Autor: Avleen Vig Data: A: David Woodhouse CC: Avleen Vig, exim-users Assumpte: Re: [Exim] Fixing SPF Forward Problem by Reply-to: Hack?
On Sun, Mar 21, 2004 at 10:39:39PM +0000, David Woodhouse wrote: > > You seem to believe that it is valid for (example) somebody@??? to
> > run an MTA on his local machine and send mail out with:
> > mail from: sombody@???
> > This should not be happening.
>
> Wrong. That kind of thing has _always_ happened and always been
> considered valid in the real world -- just not in the Brave New World of
> SPF.
> It happens especially in the case of mail forwarding, where
> somebody@??? sends mail to one of my local users with a .forward
> file, and then my system sends the mail on.
Your system, if the true relay for the domain, shouldn't have a problem.
Otherwise implement smarthosting.
What USED to be acceptable in the "real world" needs to change. We
accepted a change to close open relays, now we must accept further
change. Spam is a serious problem that costs companies more money than
you can imagine. I'm sorry to say this, but a minor inconvenience for
you is not a big deal. There are solutions for the forwarding problem
(which is really the only thing left people can use against SPF) and
that are not hard to implement.
> > This is the same behaviour as used by
> > trojan MTA's which send spam. I believe they now account for the
> > majority of spam sent outbound and am in the process of gathering the
> > imperical data to back this claim up.
>
> What would be the point in that? It shows nothing.
> We _agree_ that spammers use faked addresses in reverse-paths without
> the consent of the 'owner' of the address in question. The reverse-path
> is, in that context, 'invalid' for the mail. I agree that some way of
> rejecting these mails is useful.
>
> But you have asserted that SPF does "FAR more than just verify the
> sender's address". This is true -- SPF rejects a lot of valid email too.
> You were asked to explain what else SPF does; be explicit about this
> 'FAR more' that it does, and why it's of benefit. You haven't done so.
I was sure I had explained it in how it disallows mail from unauthorized
sources. This is more than verifying the sender address - it is
verifying the legitimacy of the relay itself. If most spam comes from
illegitimate relays, SPF does "far more" than just verify the name of
the sender.