On Tue, Mar 09, 2004 at 11:14:39AM -0500, Nick Fisher wrote: > > In the headers of your message: > > From [EMAIL PROTECTED] > > Received: from mail.apache.org (daedalus.apache.org [208.185.179.12]) > > [snip] > > > The problem with that is that it takes no account of forwarding. > > Domain A, B and C. > > If I send a mail from domain A to domain B, that is then forwarded to domain > C it will appear to be spoofed as domain B is not in domain A's SPF records.
It does not *appear* to be spoofed, it *is* spoofed. Yes, SPF stops that. You were already pointed at the difference between "From " (note the space) and "From:". As you can see, SPF works perfectly for the spamassassin mailing list. Now consider a "mailing list" with just one subscriber. domain A: home of the author of a message domain B: hosting said "list" domain C: home of the sole subscriber to that list [EMAIL PROTECTED] sends a message to [EMAIL PROTECTED] [EMAIL PROTECTED] setup forwarding. All domainB has to do when it transfers the message to domainC is: 1: make sure the envelope sender address is at domainB, not domainA 2: there is no #2. No SRS is needed. No other special tricks are needed. SPF does not break forwarding. SPF breaks spoofing; and does not care if spoofing is done by someone with good intentions or someone with bad intentions. SRS is just a smart way _for_domainB_ to generate a *local* address that has the address of [EMAIL PROTECTED] encoded in it. DomainB could keep a database instead. But what about bounces? Well, if [EMAIL PROTECTED] screws up, [EMAIL PROTECTED] will have to educate userB. If domainC screws up, that's between domains B and C. DomainA succesfully delivered the message to its destination. cheers, Alex -- begin sig http://www.googlism.com/index.htm?ism=alex+van+den+bogaerdt&type=1 This message was produced without any <iframe tags
