I agree, Mark. I'm no email expert but I would put this up there with reverse
DNS. Without it you can have pretty big problems with the major mail
providers.

Yahoo, Hotmail, and AOL already have pretty strict policies regarding
reverse DNS. Your email could be thrown into the bulk folder, blacklisted
(just went through this with AOL for another biz), or returned
undeliverable. As you say, if they do the same with SPF, folks will have
to jump on board.

On 7/2/06, Mark A Kruger <[EMAIL PROTECTED]> wrote:
>
> Russ,
>
> I would echo that. We have 2 mail servers - one that handles actual
> mailboxes and one used for relay only that is only accessible "inside" our
> network (so the web servers can use it).  SPF or the SPID are going to end
> up being the only things that "really" stop this sort of thing. When big
> mail providers like Yahoo and Hotmail start failing to deliver mail due to
> SPF or SPID then everyone will have to get on board. Compliance "critical
> mass" is what will eventually solve this problem - then we can move on to
> all the others (ha).
>
> -mark
>
> -----Original Message-----
> From: Snake [mailto:[EMAIL PROTECTED]
> Sent: Sunday, July 02, 2006 5:24 AM
> To: CF-Talk
> Subject: RE: How do "Phishermen" send an email from a legitimate domain?
>
> Unfortunately that causes other problems.
>
> Customer has mydomain.com with several other domains aliased to it, not to
> mention email aliases.
> Enforcing that only the login mailbox name can be used as the from address,
> which causes more complaints from customers who want to use their aliases.
> This is also not a good solution for sending mail from web sites.
> If you force customers to send mail from their web site through their own
> mailbox, then you are putting a huge amount of extra load on your client
> pop/smtp server and slowing mail down, especially when they do huge mail
> shots.
> We have a dedicated SMTP server which is used ONLY by the web servers for
> relaying mail. It allows only our web servers to relay through it and is
> thus open to them.
> Often when customers send email from web sites they send from an address
> such as INFO or SALES which is usually a MRA/List/forwarder, so the "SENDER
> must match the authenticated mailbox name" won't work here either.
>
> Of course this would only stop your customers doing naughty things anyway,
> it doesn't stop anyone else doing it to you or your email address. And
> invariably the spammers and phishers will have their own mail server anyway,
> so can do whatever they want.
> All you need is an ADSL line and an SMTP server.
>
> Snake
>
> -----Original Message-----
> From: John C. Bland II [mailto:[EMAIL PROTECTED]
> Sent: 02 July 2006 07:35
> To: CF-Talk
> Subject: Re: How do "Phishermen" send an email from a legitimate domain?
>
> The easy way is to enforce no relays or similar. We require authentication
> so you can't send an email from a bum address and you can't send without a
> password (even from web sites) OR being on our server during send. SPF is a
> great thing to have as well but you should enforce as much security as
> possible.
>
> On 7/1/06, Snake <[EMAIL PROTECTED]> wrote:
> >
> > You could employ SPF on your domain, so any ISP that enforces SPF
> > checking will then make sure that emails from your domain came from an
> > allowed IP address. So any mail sent by spammers and phishers will not
> > get through.
> >
> > Snake
> >
> >
> > -----Original Message-----
> > From: Rick Faircloth [mailto:[EMAIL PROTECTED]
> > Sent: 01 July 2006 17:34
> > To: CF-Talk
> > Subject: RE: How do "Phishermen" send an email from a legitimate domain?
> >
> > So, I guess, in the end, there is no way to prevent email from being
> > sent from my own domain...
> >
> >
> >
> > -----Original Message-----
> > From: Snake [mailto:[EMAIL PROTECTED]
> > Sent: Saturday, July 01, 2006 12:13 PM
> > To: CF-Talk
> > Subject: RE: How do "Phishermen" send an email from a legitimate domain?
> >
> > Open Outlook, go to tools -> email accounts. Select one of your email
> > accounts to edit.
> > Change the from address to [EMAIL PROTECTED]
> >
> > Or create a CFM page to send an email.
> > Set the from address as "[EMAIL PROTECTED]"
> >
> > There you go.
> >
> > The from address you send an email from can be anything you like, this
> > has nothing to do with the mail server, which only validates the
> > account you are logging into to send the email.
> >
> > Snake
> >
> >
> > -----Original Message-----
> > From: Rick Faircloth [mailto:[EMAIL PROTECTED]
> > Sent: 01 July 2006 16:18
> > To: CF-Talk
> > Subject: OT: How do "Phishermen" send an email from a legitimate domain?
> >
> > Good morning, all.
> >
> > I, like many others, get phishing emails frequently, and can catch the
> > spoof simply by looking at the hyperlinks of addresses, such as
> > [EMAIL PROTECTED], which are going to [EMAIL PROTECTED],
> > but my question is:
> >
> > How can a phishing email be sent from [EMAIL PROTECTED] ?  How can
> > the PayPal.com domain be used if their email servers are set up
> > correctly?
> >
> > I ask because I get phishing email sent to me using my own domain
> > frequently, but I assume I haven't got everything set up perfectly,
> > nor do I know how. It's not too bad to live with at this point.  I just
> > wonder how they can do that with PayPal's domain, as well.
> >
> > Rick
> >
> 
