Hi > I guess you have only one (or maybe 2 or 3) mail server which > your customers can use to relay mails trough SMTP Auth. Now you > have in every domain you are hosting set up the SPF entry for the > IP of your mailserver. How do you proctect customer A to use > customer B's domain for sending emails?
This is a problem inherent to SPF. I agree that this form of abuse is possible. Also in the swinog.ch/ADSL-scenario you described all customers of the ADSL access provider would be able to send mails using our customer's domain. However, we would at least be able to identify the victim in our log files. Or if it is another Swiss ISP we could ask them to provide us with that information. Consider if you had to ask a foreign (chinese? taiwanese? brazilian?) ISP for this kind of information. "Our Mailserver + Random Swiss ISP Mailserver" is still significantly less than "the whole internet". And as the SPF FAQ mentions, the only real form of identity verification is something like PGP. Domain protection with SPF was merely an idea of how to make customers interested in this technology. http://spf.pobox.com/faq.html#whichfield > Are you still sure, that SPF will protect the customers domain > from being abused as sender address? In many cases it will. Consider virii sending mails with forged domain names. -- Kind Regards Daniel Lorch Still Not Giving Up Hostpoint GmbH � � � �| The Data Residence � �| Z�rcherstrasse 2 � � �| 8640 Rapperswil � � � | Schweiz Tel �+41 55 220 0404 �| Fax �+41 55 220 0409 �| www.hostpoint.ch _______________________________________________ swinog mailing list [EMAIL PROTECTED] http://lists.init7.net/cgi-bin/mailman/listinfo/swinog
