Re: [suse-security] Email Spoofing
Date: Thu Jul 22 2004 - 09:37:12 CDT
Quoting Arjen de Korte <suse+securityde-korte.org>:
> In a few years time, the '?all' will become obsolete and '-all' will be all
> that you want at the end of your SPF record. Or risk that people will forge
> mail from your domain.
> Publishing '?all' at the end of your SPF record doesn't break it. If you
> designate legitimate senders, they will pass however.
> I suggest you first read up on SPF before you're making a fool of yourself
> more than you already did. Only when receiving a SPF 'pass', e-mail is
> considered legitimate, SPF 'softfail' and 'neutral' will still be accepted,
> but is not considered to be legitimate. Only in case of SPF 'fail' a message
> should be bounced.
> SPF 'neutral' is NOT considered trusted. And by the time that most hosting
> providers will have switched to remailing instead of forwarding (I know, this
> will take time) 'neutral' and 'softfail' will be almost equivalent to 'fail'
> for Bayesian filters, as spammers and viruses will only be able to get
> through by using domains which default to 'neutral' or 'softfail'.
> > Oh, and I'm not "picturing" it. It actually happened to me. I was a big
> > proponent of the idea of SPF until my customers started complaining.
> You must have published a '-all' at the end of your SPF record and failed to
> oversee the consequences of doing this.
You seem to be on some sort of holy crusade in regards to SPF. I'm not.
Personally, I'm in favor of just about anything that will reduce spam without
angering my customers. There are far too many people on these holy crusades.
Other people talk about the purity of SMTP and not mixing up layers.
Personally, I don't care. I just want it to work.
I didn't have "?all" in my SPF records because http://spf.pobox.com mentioned
NOTHING about that being a way to avoid problems with forwarding. Maybe
somewhere in the mailing list, but not in the main docs and not in the FAQ.
You may have time to go crawling through mailing lists for your pet crusade,
but I don't.
You mention "softfail", "neutral", and "passed", but they're all the same. In
each case, the mail is delivered. Setting "?all" means that anyone can spoof
my domain and it will be delivered. What's the difference between that and
what we have now? Since the large providers use "?all", SPF is at best a
placebo, at worst it breaks legitimate messages.
The docs say, "Do the above lines describe all the hosts that send mail from
your domain? Then use '-all'". All the mail for my domain comes out of a
single network that was specified. I guess you consider someone a fool if they
follow the documentation without reading three thousand e-mails off the mailing
When I heard about SPF, it sounded like a good idea, so I decided to post my
mail network as the only trusted network for my domain, figuring that it
couldn't cause any harm and might help some other people out. I decided that
later, after SPF had matured, that I would look into using it to block e-mail
on our own servers. Unfortunately, the first step didn't work out.
I'm just a sysadmin. I don't have a cause. I just want things to work. I
would love SPF to work. But I don't have time to spend weeks on your pet
I don't understand why SPF blockers don't simply check ALL of the received
headers and "pass" if the proper mail server is anywhere in the chain. It's a
simple and obvious fix for the problem of forwarding without forcing anyone to
change their mail servers...
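
The following is an added example, not part of the original message or of any SPF implementation: a small evaluator showing what the record endings argued about above ('-all', '~all', '?all') produce for the domain's own mail network, a forwarder that keeps the original envelope sender, and a forger. The addresses are documentation ranges and the function names are hypothetical; only `ip4:`, `ip6:` and `all` are handled, and the receiver policy is the one stated in the quoted reply.

```python
import ipaddress

# Qualifier prefix -> SPF result; "+" is implied when no qualifier is given.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, client_ip):
    """Evaluate an SPF record string against the connecting client's IP.

    Only ip4:, ip6: and all are handled (no DNS lookups); anything else raises.
    """
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(mech[4:], strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        raise ValueError(f"mechanism not handled in this sketch: {term}")
    return "neutral"  # nothing matched and the record has no "all" term

def receiver_action(result):
    """Receiver policy as described in the quoted reply above."""
    if result == "fail":
        return "reject"
    if result == "pass":
        return "accept (legitimate)"
    return "accept (not considered legitimate)"

# Constructed sample data: documentation address ranges, not real hosts.
SENDERS = {"own mail network": "192.0.2.10",
           "third-party forwarder": "198.51.100.25",
           "forger": "203.0.113.9"}

def compare(endings=("-all", "~all", "?all")):
    """Return {ending: {sender: (spf_result, action)}} for each record ending."""
    table = {}
    for ending in endings:
        record = f"v=spf1 ip4:192.0.2.0/24 {ending}"
        table[ending] = {}
        for name, ip in SENDERS.items():
            result = check_spf(record, ip)
            table[ending][name] = (result, receiver_action(result))
    return table
```

For every ending, the forwarder and the forger get the same result, because the check sees only the connecting IP and the envelope sender domain.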