Author: Graeme Fowler
Date:
To: exim users
Subject: Re: [exim] Alias to external server and SPF failure
On Sun, 2010-05-23 at 17:48 -0400, W B Hacker wrote:
> And probably would still do so even if 100% of the 'proper' smtp world published
> such records, simply because WinBots will not.
But... you don't know that.
For any domain that publishes an SPF record, there is a finite (and
growing) chance that a bot or trojan will attempt to use an address
within that domain as a sender address.
*That* is what SPF is all about: forgeries.
Hypothetical example: I register example.com. I provide an SPF record of
"-all" for example.com, which means "this domain does not send email". I
also publish an address for people to send *to* - hell, say,
postmaster@???.
Imagine an outbreak (it's not very hard) of a bot within a corporate
network. These are hosts behind a NAT firewall, forced to send via
Windows group policy via a local authenticated SMTP gateway. The bot
uses the corporate policy to send junk via the corporate mail gateway
using someone's credentials.
Eventually, the bot uses postmaster@??? as the sender address.
Everyone using SPF on inbound mail has their MTA say "whoa, this domain
uses -all, go away" after only a couple of lookups - or even after only
one.
I appreciate that the SPF Kool-Aid is strong on the "this is the
solution" side (or at least it was), which seems to make arguing for SPF
a weak exercise; however on the flip side the "SPF is a complete waste
of time" is just as weak.
SPF has its place. Don't discount it just because a number of loud
voices on both ends of the argument make vociferously opposing points -
the middle ground, as per usual, is where it's at.
rDNS is not the solution. It isn't even a decent placebo - and neither
is SPF. But in conjunction they can (and do) work fairly well; added to
other checks they work even more accurately.
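The scenario in the post (a domain publishing "-all" so that any bot forging its addresses is refused on the first lookup) can be traced with a small receiver-side SPF evaluator. This is an added illustration, not code from the thread or from Exim; it models the `ip4`/`ip6` and `all` mechanisms only, and the records, domains and client addresses are constructed stand-ins for DNS TXT lookups (RFC 5737 documentation ranges).

```python
import ipaddress

# Constructed SPF records keyed by domain, standing in for DNS TXT lookups.
CONSTRUCTED_RECORDS = {
    "example.com": "v=spf1 -all",                       # "this domain sends no mail"
    "corp.example": "v=spf1 ip4:198.51.100.0/24 ~all",  # only the corporate gateway
    "open.example": "v=spf1 +all",                      # anyone may send (worthless)
}

# Qualifier prefix -> SPF result when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_domain, client_ip, records=CONSTRUCTED_RECORDS):
    """Evaluate the sender domain's SPF record against the connecting client IP.

    Returns one of: none, pass, fail, softfail, neutral, permerror.
    Only ip4/ip6/all mechanisms are handled; anything needing further DNS
    (a, mx, include, redirect=) yields permerror in this simplified model.
    """
    record = records.get(sender_domain)
    if record is None:
        return "none"                    # no SPF record published at all
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                    # not an SPF record
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                  # default qualifier is "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # "all" always matches
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"       # malformed CIDR in the record
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
            continue
        return "permerror"               # unsupported mechanism/modifier
    return "neutral"                     # record exhausted without a match


def policy_action(spf_result):
    """Map an SPF result to what a cautious inbound MTA would do with it."""
    if spf_result == "fail":
        return "reject"                  # hard fail: refuse at SMTP time
    if spf_result == "softfail":
        return "accept-and-mark"         # let later checks weigh it
    return "accept"                      # pass/neutral/none/permerror: other checks decide


def trace_forged_postmaster(bot_ip="203.0.113.5"):
    """The post's example: a bot forging postmaster@example.com from an unrelated IP."""
    result = check_spf("example.com", bot_ip)
    return result, policy_action(result)


if __name__ == "__main__":
    print(trace_forged_postmaster())  # ('fail', 'reject') after a single lookup
    print(check_spf("corp.example", "198.51.100.7"), "<- legitimate gateway")
    print(check_spf("corp.example", "203.0.113.5"), "<- forged from outside")
```

The point the post makes is visible in the first line of output: a "-all" record needs exactly one record lookup for a receiver to refuse a forged sender, whereas the softfail on `corp.example` is only a hint that has to be combined with rDNS and other checks, which is the "middle ground" the post argues for.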