Paul, I really don't see where your argument is headed. Without SPF, the
whole world can spoof your domain and get away with it. With a proper SPF
policy which allows the hotmail servers to send on your behalf, you can
restrict possible spoofing to hotmail servers only, while the others'
attempts to spoof get junked (if the recipient is using SPF checking, that
is). Isn't this beneficial? You stand to gain and not lose by implementing
SPF, so what is the need to term SPF a curse?! Sheesh!
Regards,
Prashanth Chengi
National PARAM SuperComputing Facility
System Administration and Networking Group
C-DAC Pune
Ext-183
Mob: 09766044870
--
He who fights with monsters might take care,
lest he thereby become a monster.
-Friedrich Nietzsche
On Wed, 8 Jul 2009, Paul D.Smith wrote:
> Rob,
>
> Thanks for the response - very clear. A few comments in-line below marked
> [PDS].
>
> Paul DS.
>
>>> Next is the checking of the MAIL FROM. Now this does not indicate the
>>> Hotmail domain so the SPF look-up for the MAIL FROM domain does not return
>>> a
>>> valid Hotmail IP address and this would result in my mail being rejected.
>>
>> No, the Mail From is checked against the domain provided in the Mail
>> From. If you are sending from your own domain then it will be your
>> domain's SPF record that is checked.
>
> [PDS] Whoa, where does the value of the address in "MAIL FROM" come from
> then? As an example, most e-mail packages I've seen (I use Windows Live to
> type this) allow two fields to be specified, named "e-mail address" and
> "reply address" or similar. Normally I would set these to be the same but
> then that doesn't seem to make sense to me because MAIL FROM and "From
> header" would be the same and then I can't see how there is a problem?
>
>>> Now at this point, how could I ensure my mail gets through?
>>>
>>> 1. I could have an "allow all" SPF record for my domain - very bad, well in
>>> fact exactly as pre-SPF.
>>
>> Correct.
>>
>>> 2. I could add all the IP addresses for Hotmail to my SPF records for my
>>> real domain. But then anyone with a Hotmail account can spoof me sending
>>> from my domain - still not good and providing little protection for the
>>> recipient or for me as being anti-forged.
>>
>> Correct.
>>
>>> 3. I can similar to #2 except I put "hotmail.com" servers into the SPF
>>> records such that my domain opens up Hotmail.com senders but without the
>>> need for me to explicitly add IP addresses - still not good.
>>
>> Correct - and indeed it's identical to (2).
>>
>>> This is why I
>>> was giving the Y.com/X.com example - I would be allowing
>>> <anyone>@hotmail.com to send as my@mydomain.com whereas in fact I only want
>>> to allow me-hotmail@hotmail.com to be able to do this.
>>
>> No, you'll be allowing anybody who is allowed to send email through
>> Hotmail's servers to send email from your domain and pass the SPF
>> checks. Remember, that's the point of the SPF record, it identifies
>> which hosts are allowed to send email on behalf of a domain.
>
> [PDS] We may be saying the same thing here in two different ways. Are you
> saying that for example "noddy@hotmail.com" could send an e-mail which would
> reach you and look as if it were sent from mydomain.com? Or are you saying
> that somehow I have allowed the user whose address is noddy@hotmail.com to
> use mydomain.com's servers to send an e-mail that appears to have come from
> Hotmail servers?
>
>>
>>> At this point I can't do anything more because SPF is unable to get access
>>> to "me-hotmail@hotmail.com" and therefore cannot perform "true sender"
>>> checking (in fact this information is present in a Hotmail X-header - but
>>> let's not go there).
>>
>> Correct - however it is important to note that:
>>
>> a) SPF was never designed with this in mind - it is intended to
>> protect domains, not individual accounts
>> b) At no point is there any way for anything outside of Hotmail to
>> know anything about the Hotmail account that's linked to your own
>> domain
>>
>> Also, it's important to note that Hotmail uses Sender-ID, not SPF.
>> The 2 are similar, but not the same.
>>
>>> So, I seem to be able to only do the following...
>>>
>>> - Allow anyone to forge me
>>> - Allow nobody to forge me (where I might legitimately want to forge
>>> myself)
>>> - Allow anyone on an entire specified domain to forge me.
>>
>> Assuming you only use SPF, yes. However as stated in the SPF FAQ, it
>> isn't intended to be a complete solution to the problem of mail
>> forgery, it is intended to only protect one part of the problem.
>
> [PDS] The follownig may be wrong depending on answers to my comments above.
> OK, options 1 and 3 I understand but option 2 looks like a very small case.
> Who realisticly controls a second domain so tightly as to be happy to enable
> it to send on behalf of their first domain? Surely the second domain being
> "open" like Hotmail is a much more common occurence?
>
> -------------------------------------------
> Sender Policy Framework: http://www.openspf.org
> Modify Your Subscription: http://www.listbox.com/member/
> Archives: https://www.listbox.com/member/archive/1020/=now
> RSS Feed: https://www.listbox.com/member/archive/rss/1020/
> Powered by Listbox: http://www.listbox.com
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com
whole world can spoof your domain and get away with it. With a proper SPF
policy which allows the hotmail servers to send on your behalf, you can
restrict possible spoofing to hotmail servers only, while the others'
attempts to spoof get junked (if the recipient is using SPF checking, that
is). Isn't this beneficial? You stand to gain and not lose by implementing
SPF, so what is the need to term SPF a curse?! Sheesh!
Regards,
Prashanth Chengi
National PARAM SuperComputing Facility
System Administration and Networking Group
C-DAC Pune
Ext-183
Mob: 09766044870
--
He who fights with monsters might take care,
lest he thereby become a monster.
-Friedrich Nietzsche
On Wed, 8 Jul 2009, Paul D.Smith wrote:
> Rob,
>
> Thanks for the response - very clear. A few comments in-line below marked
> [PDS].
>
> Paul DS.
>
>>> Next is the checking of the MAIL FROM. Now this does not indicate the
>>> Hotmail domain so the SPF look-up for the MAIL FROM domain does not return
>>> a
>>> valid Hotmail IP address and this would result in my mail being rejected.
>>
>> No, the Mail From is checked against the domain provided in the Mail
>> From. If you are sending from your own domain then it will be your
>> domain's SPF record that is checked.
>
> [PDS] Whoa, where does the value of the address in "MAIL FROM" come from
> then? As an example, most e-mail packages I've seen (I use Windows Live to
> type this) allow two fields to be specified, named "e-mail address" and
> "reply address" or similar. Normally I would set these to be the same but
> then that doesn't seem to make sense to me because MAIL FROM and "From
> header" would be the same and then I can't see how there is a problem?
>
>>> Now at this point, how could I ensure my mail gets through?
>>>
>>> 1. I could have an "allow all" SPF record for my domain - very bad, well in
>>> fact exactly as pre-SPF.
>>
>> Correct.
>>
>>> 2. I could add all the IP addresses for Hotmail to my SPF records for my
>>> real domain. But then anyone with a Hotmail account can spoof me sending
>>> from my domain - still not good and providing little protection for the
>>> recipient or for me as being anti-forged.
>>
>> Correct.
>>
>>> 3. I can similar to #2 except I put "hotmail.com" servers into the SPF
>>> records such that my domain opens up Hotmail.com senders but without the
>>> need for me to explicitly add IP addresses - still not good.
>>
>> Correct - and indeed it's identical to (2).
>>
>>> This is why I
>>> was giving the Y.com/X.com example - I would be allowing
>>> <anyone>@hotmail.com to send as my@mydomain.com whereas in fact I only want
>>> to allow me-hotmail@hotmail.com to be able to do this.
>>
>> No, you'll be allowing anybody who is allowed to send email through
>> Hotmail's servers to send email from your domain and pass the SPF
>> checks. Remember, that's the point of the SPF record, it identifies
>> which hosts are allowed to send email on behalf of a domain.
>
> [PDS] We may be saying the same thing here in two different ways. Are you
> saying that for example "noddy@hotmail.com" could send an e-mail which would
> reach you and look as if it were sent from mydomain.com? Or are you saying
> that somehow I have allowed the user whose address is noddy@hotmail.com to
> use mydomain.com's servers to send an e-mail that appears to have come from
> Hotmail servers?
>
>>
>>> At this point I can't do anything more because SPF is unable to get access
>>> to "me-hotmail@hotmail.com" and therefore cannot perform "true sender"
>>> checking (in fact this information is present in a Hotmail X-header - but
>>> let's not go there).
>>
>> Correct - however it is important to note that:
>>
>> a) SPF was never designed with this in mind - it is intended to
>> protect domains, not individual accounts
>> b) At no point is there any way for anything outside of Hotmail to
>> know anything about the Hotmail account that's linked to your own
>> domain
>>
>> Also, it's important to note that Hotmail uses Sender-ID, not SPF.
>> The 2 are similar, but not the same.
>>
>>> So, I seem to be able to only do the following...
>>>
>>> - Allow anyone to forge me
>>> - Allow nobody to forge me (where I might legitimately want to forge
>>> myself)
>>> - Allow anyone on an entire specified domain to forge me.
>>
>> Assuming you only use SPF, yes. However as stated in the SPF FAQ, it
>> isn't intended to be a complete solution to the problem of mail
>> forgery, it is intended to only protect one part of the problem.
>
> [PDS] The follownig may be wrong depending on answers to my comments above.
> OK, options 1 and 3 I understand but option 2 looks like a very small case.
> Who realisticly controls a second domain so tightly as to be happy to enable
> it to send on behalf of their first domain? Surely the second domain being
> "open" like Hotmail is a much more common occurence?
>
> -------------------------------------------
> Sender Policy Framework: http://www.openspf.org
> Modify Your Subscription: http://www.listbox.com/member/
> Archives: https://www.listbox.com/member/archive/1020/=now
> RSS Feed: https://www.listbox.com/member/archive/rss/1020/
> Powered by Listbox: http://www.listbox.com
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com