Hi all
Apologies if this has been covered, read the SPF spec, looked through the
archives of this list, but found nothing on this topic.
Basically as I see it, to do any checking SPF requires a domain, either
optionally from the HELO/EHLO command, or from the MAIL command.
However from the SPF spec, any spammer can get around SPF simply by
a) not providing a FQDN in the HELO/EHLO command (since this is not
mandated by RFC 2821); and
b) specifying a blank return path in the MAIL command.
Since RFC 2821 mandates that any MTA must accept mail with a blank return
path, there is no domain to check with SPF, and thence the spam
floods in.
We see this empirically with our server. Shutting off blank return paths
reduces our spam intake dramatically.
However people who choose to administratively ban blank return paths simply
get blacklisted on various lists of dubious merit for non-compliance.
I found a discussion of blank return paths conspicuously absent from the
draft SPF spec I read, although it makes reference to other policy
decisions of the receiver.
Are there any comments from the authors of the spec on this particular issue?
Or are we basically just out of luck until SMTP is properly repaired some
time after pigs fly over a frozen hell (shortly before IP6 is rolled out
world-wide) :)
Cheers
Adrien de Croy
------------------------------------------------------------------------
Adrien de Croy Qbik New Zealand Limited
The makers of WinGate, and WinGate VPN.
http://www.qbik.com/
------------------------------------------------------------------------
check out the new WinGate website http://www.wingate.com
------------------------------------------------------------------------
-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-devel@v2.listbox.com
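As an added receiver-side illustration of the point raised above (not code from the original post or from any SPF implementation): when MAIL FROM is the null reverse-path, a checker still has the HELO identity to fall back on, which is the rule the later SPF RFCs (RFC 4408 / RFC 7208) adopted as postmaster@<HELO domain>; when HELO carries no domain name either, the checker has no identity and local policy decides. The SPF records and IP addresses are constructed stand-ins for DNS data, and the evaluator handles only ip4/ip6/all mechanisms.

```python
# Added example: selecting the SPF identity for a session whose MAIL FROM is
# the null reverse-path "<>", then evaluating it against a constructed record
# table that stands in for DNS TXT lookups (no real domains' data).
import ipaddress
import re

# Constructed records; the documentation prefix 192.0.2.0/24 is used as sample space.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "mail.example.com": "v=spf1 ip4:192.0.2.25 -all",
}
# A HELO name is usable only if it is dotted and its last label is alphabetic,
# which rejects bare words, bracketed address literals and raw IP strings.
FQDN_RE = re.compile(r"^([a-z0-9-]+\.)+[a-z][a-z0-9-]*$", re.I)
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_identity(mail_from, helo):
    """Return (local_part, domain) to check, or None when nothing usable exists."""
    addr = mail_from.strip().strip("<>")
    if "@" in addr:
        local, domain = addr.rsplit("@", 1)
        return local, domain.lower()
    helo = helo.strip().lower()
    if FQDN_RE.match(helo):          # null reverse-path: fall back to HELO identity
        return "postmaster", helo
    return None

def evaluate_spf(domain, client_ip, records=SPF_RECORDS):
    """Evaluate ip4/ip6/all terms with qualifiers; other mechanisms are skipped."""
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            return RESULTS[qualifier]
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return RESULTS[qualifier]
    return "neutral"

def spf_result(mail_from, helo, client_ip):
    ident = check_identity(mail_from, helo)
    if ident is None:
        return "none"   # no identity to check; local receiver policy decides
    return evaluate_spf(ident[1], client_ip)
```

A session with `MAIL FROM:<>` and a HELO of `mail.example.com` from 192.0.2.25 therefore passes, the same session from another address fails on `-all`, and a session whose HELO is a bare word or an address literal returns `none` rather than silently passing.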