| Stephen Gran on 23 Mar 2004 04:35:03 -0000 |
|
On Mon, Mar 22, 2004 at 11:04:46PM -0500, Walt Mankowski said: > Have you read > > http://spf.pobox.com/faq.html#forwarding Yes. To quote: You can't make an omelet without breaking eggs, and unfortunately forwarding is the egg that breaks. We're doing our best to patch it back together with SRS. > http://spf.pobox.com/srs.html ? Although the perl module looks good, I suspect it would only be a matter of time before we are faced with the decision to either just dump large amounts of email, or be an open-proxy with this system. To be reasonably secure on a high volume server, you'd have to rotate the tokens fairly rapidly. Then you get an email back that has been having routing problems - it sat for four days on your box (where it got it's token originally), then it went to the next host, and sat there for a couple of more days. Finally it arrived at the destination, which is a stupidly setup MTA, and just accepts all mails for @domain, instead of checking that the recipient is valid. After a day or so on the queue, it bounces it back to the intermediate host. The intermediate host, still having problems, doesn't get it off the queue for a couple of more days. Now the token is a week and a half old, and you've rotated the one you're currently using. You dump this mail as a forgery, when in fact, your user just typed freind@ instead of friend@, and he thinks his friend got his email. While the above is stretch, it's also not unreasonable for a busy mailserver to have messages on the queue for several days due to remote problems. It's not that SPF does nothing, it's just that there are already things that do these kinds of things without breaking things in the way. Exim4 supports 'verify = sender/callout', which checks that both the domain has an MX record, and that that domain accepts mail for that user. that eliminates stuck messages in the queue. You can already reject mail based on mismatched/forged helo strings trivially in many MTA's, just by doing a DNS lookup. This doesn't stop someone from helo'ing as 'client.spammer.adsl.com', and setting a mail from: as joe@aol.com, but it's moving in the right direction, without breaking so many other things. The largeish ISP I do some backend work for rejects about 3 times as much mail as gets through right now, with just these kinds of checks in place. Admittedly, more spam than I would like is still getting through, but we're getting there. -- -------------------------------------------------------------------------- | Stephen Gran | A bird in the hand makes it awfully | | steve@lobefin.net | hard to blow your nose. | | http://www.lobefin.net/~steve | | -------------------------------------------------------------------------- Attachment:
pgpN3jADDe3Hh.pgp
|
|