paul_d_smith at hotmail
Jul 8, 2009, 1:09 AM
Post #5 of 15
Comments below. I can only assume I'm missing some key element of SPF at
present because I can't see how SPF is a powerful solution to a problem.
Perhaps my comments and questions below will help us get to a common
understanding. Look for [PDS].
From: "Vic" <spf1 [at] beer>
Sent: Wednesday, July 08, 2009 8:24 AM
To: <spf-help [at] v2>
Subject: Re: [spf-help] SPF and usernames
>> Thanks for that. I was thinking about this more last night and I think,
>> least for what I want, SPF records don't work
> SPF records *do* work. They just take a little thinking about when you
> want to do the opposite of what they're designed for.
>> Any e-mail to "paul [at] organisation" gets forwarded to (say)
>> "paulshotmail [at] hotmail". I can control where the e-mail goes, but
>> that's it.
> First off, you'll find you get a much higher standard of assistance if you
> refrain from telling us porkies. My money's on you not owning
[PDS] Since SPF records are open, the domain is "enfieldlibdems.org.uk", not
that this information should have any bearing on the question whatsoever as
the logic and requirements are the same.
>> The problem is that I only seem to be able to use SPF records to allow
>> ANYONE using a Hotmail account to send on behalf of
>> paul [at] organisation
>> "This is totally bogus man" because paul [at] organisation is a
>> address and any SPAMmer with half a brain will check the SPF records for
>> organisation.org and figure out they can use Hotmail to SPAM out
>> pretending to be me.
> Had you read the mail to which you replied, you'd see that this is not the
> case; SPF record clauses can have positive, negative, neutral, or
> uncertain qualifiers. Since what you want is for Hotmail's servers to be
> seen neither as positive nor as negative, one of the latter two types
> would seem appropriate.
[PDS] So the SPF solution to my problem is to render SPF completely
meaningless? Doesn't "neutral" or "uncertain" merely push the problem of
deciding "should I accept this e-mail" back on the recipient, which would
have been the case were there no such thing as SPF?
>> It seems that SPF records are simply a curse for me and have completely
>> me off from the e-mail world and there is absolutely nothing I can do
>> about it.
> That's incorrect.
>> So, anyone got a bright idea? At present SPF records simply look like
>> another failed attempt at anti-SPAM to me
> And this is at the root of your problems: SPF is *not* an anti-spam
> measure, it's an anti-forgery measure.
[PDS] I fail to see such a clear distinction between SPAM and forgery. In
almost all SPAM e-mail which I receive, the sender and from addresses are
also forged and SPAM and forgery are one and the same for me.
[PDS] There is a technical split in that I might decide to send a single
e-mail pretending to be you and this would be forgery but not, perhaps,
SPAM, but I still don't understand how SPF is a good solution to this. If I
really care if it's you, or not, I would use public/private keys to confirm
the sender's identity which seems to be a much stronger check of your
>> because they only work if the
>> "alternate domain" is very small and very tightly controlled.
> This is incorrect too.
[PDS] Please provide a counter example because I'm afraid I just don't see
it. Perhaps I've misunderstood what SPF does because I think it says "this
e-mail originated from domain X.com but claimed to be sent on behalf of
someone in Y.com; Y.com has said this is OK". Now unless the users of Y.com
can restrict who sends from X.com, the opportunity for forgery remains.
>> I would submit that that is rarely the case.
> I would submit that fixing your issue is relatively straightforward, but
> will not be effected by throwing your toys out of the pram.
[PDS] As I said above, perhaps you can provide me with an example please
that indicates why SPF is so powerful because at present I just don't see