Re: [exim] SPF Feature - Walk Received header

Peter Bowyer wrote:
> On 07/05/2009, Marc Perkel <marc@???> wrote:
>
>> I'm not currently using SPF but I thought of a feature that mught make
>> SPF useful. If there were a test that checked all the received lines and
>> returned true if any host matched the SPF record it might eliminate the
>> forwarding issue that SPF breaks.
>>
>
> That would leave a gaping barn-door-sized hole in SPF - a forger could
> look up the SPF record for the domain he was forging, and add a forged
> Received header claiming the message had been originated correctly.
>
> I guess you could apply this rule to a small whitelist of trusted
> forwarders, though. But those people should be using SPF/SRS
> themselves (mine do).
>
> Peter
>
>

Granted that a spammer could forge received headers. Most don't. I'm
thinking that not bouncing forwarded email is better than the few
spammers who sneak through. And if a spammer is forging received lines
that might be detectable if they don't do a good job of it. I think it
would be a useful feature if it were in there.