Re: [exim] Alias to external server and SPF failure

Author: Graeme Fowler
Date:  
To: exim users
Subject: Re: [exim] Alias to external server and SPF failure
On Sun, 2010-05-23 at 17:48 -0400, W B Hacker wrote:
> And probably would still do so even if 100% of the 'proper' smtp world published
> such records, simply because WinBots will not.


But... you don't know that.

For any domain that publishes an SPF record, there is a finite (and
growing) chance that a bot or trojan will attempt to use an address
within that domain as a sender address.

*That* is what SPF is all about: forgeries.

Hypothetical example: I register example.com. I provide an SPF record of
"-all" for example.com, which means "this domain does not send email". I
also publish an address for people to send *to* - hell, say,
postmaster@???.

Imagine an outbreak (it's not very hard) of a bot within a corporate
network. These are hosts behind a NAT firewall, forced to send via
Windows group policy via a local authenticated SMTP gateway. The bot
uses the corporate policy to send junk via the corporate mail gateway
using someone's credentials.

Eventually, the bot uses postmaster@??? as the sender address.

Everyone using SPF on inbound mail has their MTA say "whoa, this domain
uses -all, go away" after only a couple of lookups - or even after only
one.

I appreciate that the SPF Kool-Aid is strong on the "this is the
solution" side (or at least it was), which seems to make arguing for SPF
a weak exercise; however on the flip side the "SPF is a complete waste
of time" is just as weak.

SPF has its place. Don't discount it just because a number of loud
voices on both ends of the argument make vociferously opposing points -
the middle ground, as per usual, is where it's at.

rDNS is not the solution. It isn't even a decent placebo - and neither
is SPF. But in conjunction they can (and do) work fairly well; added to
other checks they work even more accurately.

Graeme
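
Added example, not part of Graeme's message or of Exim: a minimal SPF evaluation showing why the "-all" domain in the hypothetical is rejected after a single TXT lookup, whichever gateway relays the forgery. The TXT records, the IP addresses, the corp.example domain and the full postmaster address are constructed for illustration; only ip4, ip6 and all are handled.

```python
import ipaddress

# Constructed TXT records for illustration; not data from the message.
TXT = {
    "example.com": "v=spf1 -all",                    # domain that sends no mail
    "corp.example": "v=spf1 ip4:192.0.2.0/24 -all",  # hypothetical sending domain
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, txt=TXT):
    """Return (spf_result, dns_lookups) for a client IP and MAIL FROM domain.

    Only the ip4, ip6 and all mechanisms are implemented in this sketch.
    """
    lookups = 1  # the one TXT query for the sender domain
    record = txt.get(domain, "")
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none", lookups
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            return RESULTS[qualifier], lookups
        if name not in ("ip4", "ip6"):
            raise NotImplementedError(f"mechanism not handled here: {term}")
        if addr in ipaddress.ip_network(arg, strict=False):
            return RESULTS[qualifier], lookups
    return "neutral", lookups  # nothing matched and no "all" term


def smtp_verdict(ip, mail_from):
    """What an inbound MTA that rejects on SPF 'fail' does at MAIL FROM."""
    domain = mail_from.rsplit("@", 1)[1].lower()
    result, lookups = check_host(ip, domain)
    return ("reject" if result == "fail" else "accept", result, lookups)


if __name__ == "__main__":
    gateway = "198.51.100.25"  # constructed address of the corporate gateway
    print(smtp_verdict(gateway, "postmaster@example.com"))
    print(smtp_verdict("192.0.2.10", "user@corp.example"))
```

A domain with no SPF record returns "none" and is accepted by this check, which is why the message pairs SPF with rDNS and other checks.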