Alessandro Vesely wrote:


_How_ they accept whitelisting would also be a policy. It can go anywhere 
from
whitelisting an IP, to providing a specific userid/password pair for the
forwarder to use SUBMIT. None of those can be easily automated, that's why I
listed them last.


The simplest way to whitelist a forwarder is the way pymilter does it:
provide the domain of the forwarder - what the forwarder would
use if they were enlightened enough to use SRS.  If the mail would have
passed SPF (or a guessed SPF policy such as "v=spf1 a mx ptr") had
the forwarder actually used SRS, then the email is from the whitelisted
forwarder.  

One would hope the forwarder is at least enlighted enough
to publish an SPF record, or use a valid HELO or PTR that ends in their
domain or send from one of their MXes so the SPF-GUESS works.  
If the forwarder is anonymous, maybe everyone is better off if the end user
*doesn't* get any of the forwards ...  ;-)


An example might help:

Suppose Rick has a mailbox, rbrown(_at_)biguni(_dot_)edu, at his Uni.  He 
graduates
and gets a job, and the Uni offers to forward his emails to his
new mailbox of rick_brown(_at_)bigcorp(_dot_)com(_dot_)  The forwarder domain 
is "biguni.edu".
(Hence the joke about an "anonymous forwarder" - which is almost certainly
spam since the domain was chosen arbitrarily by the sender.)  The Uni 
forwards email by replacing the RCPT TO and relaying to an MX for the
new RCPT TO.

The email admin at bigcorp.com adds biguni.edu to the list of forwarders 
trusted by bigcorp.com.  The mail system at bigcorp.com accepts email from IPs
that would get an SPF Pass or best-guess-pass with a mail from of
postmaster(_at_)biguni(_dot_)edu, without bothering to check SPF against the 
real MAIL
FROM (or checks only if real mailfrom fails to get a pass or precompiles
forwarder domain list to an IP set or ...).

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.


-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [spf-discuss] Receiver forwarder-problem mitigation, Stuart D. Gathman
Next by Date:  Re: [spf-discuss] Senderside forwarder-problem mitigation, Ian Eiloart
Previous by Thread:  Re: [spf-discuss] Receiver forwarder-problem mitigation, Stuart D. Gathman
Next by Thread:  Re: [spf-discuss] Receiver forwarder-problem mitigation, Alessandro Vesely
Indexes:  [Date] [Thread] [Top] [All Lists]