>> Not really.  SPF applies to envelope senders; people's mail clients
>> show the header senders.  So you can have MAIL FROM:<spammer at throwaway.net>
>> and From: <servce at intl.paypal.com> with an SPF pass. :-(

> However, it is possible to notify end-users about this case. Once I placed 
> the MAIL FROM into the subject, if the addresses differ, but this caused 
> lots of grief with mailing lists.

> I wonder why so few MUAs show a notice, when Return-Path and From differs. 
> - - Actually I remember this only on Webmail.

Exactly - if I could verify that the claimed sender was indeed the actual sender, many of my problems would be removed instantly.

Similarly, if you are not already doing some scoring based on whether the envelope sender, message From: and Reply-To: headers bear some resemblance to each other (same domain is normal, cross-domain is suspicious), then you'll be seeing a lot of leakage.  I add to the SA score manually if the domains are different between the envelope sender and the From:, and add a smaller amount if the From: and Reply-To: headers give different domains - there are legitimate messages which have this, but they're rare in my experience.

Worst case is envelope sender of <spammer at gmail.com>, which has a valid SPF record, then the From: says <security at yourbank.com>, while the Reply-To: is <throwaway at hotmail.com>.
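As an added illustration of the cross-domain scoring described above (this is example code written for this page, not the poster's SpamAssassin configuration or anything from the list), the script below pulls the envelope sender, From: and Reply-To: domains out of a message and adds a larger penalty when the envelope sender and From: disagree and a smaller one when From: and Reply-To: disagree. The weights, the sample messages and the function names are assumptions; the "worst case" message is constructed to match the three-domain scenario in the post.

```python
import email
from email.utils import parseaddr

# Assumed penalty weights (illustrative, not the poster's real SA scores):
# envelope/From mismatch is weighted more heavily than From/Reply-To mismatch.
ENVELOPE_FROM_MISMATCH = 2
FROM_REPLYTO_MISMATCH = 1

# Constructed sample: the "worst case" from the post - envelope sender at gmail.com
# (which would pass SPF), header From: at a bank, Reply-To: at a throwaway account.
WORST_CASE = """Return-Path: <spammer@gmail.com>
From: Security Team <security@yourbank.com>
Reply-To: <throwaway@hotmail.com>
To: victim@example.org
Subject: Please verify your account

Click here.
"""

# Constructed sample of an ordinary message: all three addresses share one domain.
NORMAL_CASE = """Return-Path: <alice@example.com>
From: Alice <alice@example.com>
Reply-To: Alice <alice@example.com>
To: bob@example.org
Subject: Lunch?

Noon?
"""


def domain_of(header_value):
    """Return the lower-cased domain of the first address in a header, or None."""
    if not header_value:
        return None
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return None
    # Exact-domain comparison only; a subdomain such as intl.paypal.com would not
    # match paypal.com here, so a real filter may want registrable-domain matching.
    return addr.rsplit("@", 1)[1].lower()


def sender_domains(raw_message, envelope_sender=None):
    """Extract the envelope, From: and Reply-To: domains.

    envelope_sender is the SMTP MAIL FROM if the caller has it (e.g. from the MTA);
    otherwise the Return-Path header recorded at delivery is used as a stand-in.
    """
    msg = email.message_from_string(raw_message)
    env = envelope_sender if envelope_sender is not None else msg.get("Return-Path")
    return {
        "envelope": domain_of(env),
        "from": domain_of(msg.get("From")),
        "reply_to": domain_of(msg.get("Reply-To")),
    }


def mismatch_score(raw_message, envelope_sender=None):
    """Return (score, reasons) for cross-domain sender mismatches.

    A missing header is not penalised: many legitimate messages have no Reply-To:.
    """
    d = sender_domains(raw_message, envelope_sender)
    score = 0
    reasons = []
    if d["envelope"] and d["from"] and d["envelope"] != d["from"]:
        score += ENVELOPE_FROM_MISMATCH
        reasons.append("envelope sender %s != From %s" % (d["envelope"], d["from"]))
    if d["reply_to"] and d["from"] and d["reply_to"] != d["from"]:
        score += FROM_REPLYTO_MISMATCH
        reasons.append("From %s != Reply-To %s" % (d["from"], d["reply_to"]))
    return score, reasons


if __name__ == "__main__":
    for label, raw in (("worst case", WORST_CASE), ("normal", NORMAL_CASE)):
        score, reasons = mismatch_score(raw)
        print("%s: score=%d %s" % (label, score, "; ".join(reasons)))
```

Passing the real MAIL FROM as envelope_sender is preferable to reading Return-Path, since Return-Path is only trustworthy when your own MTA wrote it at final delivery. Mailing lists, as the thread notes, legitimately rewrite the envelope sender while leaving From: intact, so a mailing-list allowlist or a List-Id check would normally sit in front of this score.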


