I can't seem to dig any SPF records for Paypal - so I don't think they are implementing SPF. It seems like a no-brainer. You can implement SPF for your domain by simply adding some records to your DNS server. You don't even need to enforce SPF on your mail server - and you would be protecting your domain from phishing - at least phishing that sends to all the SPF-aware mail servers out there. I would think that every financial institution would want to do this.

-----Original Message-----
From: Snake [mailto:[EMAIL PROTECTED]
Sent: Sunday, July 02, 2006 6:29 AM
To: CF-Talk
Subject: RE: OT: How do "Phishermen" send an email from a legitimate domain?

Paypal may well have it set up. But if the ISPs receiving the emails do not check the SPF record, then it is useless. And this is the problem, because not everyone uses SPF yet.

If as an ISP I required that all domains had an SPF record before I would accept any email from any domain, there would be a lot of email being rejected.

So it's a toss-up between blocking ALL spam and losing a lot of legitimate email, or just letting everything through.

Snake

-----Original Message-----
From: Rick Faircloth [mailto:[EMAIL PROTECTED]
Sent: 02 July 2006 12:15
To: CF-Talk
Subject: RE: OT: How do "Phishermen" send an email from a legitimate domain?

I can partially understand why *I* don't use SPF...actually I do, but it's obviously not set up perfectly...what I don't understand is why PayPal wouldn't have it set up and *perfectly* with the resources they have.

Would this solve their problem of spoofing?

Rick

-----Original Message-----
From: James Holmes [mailto:[EMAIL PROTECTED]
Sent: Saturday, July 01, 2006 10:50 PM
To: CF-Talk
Subject: Re: OT: How do "Phishermen" send an email from a legitimate domain?

Well, if everyone used SPF records (http://new.openspf.org/Introduction), the whole situation might be better, but they don't.

On 7/1/06, Rick Faircloth <[EMAIL PROTECTED]> wrote:
> That's pretty amazing that it can be done. I never realized that.
> Does dealing with (stopping) this sort of thing depend on the IP
> rather than the domain name? And can't the domain name simply be
> related to an IP?
>
> I *assume* that if PayPal can't stop it, I can't either and will just
> have to live with it.
>
> Rick
>
>
> -----Original Message-----
> From: James Holmes [mailto:[EMAIL PROTECTED]
> Sent: Saturday, July 01, 2006 11:30 AM
> To: CF-Talk
> Subject: Re: OT: How do "Phishermen" send an email from a legitimate domain?
>
> That should be "enforce" of course
>
> On 7/1/06, James Holmes <[EMAIL PROTECTED]> wrote:
> > Mail servers don't *enfore* the from address.

--
CFAJAX docs and other useful articles:
http://jr-holmes.coldfusionjournal.com/

