
Re: SPF (was: Re: Bug#257644: ITP: libspf2 -- Sender Policy Framework library, written in C)



Isaac To <iketo2@netscape.net> wrote in message news:<2lxJ5-8oQ-17@gated-at.bofh.it>...
> >>>>> "Erik" == Erik Aronesty <erik@zoneedit.com> writes:
> 
>     Erik> I was thinking that a spammer could create an envelope
>     Erik> address with
>     Erik> "SRS0+hash=timestamp=aol.com=bob@throwawaydomain.com" and a
>     Erik> From: bob@aol.com with valid SPF info in
>     Erik> throwawaydomain.com.
> 
>     Erik> They, obviously, could do this.  Someone who sees that spam
>     Erik> will, likely, blame aol.com and not "throwawaydomain.com".
>     Erik> Just like spammers use throwaway IPs to send mail, they
>     Erik> will use throwaway domains to masquerade as forwarding
>     Erik> agents - just like they use throwaway IPs now.
> 
> BTW, forwarding is normally set up manually, e.g., you might want your
> university to forward all mail to your home ISP account.  So you know
> exactly who are your valid forwarders (here, your university only).
> Your case would then be trivially blocked in the client side.
> 
> Regards,
> Isaac.

It cannot be stopped by the client.

If someone from AOL sends email to my university account and I forward
that to my roadrunner account without using SRS, Roadrunner could use
the SPF record on the original aol.com envelope header to see that my
university account is not a valid mail agent for AOL.com, and block my
forwarded files.

The only people involved in the blocking of my valid, forwarded mail
here would be AOL and Roadrunner... not me.

Remember, millions of people forward mail like this in many, varied
ways.

Every single one of them will need to modify their .forward scripts
and patch their MTAs, etc. to use SRS.

This solution is an enormous amount of work for everyone on the
Internet.
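
Added example, not part of the original message: a minimal model of which domain a receiver's SPF check actually evaluates for direct, forwarded, and SRS-rewritten envelope senders. The `.example` domains, IP ranges and the `ip4`-only policy table are constructed stand-ins for the hosts named in the thread, and `spf_check` is a hypothetical helper, not libspf2's API.

```python
import ipaddress
import re

# Constructed policy table: domain -> networks allowed to send for it.
# Real SPF records live in DNS and have more mechanisms than ip4.
SPF = {
    "aol.example": ["192.0.2.0/24"],
    "university.example": ["198.51.100.0/24"],
    "throwawaydomain.example": ["203.0.113.0/24"],
}

# SRS0 local part: SRS0<sep>hash=timestamp=original-domain=original-local
SRS0 = re.compile(r"^SRS0[=+-]([^=]+)=([^=]+)=([^=]+)=(.+)$", re.I)

def split_envelope(mail_from):
    """Return (domain SPF will check, original domain embedded by SRS or None)."""
    local, _, domain = mail_from.rpartition("@")
    m = SRS0.match(local)
    return domain.lower(), (m.group(3).lower() if m else None)

def spf_check(mail_from, client_ip):
    """Evaluate the connecting IP against the envelope domain's policy only."""
    domain, embedded = split_envelope(mail_from)
    if domain not in SPF:
        result = "none"
    else:
        ip = ipaddress.ip_address(client_ip)
        allowed = any(ip in ipaddress.ip_network(n) for n in SPF[domain])
        result = "pass" if allowed else "fail"
    # embedded_domain is informational: SPF never authenticates it.
    return {"checked": domain, "embedded": embedded, "result": result}

if __name__ == "__main__":
    cases = [
        ("direct from AOL", "bob@aol.example", "192.0.2.10"),
        ("forwarded, no SRS", "bob@aol.example", "198.51.100.7"),
        ("forwarded with SRS", "SRS0=HHH=TT=aol.example=bob@university.example", "198.51.100.7"),
        ("SRS-shaped sender at another domain",
         "SRS0+hash=timestamp=aol.example=bob@throwawaydomain.example", "203.0.113.5"),
    ]
    for label, sender, ip in cases:
        print(f"{label:38} {spf_check(sender, ip)}")
```

In the last case the "pass" vouches only for the domain after the "@"; a receiver that wants to trust the embedded original domain has to decide that from its own list of known forwarders, since the SRS hash can only be verified by the forwarder that generated it.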


