nanog mailing list archives
Re: Spammers Skirt IP Authentication Attempts
From: Robert Bonomi <bonomi () mail r-bonomi com>
Date: Wed, 8 Sep 2004 15:15:14 -0500 (CDT)
Date: Wed, 8 Sep 2004 20:15:01 +0100 (BST)
From: Chris Edwards <C.Edwards () compserv gla ac uk>
Subject: Re: Spammers Skirt IP Authentication Attempts

| SPF verification query returns one of three kinds of result:
| 1) MISMATCH on point-of-origin vs domain 'authorized' senders. *VERY*
| probably spam.

Either spam, or almost any item of forwarded mail :-(

Beg to differ. Forwarded mail almost always shows an 'envelope from' of the _forwarding_ party.

Case in point: all email sent to nanog is 'forwarded' to me, and the other readers of the list. It has an "inside address" (per the 'From:' header) of whoever authored the message. *BUT*, the 'envelope from', in the SMTP transaction, is completely different: <owner-nanog () merit edu>

A _successful_ SPF check on 'merit.edu' would, hopefully, include 198.108.1.26 (trapdoor.merit.edu) in the list of 'official' outgoing mail sources. Ignoring for the moment the fact that Merit hasn't added SPF records to DNS yet. :)

Same thing applies for 'simple' forwarding via sendmail's '~/.forward' mechanism. The mail server 'accepts' the mail from the original source, and then 're-sends' to the new destination. That re-send originates as the _forwarding_party_, WITH an 'envelope from' of that forwarding party, even though the internal content of the message may show a _different_, and unrelated, "From" address.

An SPF check of the _immediate_ sender does *NOT* break forwarded mail. Unless the forwarding process is _totally_ borken, that is. <grin>
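
An added example, not part of the original post: a minimal SPF evaluator (ip4/ip6/all mechanisms only) showing that the result depends on the envelope sender's domain and the connecting IP, not on the 'From:' header. The SPF records and the example.org poster are constructed assumptions; the post notes that merit.edu had published no SPF record at the time.

```python
import ipaddress

# Constructed SPF records (assumptions): the post says merit.edu had not
# published SPF yet, and example.org stands in for a list poster's domain.
SPF_RECORDS = {
    "merit.edu": "v=spf1 ip4:198.108.1.26 -all",
    "example.org": "v=spf1 ip4:192.0.2.0/24 -all",
}

def spf_check(client_ip, domain, records=SPF_RECORDS):
    """Evaluate ip4/ip6/all mechanisms only; return an SPF result string."""
    record = records.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        result = "pass"  # default qualifier is '+'
        if term[0] in qualifiers:
            result, term = qualifiers[term[0]], term[1:]
        if term == "all":
            return result
        kind, _, value = term.partition(":")
        if kind in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return result
    return "neutral"  # no mechanism matched and no 'all' term

def domain_of(address):
    """Domain part of an address such as '<owner-nanog@merit.edu>'."""
    return address.rsplit("@", 1)[1].strip("<>")

def evaluate_delivery(client_ip, envelope_from, header_from):
    """SPF is keyed on the envelope sender; the header result is for contrast."""
    return {
        "envelope": spf_check(client_ip, domain_of(envelope_from)),
        "header": spf_check(client_ip, domain_of(header_from)),
    }

# Constructed delivery: a list post relayed by trapdoor.merit.edu.
LIST_DELIVERY = evaluate_delivery(
    "198.108.1.26", "<owner-nanog@merit.edu>", "poster@example.org")
# The same post if a relay re-sent it with the author's envelope sender kept.
KEPT_SENDER = evaluate_delivery(
    "198.108.1.26", "<poster@example.org>", "poster@example.org")
```
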