
spf.pobox at logicalsolutns
Jul 13, 2009, 7:01 AM
Post #3 of 5
At 03:49 AM 7/13/2009, you wrote:
>My answer to your question is this:
>
>- I accept that spoofing is a problem and a solution would be good. There will probably never be 'a single' solution. So we are left with using various combinations of solutions to get as close as possible to the ultimate goal.
>- I accept that SPF reduces the scope of the problem a little.
>
>- But spoofing can also be very legitimate, as SPF permits.

I think you mean "AND spoofing can be legitimate, as SPF permits."

>The problem is that SPF only limits spoofing by domain and not by user (and I appreciate that the latter is technically almost impossible at present). ISPs are (rightly I suppose) trying to use SPF to reduce SPAM through their systems but they are, quite sensibly, blocking entire domains such as Hotmail.com - the very same free domains that small users such as myself rely on using.

ISPs that are using SPF will not block your HOTMAIL-spoofed email (due to SPF), unless you have configured SPF for your domain, thus requesting that they do so.

>So whilst SPF clearly does solve one problem, it creates others. As it stands, SPF means I cannot send "personal" e-mails during my lunch hour (actually on behalf of a small political organisation) because of a combination of blocked POP3/SMTP access by my employers and now SPF meaning I can't use the "spoofing" Hotmail account that I've used for the last 4 years to achieve this via the web.

As long as we agree that it doesn't prevent you from sending email.

Technically, if your employer has blocked SMTP, it probably means they do not want you sending email from work. So using the Hotmail website may actually be circumventing their policies.

Secondly, your ISP (or your domain's mail server) probably also has webmail functionality. In which case, you could send mail directly from your domain and not need Hotmail.

Thirdly, your ISP (or your domain's mail server) should have port 587 open for relay mail authentication.
Port 587 is used for sending/relaying mail to/through a mail server using authenticated sessions. Southwestern Bell (and AOL I believe) block port 25 going out of their network, but they do not block port 587. So my customers are unable to use Outlook to send mail through my server on port 25, but they can easily change that to port 587 and send mail successfully.

SPF does not prevent you from using Hotmail, and there are probably much better (more professional) methods available to you than Hotmail.

As for specific user exceptions, I would recommend looking into Domain Keys as yet another contribution to reducing spam.

Note, installing neither SPF nor Domain Keys will reduce your spam. Both are things that you do to help other people reduce the amount of spam they accept. The fact that it requires action (installation) on the part of someone else, in order for you to achieve any benefit, is why SPF (and/or Domain Keys) will probably never be "the" ultimate solution.

-john

>I wonder if there is mileage in the following extension to SPF based on a chain of trust?
>
>1. As now, SPF validates a domain (say Hotmail.com) as being able to spoof on behalf of X.com
>
>2. Having now trusted Hotmail.com, and been happy that the sending server IP does identify Hotmail, expect and trust Hotmail to also provide a specific "this is the real sending user" header (Hotmail in fact already does this using the "X-Originating-Email" header).
>
>[Aside - SPFv2 should define this new header and it should be proposed as an extension to base e-mail].
>
>3. Now you can validate on a per-user basis.
>
>Paul DS.
>
>--------------------------------------------------
>From: "Prashanth Chengi" <prashanthd [at] cdac>
>Sent: Wednesday, July 08, 2009 5:54 PM
>To: <spf-help [at] v2>
>Subject: Re: [spf-help] SPF and usernames (fwd)
>
>>Paul, I really don't see where your argument is headed. Without SPF, the whole world can spoof your domain and get away with it.
>>With a proper SPF policy which allows the Hotmail servers to send on your behalf, you can restrict possible spoofing to Hotmail servers only, while the others' attempts to spoof get junked (if the recipient is using SPF checking, that is). Isn't this beneficial? You stand to gain and not lose by implementing SPF, so what is the need to term SPF a curse?! Sheesh!
>>
>>Regards,
>>Prashanth Chengi
>>National PARAM SuperComputing Facility
>>System Administration and Networking Group
>>C-DAC Pune
>>Ext-183
>>Mob: 09766044870