Re: SPF

To: Erik Aronesty <erik@zoneedit.com>
Cc: debian-devel@lists.debian.org
Subject: Re: SPF
From: Adam Majer <adamm@galacticasoftware.com>
Date: Fri, 23 Jul 2004 23:26:56 -0500
Message-id: <[🔎] 4101E510.1090408@galacticasoftware.com>
In-reply-to: <[🔎] 3939595a.0407231033.3063ce14@posting.google.com>
References: <[🔎] 20040704214611.39525198CD6@nightcrawler> <[🔎] 1089024707.20634.5.camel@leom181.leom.ec-lyon.fr> <[🔎] 200407051315.55946@fortytwo.ch> <[🔎] 87llhymqid.fsf@sinken.local.csis.hku.hk> <[🔎] 3939595a.0407220943.6dc21107@posting.google.com> <[🔎] 87vfgfa5p0.fsf@sinken.local.csis.hku.hk> <[🔎] 3939595a.0407231033.3063ce14@posting.google.com>

Erik Aronesty wrote:

>Isaac To <iketo2@netscape.net> wrote in message news:<2kYrZ-u1-3@gated-at.bofh.it>...
>  
>
>>>>>>>"Erik" == Erik Aronesty <erik@zoneedit.com> writes:
>>>>>>>              
>>>>>>>
>>    Erik> Spammers can use this loophole to get around SPF.  Thus SPF
>>    Erik> is ...  well ... broken.
>>
>>This complain to SRS is something new to me, and such knowledge will
>>enhance our understanding on naysayers of SPF.  Care to take a look at
>>
>>http://www.libsrs2.org/srs/srs.pdf
>>    
>>
>
>That pdf didn't work for me.  I read this instead. 
>http://spf.pobox.com/srspng.html
>
>I was thinking that a spammer could creates an envelope address with
>"SRS0+hash=timestamp=aol.com=bob@throwawaydomain.com" and a From:
>bob@aol.com with valid SPF info in throwawaydomain.com.
>
>  
>

Indeed. SRS breaks SPF. SPF seems to be good only for direct mailing
domains. It essentially breaks all lists.

I guess the only way to allow forwarding is for the MTA to sign each
outgoing message and then to publish the public key in the DNS. I don't
see another way around it.

- Adam

-- 
Building your applications one byte at a time
http://www.galacticasoftware.com

Reply to:

Follow-Ups:
- Re: SPF
  - From: Andreas Barth <aba@not.so.argh.org>
- Re: SPF
  - From: Russell Coker <russell@coker.com.au>

References:
- Bug#257644: ITP: libspf2 -- Sender Policy Framework library, written in C
  - From: Eric Dorland <eric@debian.org>
- Re: Bug#257644: ITP: libspf2 -- Sender Policy Framework library, written in C
  - From: Josselin Mouette <joss@debian.org>
- SPF (was: Re: Bug#257644: ITP: libspf2 -- Sender Policy Framework library, written in C)
  - From: Adrian 'Dagurashibanipal' von Bidder <avbidder@fortytwo.ch>
- Re: SPF (was: Re: Bug#257644: ITP: libspf2 -- Sender Policy Framework library, written in C)
  - From: Isaac To <iketo2@netscape.net>
- Re: SPF (was: Re: Bug#257644: ITP: libspf2 -- Sender Policy Framework library, written in C)
  - From: erik@zoneedit.com (Erik Aronesty)
- Re: SPF (was: Re: Bug#257644: ITP: libspf2 -- Sender Policy Framework library, written in C)
  - From: Isaac To <iketo2@netscape.net>
- Re: SPF (was: Re: Bug#257644: ITP: libspf2 -- Sender Policy Framework library, written in C)
  - From: erik@zoneedit.com (Erik Aronesty)

Prev by Date: Re: Free non-software stuff and what does it mean. [was Re: General Resolution: Force AMD64 into Sarge]
Next by Date: Re: Free non-software stuff and what does it mean. [was Re: General Resolution: Force AMD64 into Sarge]
Previous by thread: Re: SPF (was: Re: Bug#257644: ITP: libspf2 -- Sender Policy Framework library, written in C)
Next by thread: Re: SPF
Index(es):
- Date
- Thread