North American Network Operators Group

Re: ISP phishing

  • From: Tony Finch
  • Date: Wed Jun 29 09:29:14 2005

On Wed, 29 Jun 2005, Peter Corlett wrote:
> Tony Finch <[email protected]> wrote:
> [...]
> > Actually, what you have to guarantee is that you never send email to
> > anyone who forwards their email elsewhere. This is impossible.
>
> How do you figure that?
>
> The failure mode in this case is if somebody arranges "dumb" mail
> forwarding that doesn't do envelope rewriting, and also applies a SPF
> filter on their incoming mail. The problem is quite clearly of the
> recipient's making rather than any fault of the sender's.

Most forwarding services do nothing but change the envelope recipient
address, and this has been standard practice for many many years. Sites
that do SPF checking on incoming email must take this into account if
their users forward email from elsewhere. However most sites do not do so,
partly because the SPF documentation doesn't make it clear that they must,
and partly because it's basically impossible - for every user that
forwards email to your site you must whitelist the IP addresses of the
forwarding mail servers, and you can't find out what those IP addresses
are or when they change.

So if a site that checks SPF can't work around the forwarding problem, can
a site that publishes SPF? No, because a sender at a publishing site can't
find out if a recipient is suffering from this breakage.

The only solution is for the SPF checking recipient site to make it clear
to their users that they must not forward email from elsewhere. However
most sites do not do this.

Tony.
-- 
f.a.n.finch  <[email protected]>  http://dotat.at/
BISCAY: WEST 5 OR 6 BECOMING VARIABLE 3 OR 4. SHOWERS AT FIRST. MODERATE OR
GOOD.
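
Added example, not part of the original message: a minimal model of the forwarding failure described above, in which a forwarder changes only the envelope recipient, so the final site evaluates the original sender's SPF policy against the forwarder's IP address. The domains, addresses (documentation ranges), policy and helper names are constructed, and the evaluator handles only the `ip4` and `all` mechanisms.

```python
import ipaddress

# Constructed SPF policy, keyed by envelope-sender domain (documentation ranges).
SPF_RECORDS = {"sender.example": "v=spf1 ip4:192.0.2.0/24 -all"}

def spf_check(client_ip, mail_from, records=SPF_RECORDS):
    """Evaluate the ip4 and all mechanisms of the MAIL FROM domain's policy."""
    domain = mail_from.rsplit("@", 1)[1]
    policy = records.get(domain)
    if policy is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in policy.split()[1:]:
        qualifier = term[0] if term[0] in results else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:]):
            return results[qualifier]
        if mech == "all":
            return results[qualifier]
    return "neutral"

def forward(envelope, new_rcpt, forwarder_ip):
    """Traditional forwarding: only the envelope recipient changes."""
    return {**envelope, "rcpt_to": new_rcpt, "client_ip": forwarder_ip}

def receive(envelope, trusted_forwarders=()):
    """Final site's SPF filter, with an optional whitelist of forwarder IPs."""
    if envelope["client_ip"] in trusted_forwarders:
        return "accept (whitelisted forwarder)"
    result = spf_check(envelope["client_ip"], envelope["mail_from"])
    return "reject" if result == "fail" else f"accept ({result})"

def demo():
    # Direct delivery, forwarded delivery, forwarded delivery with whitelist.
    original = {"mail_from": "alice@sender.example",
                "rcpt_to": "bob@alumni.example", "client_ip": "192.0.2.25"}
    relayed = forward(original, "bob@isp.example", "198.51.100.7")
    return (receive(original), receive(relayed),
            receive(relayed, trusted_forwarders={"198.51.100.7"}))

if __name__ == "__main__":
    print(demo())
```

The whitelist in the third case works only while the receiving site knows the forwarder's current addresses, which is the maintenance problem the message points out.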