Walt Mankowski on 22 Mar 2004 00:18:02 -0000
On Sun, Mar 21, 2004 at 02:29:36PM -0500, Jeff McAdams wrote:
> The problem with SPF is that it claims to prevent header "forging", but
> that's not really what it's doing. It does prevent header forging, but
> it does considerably more than that as well, and the "considerably more"
> is where the problems show up.
>
> Part of the problem is defining "header forging". Clearly spam messages
> sent with a From: address of something at yahoo.com would be considered
> forged...but what about this email? The From: address on it is jeffm at
> iglou.com. But I'm currently using my laptop at my parents' house,
> through their cable modem connection. I'm sending this with my jeffm at
> iglou.com From: address because *I* am jeffm at iglou.com. But my
> laptop isn't on an iglou.com Internet connection at the moment. Now, in
> this case, it's not all that big of a deal because IgLou has considerable
> clue and provides SMTP AUTH based relaying, so this email will bounce
> off of IgLou's servers.
>
> If IgLou didn't provide SMTP AUTH based mail relaying, however, and
> implemented strict SPF, then I would be unable to send email (assuming
> SPF were widely checked) with my jeffm at iglou.com address, even though
> it would be perfectly valid for me to do so. Given that I have recently
> had an exchange with someone who claims that SMTP AUTH based relaying
> capability is virtually unheard of for ISPs, and that IgLou is in the
> drastic minority because they do provide this (I don't know...it seems
> to me that not offering SMTP AUTH is rare, but I could certainly be
> wrong), it seems that strict SPF checking would then be quite
> problematic as I would have to use the SMTP server of my parents' cable
> modem connection, and then the email would be rejected because it's not
> coming from an SMTP server that's not in IgLou's SPF list.
>
> The idea of SPF is that using a From: address of a domain when the email
> isn't coming from a mail server that that domain administrator defines
> as valid, is "forgery." But, for ISPs, they will either have to offer
> SMTP AUTH relaying, not implement strict SPF, or make the decision that
> their customers will only be able to send email when they are connected
> to that ISP's connectivity (that's a slight oversimplification, but not
> much), that last will not be a commercially pleasant alternative for
> ISPs to swallow.

You're confusing the envelope sender with the From: address. SPF only
protects the *envelope*. In fact, it doesn't even look at the message
itself, only the envelope.

You can set your From: address to anything you want, so long as an
authorized host is given as the "Mail From:" domain in the SMTP envelope.
If you're on a Comcast cable modem, for instance, it's perfectly legal to
relay through their SMTP server but with a From: address of iglou.com.
The recipient's SMTP server will see the mail as coming from
"jeffm@comcast.net", but that'll be ok because it will be coming from a
Comcast SMTP server which they'll have authorized as being allowed to
send Comcast mail. But that's all just protocol. When the recipient
gets the mail, they'll just see "From: jeffm@iglou.com".

This is all explained quite clearly in the Linux Journal article.

Walt

Attachment:
signature.asc
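
The envelope/header distinction described in the message above, as an added example that is not part of the original post: a minimal SPF check whose only inputs are the connecting IP and the envelope MAIL FROM address, run on two deliveries of the same message. The SPF records, IP addresses and the receive() helper are constructed for illustration (they are not the domains' real policies), and only the ip4 and all mechanisms are handled.

```python
import ipaddress
from email import message_from_string

# Constructed SPF policies (not the real published records), keyed by domain.
# Addresses are from the RFC 5737 documentation ranges.
SPF_RECORDS = {
    "comcast.net": "v=spf1 ip4:192.0.2.0/24 -all",
    "iglou.com": "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(client_ip, mail_from, records=SPF_RECORDS):
    """Evaluate SPF for the envelope sender only (ip4 and all mechanisms)."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # domain publishes no SPF policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term


def receive(client_ip, mail_from, raw_message):
    """What a receiving MTA sees: SPF verdict plus the header the user reads."""
    header_from = message_from_string(raw_message)["From"]
    return {"spf": spf_check(client_ip, mail_from), "header_from": header_from}


# Constructed message: the From: header says iglou.com in both deliveries.
MESSAGE = "From: jeffm@iglou.com\nTo: list@example.org\nSubject: SPF\n\nhello\n"

if __name__ == "__main__":
    # Relayed via the cable ISP's server with that ISP's envelope sender.
    print(receive("192.0.2.25", "jeffm@comcast.net", MESSAGE))
    # Same server, but the envelope sender claims iglou.com.
    print(receive("192.0.2.25", "jeffm@iglou.com", MESSAGE))
```

The From: header is parsed only to show what the recipient reads; spf_check() never receives it, so the verdict changes with the envelope sender alone.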