[Mimedefang] SPF and really stupid mailers

Steffen Kaiser skmimedefang at smail.inf.fh-bonn-rhein-sieg.de
Thu Jul 13 03:44:51 EDT 2006


On Wed, 12 Jul 2006, David F. Skoll wrote:

> WBrown at e1b.org wrote:
>
>> This morning, I had an issue come up with a customer involving
>> Hallmark.com trying to send a greeting card through our filters.
>> Apparently Hallmark uses the email address of the sender as entered on the
>> web form as the SMTP Mail From: data.  That's all well and good until
>> someone uses a domain like Adelphia.net who has an SPF record that says
>> "-all".  General practice is to add 5 points for SPF hard failures like
>> this, so the message eventually bounces.
>
> This is a perfect illustration of why SPF is broken.

Well, you can turn this problem around into: This is why SPF cannot work, 
because not everybody implements it.
SPF papers themselves tell what to do - the way you've outlined below 
yourself: 
Each sender must use a MAIL FROM he controls! No "sending on behalf of"s.

eGreeting cards and similar ones are one thing, but this problem also 
applies to forwards (aliases) and roaming users using ISP's SMTP servers 
forcibly. Latter ones struck me more.

Actually, I wish OpenSource and free software had adopted PGP years ago in 
a user-friendly manner - not to verify the particular unique _person_, 
but sender. (I mean, if the signature matches, you still do not know if the 
person really is named as written in the key.)
Of course, in a world full of zombies and bots, neither PGP nor SPF help 
much.
Bah, just read this headline: "PGP & GPG Email for the Practical Paranoid" 
- one must be paranoid to care about misuse? :-(

> I don't handle them particularly.  I would petition Hallmark to use
> something like greeting-card-bounce at hallmark.com as the envelope
> sender and the entered e-mail address as the From: header.  You might
> want to try that.

SPF suggests that bounces are relayed by "on behalf of" senders, e.g.

MAIL FROM: origBox%origDomain%bounce at example.com
...

500 failed

then the example.com relays the bounce further to
origBox at origDomain.

Forwarding / Aliases is to handle the same!? :-(

Bye,

-- 
Steffen Kaiser
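
Added example, not part of the original post and not MIMEDefang or SPF project code: a sketch of why the card site's mail fails SPF when the user's address is the envelope sender, and how the origBox%origDomain%bounce rewriting from the message changes the result. The domains, IP addresses, SPF records and function names are constructed for illustration, and the evaluator handles only the ip4 and all mechanisms.

```python
import ipaddress

# Constructed SPF policies on documentation address space; not real DNS data.
SPF = {
    "sender-isp.example": "v=spf1 ip4:192.0.2.0/24 -all",   # the user's ISP
    "cards.example": "v=spf1 ip4:198.51.100.0/24 -all",     # the card site
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(mail_from, client_ip):
    """Evaluate the envelope sender's domain; handles only ip4 and all."""
    record = SPF.get(mail_from.rpartition("@")[2].lower())
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULT else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return RESULT[qualifier]
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:]):
            return RESULT[qualifier]
    return "neutral"

def encode_bounce(orig_sender, relay_domain):
    """Build origBox%origDomain%bounce@relay as the new MAIL FROM."""
    box, _, dom = orig_sender.rpartition("@")
    if not box or not dom or "%" in orig_sender:
        raise ValueError("cannot encode unambiguously: " + orig_sender)
    return f"{box}%{dom}%bounce@{relay_domain}"

def decode_bounce(rcpt, relay_domain):
    """Recover the original sender from a bounce recipient, else None."""
    local, _, dom = rcpt.rpartition("@")
    parts = local.split("%")
    if dom.lower() != relay_domain or len(parts) != 3 or parts[2] != "bounce":
        return None
    if not parts[0] or not parts[1]:
        return None
    return f"{parts[0]}@{parts[1]}"

if __name__ == "__main__":
    card_server = "198.51.100.7"                 # constructed sending IP
    user = "alice@sender-isp.example"            # address typed into the form
    print(spf_check(user, card_server))          # user's address as MAIL FROM
    rewritten = encode_bounce(user, "cards.example")
    print(rewritten, spf_check(rewritten, card_server))
    print(decode_bounce(rewritten, "cards.example"))
```

The plain format carries no integrity tag, so the relay cannot tell bounce addresses it issued from ones made up by a third party.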


