Auteur: Edgar Lovecraft Date: À: exim-users Sujet: Re: [Exim] Fixing SPF Forward Problem by Reply-to: Hack?
Avleen Vig wrote: >
> On Sun, Mar 21, 2004 at 11:01:01PM +0000, David Woodhouse wrote:
> > > I'm sorry to say this, but a minor inconvenience for
> > > you is not a big deal. There are solutions for the forwarding
> > > problem (which is really the only thing left people can use against
> > > SPF) and that are not hard to implement.
> >
> > There isn't a coherent solution to the forwarding problem which is
> > worth the supposed benefit that SPF offers. A minor inconvenience for
> > me _is_ a problem, because it's the same minor inconvenience for
> > _everyone_ who the SPF-advocates need to upgrade to SMTPv2 -- and that
> > basically means it's not going to happen, I suspect.
>
> My point was simply that the number of people this impacts is
> infinitesimal compared to the number of people SPF can benefit. I *am*
> one of those people, but I know when it's important to make extra effort
> for the greater good. It's called being a good Internet neighbour.
> > > I was sure I had explained it in how it disallows mail from
> > > unauthorized sources. This is more than verifying the sender address
> > > - it is verifying the legitimacy of the relay itself. If most spam
> > > comes from illegitimate relays, SPF does "far more" than just verify
> > > the name of the sender.
> >
> > You still don't say why this is a _good_ thing. We know why it breaks
> > -- but how does it _help_?
> > Please give an example of a spam which would be stopped by SPF but
> > _not_ by other methods of verifying that the address in the
> > reverse-path really is controlled by the actual sender of the mail.
>
> Pick any virus which sends out mail from an infected computer where the
> from address is randomly chosen from the infected user's addressbook.
> These viruses work in two ways:
> Spoofing the from address and mailing out through the ISP's relays
> Spoofing the from address (or not) and mailing out directly to MX SPF
> stops both of these.
>
> Drone PC's (those infected by trojans) which are used to send out spam
> either through ISP relays or directly to MX with spoofed from addresses.
>
> There, you have two examples. :-)
> I cannot let that slide, even though my opinion has been called nieve.
Why use SPF when there is a much simpler approach to those examples.
EVERY ISP should at the very least scan email for viruses before the
message leaves its relay servers, so how does SPF protect what message
scanning does not.
As to 'direct to MX' this is where EVERY ISP should disallow outbound port
25 (SMTP), thus forcing the spam/virus to send either through the relay,
or to another relay that is on a port different than 25 (wich can be
easily tracked). So again, how does SPF help?
My solution proposed above is easier to implement than SPF, and DOES NOT
require 'global compliance' to work, as thse ISP's that do allow 'rouge'
traffic are going to be discredited and 'blacklisted' in their entirety
until the problems are taken care of.
Is this inconvienient to those that do not 'pay for the priviladge' of
running thier own servers (either 'business class connections' or 3rd party
relay server) yes, but so is SPF, and SPF is less friendly to thses people
than my solution (but just with SPF my solution does not 'fix' everything).
Cheers!
--