Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. SPF>
  3. Discuss
is there a better solution than sender rewriting?
mengwong at dumbo
Oct 6, 2003, 11:06 AM
Post #1 of 3 (1714 views)
Permalink
This thread from the qmail list

http://www.ornl.gov/cts/archives/mailing-lists/qmail/2003/10/msg00257.html

is worth reading; it revisits the greatest objections to SPF. They are
valid concerns and I wish we had better answers to them.

| Hello,
|
| Slashdot just pointed me to <[10]http://spf.pobox.com/>, which has me
| disturbed.
|
| The basic idea of SPF is to prevent spoofed return addresses, by adding a
| DNS entry of the form IP.in-addr._smtp_client.DOMAIN with TXT field of
| "spf=allow" to authorize that IP to send email with user@DOMAIN as the
| envelope sender.
|
| Naturally this bothers me greatly, since I use DynDNS to run my own email
| server over a DSL line.

DynDNS has told me privately that they plan to publish SPF records for
user domains, so this problem is solved.

| In addition, I notice that the author seems quick to suggest
| ill-thought-out schemes. For example, SPF as described above breaks all
| relaying, such as that done by pobox.com, and he has an elaborate scheme
| of return-address rewriting so that each relay modifies the envelope to
| end in a domain it was authorized for. He then remarks, as if this is an
| insignificant detail, that "In practice, an additional cookie is required
| to limit the validity of the rewritten address; otherwise, SRS leads to
| open relaying."

On Jul 22 2003, hp.com rejected mail coming from a pobox.com IP because
the envelope sender was yahoo.com.

<istvan.szucs@hp.com>: host smtp.hp.com[192.151.81.13] said:
554 <jasperii@yahoo.com>: Sender address rejected:
This yahoo.com mail didn't really arrive via a yahoo.com mail server

I am told uol.com.br is doing the same thing now.

So even if nothing comes of SPF, it looks like pobox.com would have to
implement sender rewriting anyway.

| What's particularly scary here is that there may be a good idea hidden
| under the author's muddy thinking--but it isn't what this author is
| proposing. The only way to beat this guy might be to join him, and help
| him work the kinks out of his idea.

This is what the spf-discuss mailing list is for. Already we have made
many improvements to the basic SPF concept thanks to the community.
Thanks to Slashdot there are now twice as many people on the list, so I
expect SPF will get twice as good soon! I agree that I am a muddier
thinker than most, so any clarification is certainly welcome.

|
| The relay issue, on the other hand, I see no good solution for.
|

Sender rewriting sucks. If there's a better solution, I'm all for it.

Meanwhile, we've already written the module, and after we've tested it,
we'll upload it to CPAN.

The disadvantages of the new paradigm must be weighed against the old.
Yes, pobox.com will be forced to do sender rewriting. True, eBay will
no longer be able to legitimately forge addresses. There are other
downsides.

But this is the cost of change; for a reduction in spam, is the price
worth paying?

Debate arises. Some say yes, some say no.

This is why SPF is a voluntary mechanism.

If a domain would be hurt by publishing SPF records, don't publish them.

If a user would be hurt by performing SPF checks, don't perform them.

If an ISP would hurt some of its users by publishing SPF records, the
market will decide.

The exception is forwarding services: for them, the world is moving on,
and they need to move with it. Hence sender rewriting.

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname@©#«Mo\¯HÝÜîU;±¤Ö¤Íµøˆ¡
Re: is there a better solution than sender rewriting? [ In reply to ]
twilde at dyndns
Oct 6, 2003, 12:04 PM
Post #2 of 3 (1664 views)
Permalink
Meng Wong Wrote:

> DynDNS has told me privately that they plan to publish SPF records for
> user domains, so this problem is solved.

I'm not entirely sure what you mean by this. We don't support TXT records
for free hostnames (somehost.dyndns.org), and don't currently have plans
to do so. It would seem that the original poster's concern is that we
might put in SPF records for dyndns.org, and that this would then cause
their e-mail to break. For that reason I don't think we could ever
implement SPF on the domains we provide dynamic/static DNS service to,
without some significant changes to our systems, which we don't have any
current plans to make.

We do, however, support TXT records in our Custom DNS service
(for people using their own domains) and have altered our input checking
to allow for the creation of the records needed for SPF - so that's
available and working now.

Tim Wilde

--
Tim Wilde
twilde@dyndns.org
Systems Administrator
Dynamic DNS Network Services
http://www.dyndns.org/

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname@©#«Mo\¯HÝÜîU;±¤Ö¤Íµøˆ¡
Re: is there a better solution than sender rewriting? [ In reply to ]
rkroll at exploits
Oct 6, 2003, 12:19 PM
Post #3 of 3 (1668 views)
Permalink
Meng Weng Wong wrote:

> Sender rewriting sucks. If there's a better solution, I'm all for it.

I assume that most of your difficulties stem from the forwarding problem.
I have a few forwarder accounts on my own system for some of my friends.
They will eventually have problem getting mail, since 65.64.162.194 is not
a valid sender for all of the domains which mail them.

Since SPF is something that involves changes on the receiving end and not
the forwarder, why not specify something that should be installed at the
same time? That is, when you install SPF, you'd better give your users
some way to whitelist specific recipient e-mail addresses, or it's not
going to work.

Here's the idea. First, some background:

- The account on my server is friend@example.exploits.org
- It currently forwards to friend@isp.example.com

For my case, he could just whitelist the IP address of my server. It's a
hack, but it would work, since this is the only box who would ever mail
him, and nobody on my system is going to spam him.

I realize there are many cases where this won't work, whether for
technical reasons for idealogical ones. Maybe you don't like whitelisting
entire hosts, or you don't want everyone on those hosts to be able to mail
you. For this, you do something different.

Instead of forwarding to friend@isp.example.com, I set it to forward to
friend-secret@isp.example.com or friend+secret@isp.example.com (depending
on the MTA involved), or maybe some third account which is aliased to
him. He then whitelists that specific envelope recipient, and his ISP
will disregard the SPF mismatch when mail arrives for it.

Yes, someone could mail that and spam him, but that's why it's called a
secret. It would have to be leaked by me or by him first. I suppose it
could show up in the mail headers, and someone could see it if he ever
showed someone a complete raw message.

I realize this means changing the mail software at the recipient, but
you're having to do that anyway to add SPF. Nothing changes on the
forwarding/sending hosts, which means you don't need any rewriting hacks,
and they don't need any new software.

I welcome comments. Feel free to rip this apart if you spot a hole.

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname@©#«Mo\¯HÝÜîU;±¤Ö¤Íµøˆ¡

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal