[ On Sunday, March 21, 2004 at 09:55:10 (+0000), David Woodhouse wrote: ]
> Subject: Re: [Exim] Fixing SPF Forward Problem by Reply-to: Hack?
>
> That's the problem that SPF tries to solve -- but with a solution which
> works _now_ without the breakage of SPF. You _instantly_ stop getting
> bounces to fake mail, without anyone else having to do _anything_. And
> many people also stop receiving the fake mail claiming to be from you,
> if they're doing callouts.
Unfortunately the problem with forged sender addresses isn't stopping
any attempts of receiving fake mail claiming to be from you, it's
stopping many millions of other servers from receiving messages using
your address or any addresses in your domain that you didn't send so
that they don't feel they have to generate a new bounce message and send
it back to your server if the recipient address they accepted turned out
to be invalid.
As I said I've directly identified well over three million active mail
servers which send bounces to forged addresses, and all of these servers
are in use daily by spammers attacking others through this most
effective, distributed, and essentially unstoppable, flaw, er, mechanism.
The only solution to this problem is to convince _all_ of the
administrators of those _millions_ of other servers to fix their
software so that it will reject undeliverable mail during the initial
SMTP transaction. The only way to do that with any chance of success is
to somehow force all MTA software "vendors" to fix their software so
that it can only work that way and to also force the commercial vendors
to provide free and timely updates with this fix incorporated which
their users will be somehow contractually required to install. Yeah,
right, what am I thinking? I guess the only real solution is to stop
the spammers completely in the first place. Well one can only hope and
work towards such a goal, even if it seems unreachable.
Even Exim can very trivially be mis-configured to accept mail that it
cannot deliver and thus must bounce (and several of the most abusive of
those three million mis-configured servers are running Exim). Note that
attempting to do sender address verification _does_not_help_ either
since forged addresses are still valid addresses.
--
Greg A. Woods
+1 416 218-0098 VE3TCP RoboHack <woods@???>
Planix, Inc. <woods@???> Secrets of the Weird <woods@???>
