Re: [exim] Sender callout verification on BATV signed addres…

Góra strony
Delete this message
Reply to this message
Autor: Richard Salts
Data:  
Dla: Ian Eiloart, exim-users
Temat: Re: [exim] Sender callout verification on BATV signed addresses
On Mon, 17 Aug 2009 19:38:41 you wrote:
>
> --On 15 May 2009 11:33:15 +1000 Richard Salts <exim@???> wrote:
>
> >
> > I'm not sure that SPF is such a great utility, except for whitelisting
> > valid senders emails. Receiving a message from a host not listed for the
> > domain isn't a good indication that the email is a forgery, as
> > forwarding breaks this assumption.
>
> It's too late to worry about this. Already several important domains
> publish spf records with "-all", and some large email providers like Google
> use spf records in their spam assessments.
>
> You can see a list of top domains with spf "-all" records at
> <http://spf-all.com/>.

The litmus test is not people publishing spf records with -all, but people
rejecting based on this policy. If enough people in a business start
complaining about emails being rejected from a -all policy it's a simple
matter for a local administrator to change it back to ?all.

>
> If you're forwarding mail for your users without rewriting the sender
> domain, then you should expect some of that forwarding to fail.

The problem with this is that if you're forwarding the email around through
too many hops the localpart on the envelope sender is eventually going to be
too long to be a valid email address, especially if you're using a
cryptographic hash in the envelope of the rewritten sender. Not using a hash
opens you up to spammers being able to create backscatter spam through your
forwarding service by forging a bounce to their rewritten sender address.

>
> SPF will cause some pain for the next few years, while forwarders catch up.
> In the end, it'll give us a huge benefit of allowing us to assign
> reputation to a sender address - before we see the body of an email.

A reputation service on sender address would be great. But I don't think it's
that much more helpful than the current ip based reputation services.
Admittedly it's much more intuitive to end users of email, but I think most
of them will probably handball the task to their email administrator, or
would quickly be able to grasp the current disconnect between domain
reputation and ip address reputation.

>
>
> --
> Ian Eiloart
> IT Services, University of Sussex
> 01273-873148 x3148
> For new support requests, see http://www.sussex.ac.uk/its/help/
>