[LINK] Question re spoofing with bad reply address
Hamish Moffatt
hamish at cloud.net.au
Wed Jul 9 17:55:27 AEST 2014
On 09/07/14 17:35, Stephen Rothwell wrote:
> Hi Hamish,
>
> On Wed, 09 Jul 2014 17:27:08 +1000 Hamish Moffatt <hamish at cloud.net.au> wrote:
>> Consider implementing SPF to prevent this.
>> http://en.wikipedia.org/wiki/Sender_Policy_Framework
>>
>> In summary, through the DNS you publish a list of all servers authorised
>> to send mail from your domain, and how strict you want recipients to be.
>> An SPF-aware receiving host will check the DNS when it receives mail,
>> and reject any received from unlisted servers. This prevents your email
>> address being forged.
> SPF is broken by design (consider forwarding - including mailing
> lists). Unfortunately, some of the bigger players are now using it to
> make decisions :-(
http://www.openspf.org/FAQ/Forwarding - i.e. it's not difficult to deal
with by changing the envelope sender address at the forwarder/mailing
list. Note that that's not the visible From: header. And that doesn't
seem too unreasonable to me, else the forwarder is effectively forging
my address.
What else?
> It also doesn't help for those with email addresses in domains that
> other people using the same domain post from lots of different places.
> (e.g. other members of my family use various ISPs' outgoing mail
> servers)
>
Yes, that's true. It might not suit all domains, and users might need to
adapt. Any reason why your other family members couldn't use an
authorised sender instead though?
Email security is pretty poor, can we expect to fix it without the users
changing their configurations at all?
Hamish
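The forwarding case argued over above, as an added example (not code from the thread or from openspf.org): a toy SPF evaluator run against constructed DNS records and RFC 5737 sample addresses, showing the check failing when a forwarder relays with the original envelope sender and passing once the forwarder rewrites the envelope sender (SRS-style) to its own domain, with the visible From: header left untouched.

```python
"""Toy SPF evaluator: shows why forwarding breaks SPF and why rewriting the
envelope sender (not the From: header) at the forwarder fixes it.
Added example; domains, IPs and records are constructed sample data."""
import ipaddress

# Constructed "DNS": domain -> published SPF TXT record (assumed, not real).
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.10 -all",            # one authorised MTA
    "forwarder.example": "v=spf1 ip4:198.51.100.0/24 ~all",  # the forwarder
    "shared.example": "v=spf1 include:forwarder.example -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, depth=0):
    """SPF result for mail with envelope sender @domain arriving from
    client_ip. Supports ip4:, include: and all, enough for this scenario."""
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qual]
        name, _, arg = term.partition(":")
        if name == "ip4" and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qual]
        if name == "include" and check_spf(arg, client_ip, depth + 1) == "pass":
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and no explicit all


def forwarded_result(envelope_from, forwarder_ip, rewrite_to=None):
    """Result the final receiver computes when a forwarder at forwarder_ip
    relays a message. With rewrite_to, the forwarder replaces the envelope
    sender (SRS-style); the From: header is not involved in SPF at all."""
    mail_from = rewrite_to or envelope_from
    return check_spf(mail_from.split("@")[1], forwarder_ip)


if __name__ == "__main__":
    print(check_spf("example.org", "192.0.2.10"))                 # pass
    print(forwarded_result("alice@example.org", "198.51.100.5"))  # fail
    print(forwarded_result("alice@example.org", "198.51.100.5",
                           rewrite_to="bounces+alice=example.org@forwarder.example"))  # pass
```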