Mailing List Archive: SPF: SRS

"send to a friend" from websites

Index | Next | Previous | View Threaded

rmalayter at bai

May 18, 2004, 9:17 AM

Post #1 of 5 (2223 views)
Permalink

"send to a friend" from websites

We have published SRS records, and they are tested and working fine.

However, we have "send this article to a friend" functionality on our
website, which runs Win2k. We use the CDOSYS and .NET System object
models for sending emails from these web servers.

Currently, we set the "From:" property of the message as the third-party
person's name, and then added a "Sender:" header indicating it came from
our web servers. This gives us the nice, logical "From:
<webservers [at] bai> On Behalf Of Joe Schmoe" in most MUAs.
"
However, I believe just setting the "From" field in CDO or .NET sets
both the envelope *and* header "From:" to the third-party person. This
is not in line with SPF as far as I can tell, since we are periodically
sending messages from our MTA with non-bai.org envelope senders.

From what I've read on the SPF site, I think I should be setting the
envelope sender to "webservers [at] bai", setting the "From" header to
the third party, and adding our "sender: <webservers [at] bai>" header as
before. Is this correct? If so, does anybody know how to control the
envelope sender independently from the From header in CDO? Do I set the
message object's FROM property to our web server address, then add a
"From:" header? Is there site out there where I can send a message to
see what both the envelope and headers look like?

Or do I need to use SRS for this to properly relay bounces to the third
party? I think I'm supposed to, but I do not have any SRS implementation
installed on these Win2k MTAs. Would it be against RFCs to ignore the
bounces? I mean, the webservers [at] bai is a valid address, so the
outgoing message does have a valid return path. We don't really care if
the third party ever sees the bounces.

Thanks for any help... I'm disappointed I couldn't figure this out on my
own from the documentation on SPF and other sites, but the documentation
seems to be a bit scattered over several sites. Perhaps the draft RFC
might help me? Is it available yet online? Or does that not include this
sort of information?

Thanks again,

Ryan Malayter
Bank Administration Institute
Chicago, Illinois, USA
PGP Key: http://www.malayter.com/pgp-public.txt
=========================
All problems can be solved by diplomacy, but violence and treachery are
equally effective, and more fun.
-Anonymous

stuart at bmsi

May 18, 2004, 11:21 AM

Post #2 of 5 (2104 views)
Permalink

Re: "send to a friend" from websites [In reply to]

On Tue, 18 May 2004, Ryan Malayter wrote:

> Or do I need to use SRS for this to properly relay bounces to the third
> party? I think I'm supposed to, but I do not have any SRS implementation
> installed on these Win2k MTAs. Would it be against RFCs to ignore the
> bounces? I mean, the webservers [at] bai is a valid address, so the
> outgoing message does have a valid return path. We don't really care if
> the third party ever sees the bounces.

You might be able to use a Python SRS implementation on Windows - which
has will supported Python VMs: http://www.bmsi.com/python/pysrs.html

I can think of several levels of support for your site:

1) Use webservers [at] bai as sender, accept bounces, and save them
to a mailbox where they can be examined and forwarded manually and/or
expired after a time limit.

2) Like 1, but examine the bounce to find a custom X-ForwardedSender header
where you saved the purported sender. You might want to add a crypto
cookie to your X-ForwardedSender header to prevent spammers from
using your system for a relay. (Similar to SRS, but doesn't involve MTA.)

3) Do some checks on the sender before accepting it. Make sure it is
not blacklisted. If the sender does not publish SPF, then use it as
is instead of webservers [at] bai If the sender begins with SRS or SES,
then validate it via CBV, and if it checks out, use as is. Otherwise,
proceed as in 1 or 2.

4) Proceed as in 3, but use SRS instead of 1 or 2. This requires you
to integrate SRS with your MTA.

--
Stuart D. Gathman <stuart [at] bmsi>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

rmalayter at bai

May 18, 2004, 1:26 PM

Post #3 of 5 (2122 views)
Permalink

RE: "send to a friend" from websites [In reply to]

[Stuart D. Gathman]
>You might be able to use a Python SRS implementation on
>Windows - which has will supported Python VMs:
>http://www.bmsi.com/python/pysrs.html

There are good Perl interpreters for Windows as well. I like Python much
better, though. Still, integration with the MTA is hard. The concept of
an "event sink" API exists for adding hooks into the Windows SMTP
services, but I am not too familiar with that. Is there an SRS-enabled
SMTP proxy available out there? That would seem ideal, and would work
with any MTA if written in a cross-platform language like Python.

>1) Use webservers [at] bai as sender, accept bounces, and save them
>to a mailbox where they can be examined and forwarded manually and/or
>expired after a time limit.

I like that idea; it would enable us to eliminate the majority of the
problem and only handle outlying cases. Traffic is not high, so our
customer service people could take care of this easily. And I don't have
to mess with gluing experimental code into my MTA.

>
>2) Like 1, but examine the bounce to find a custom
>X-ForwardedSender header
>where you saved the purported sender. You might want to add a crypto
>cookie to your X-ForwardedSender header to prevent spammers from
>using your system for a relay. (Similar to SRS, but doesn't
>involve MTA.)

If I was going to do that much coding, I would just try to do full SRS
by writing my own even sinks for the Windows SMTP server, I think.

>
>3) Do some checks on the sender before accepting it. Make sure it is
>not blacklisted. If the sender does not publish SPF, then use it as
>is instead of webservers [at] bai If the sender begins with
>SRS or SES,
>then validate it via CBV, and if it checks out, use as is. Otherwise,
>proceed as in 1 or 2.

Interesting.

>
>4) Proceed as in 3, but use SRS instead of 1 or 2. This requires you
>to integrate SRS with your MTA.

Maybe. Hopefully my anti-spam vendor will support SPF+SRS in their next
release. They already use event sinks to call their filter, so they
could definitely handle this sort of thing. They'll want to add SPF
checks into their filters anyway. I'll make the suggestion to them.

Thanks for your help,
Ryan

stuart at bmsi

May 18, 2004, 2:01 PM

Post #4 of 5 (2075 views)
Permalink

RE: "send to a friend" from websites [In reply to]

On Tue, 18 May 2004, Ryan Malayter wrote:

> >where you saved the purported sender. You might want to add a crypto
> >cookie to your X-ForwardedSender header to prevent spammers from
> >using your system for a relay. (Similar to SRS, but doesn't
> >involve MTA.)

> If I was going to do that much coding, I would just try to do full SRS
> by writing my own even sinks for the Windows SMTP server, I think.

The Python, Perl, or C (libspf or libspf-alt) libraries all transform
a sender to an SRS sender and vice versa. If your application is
already generating an email, it is trivial to add the header.
Finding the header in an rfc822 attachment is pretty trivial with the Python
email library - don't know about Perl or C. I think Javamail is not
too bad either. (What is your application written in?)

But then, those Windows SMTP "events" sound a lot like sendmail milters -
and would be a pretty flexible way to go.

--
Stuart D. Gathman <stuart [at] bmsi>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

rmalayter at bai

May 19, 2004, 9:10 AM

Post #5 of 5 (2069 views)
Permalink

RE: "send to a friend" from websites [In reply to]

[Stuart D. Gathman]

>(What is your application written in?)

My application is written in C# and VB.NET, which have pretty robust
object models for messaging, base64 decoding, regex searching, etc.

> But then, those Windows SMTP "events" sound a lot like
> sendmail milters -
> and would be a pretty flexible way to go.>

It is a publicly documented API, and MS doesn't change these too often,
other than to add functionality. Heck, they still support things like
DAO (not ADO) and ODBC for database access, 10+ years later. One thing
MS usually does well (often to the detriment of security and code bloat)
is make most of their new stuff backwards compatible.

Here's a link that describes the SMTP event sink interface:
http://tinyurl.com/29765
Currently, you have to use a COM wrapper if you want to use a .NET
language, although I imagine a native .NET interface might be there in
Windows Server 2003. Perhaps it would be worth writing a simple GPL
Vbscript implementation to the Python/Perl reference implementations. I
will put that on my (long) list of things I want to do.

Thanks for your help.

I hate cross-posting in general, but do you think posting to the general
SPF list might be a good idea? I'd just like confirmation that my
proposed envelope sender, "From:" header, and "Sender:" header are the
correct way to handle this in light of SPF. Or did you indicate that my
proposed scheme (envelope=bai.org,From header=thrid pary, sender
header=bai.org) was correct with your suggestion #1?

Regards,
Ryan

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads