|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: Spammers Skirt IP Authentication Attempts
> Date: Wed, 8 Sep 2004 20:15:01 +0100 (BST) > From: Chris Edwards <[email protected]> > Subject: Re: Spammers Skirt IP Authentication Attempts > > | SPF verification query gets returns one of three kinds of result: > | 1) MISMATCH on point-of-origin vs domain 'authorized' senders. *VERY* > | probably spam. > > Either spam, or almost any item of forwarded mail :-( Beg to differ. Forwarded mail almost always shows an 'envelope from' of the _forwarding_ party. Case in point: all email, sent to nanog is 'forwarded' to me, and the other readers of the list. It has an "inside address" (per the 'From:' header) of whomever authored the message. *BUT*, the 'envelope from', in the SMTP transaction is completely different: <[email protected]> A _successful_ SPF check on 'merit.edu' would, hopefully include 198.108.1.26 (trapdoor.merit.edu) in the list of 'official outgoing mail sources. Ignoring for the moment the fact that Merit hasn't added SPF records to DNS yet. :) Same thing applies for 'simple' forwarding via sendmails '~/.forward' mechanism. the mail server 'accepts' the mail from the original source, and then 're-sends' to the new destination. That re-send originates as the _forwarding_party_, WITH an 'envelope from' of that forwarding party, even though the internal content ofthe message may show a _different_, and unrelated, "From" address. An SPF check of the _immediate_ sender does *NOT* break forwarded mail. Unless the forwarding process is _totally_ borken, that is. <grin>
|