Chris Santerre wrote:
-----Original Message-----
From: Daryl C. W. O'Shea [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 09, 2005 11:04 AM
To: Chris Santerre
Cc: 'Robert Menschel'; users@spamassassin.apache.org
Subject: Re: Whitelist collection project

How do you propose that whitelist_from_rcvd or whitelist_from_spf be abused, other than due to a mis configured or compromised server?

Daryl


First I propose I don't answer anymore email until I get off this cold
medication :)

Have some nachos with some Buckley's, you'll be all set.


Second, I believe SPF records can be spoofed/use in a disposibal manner. But
thats my medicated brain half telling me I might remember reading something
about that.

You can create a record that says your domain can send mail from someone elses servers, but you'd have to control someone elses DNS to say that you can send mail from them via your servers. So in the case of whitelist_from_spf it's not an issue.



As for rcvd, I'm not sure how secure that is to faked headers. But you can
bet they are going to try to abuse it anyway they can.

Only the received header generated at the point mail is passed from the sender's network to the recipient's network is used when checking for a whitelist_from_rcvd match, so this too isn't an issue. It's just more work to maintain than whitelist from SPF.



If you can get code to deal with those issues, then hell yeah!
>
I also like Theos idea of using it for the 'skipped' domains.

Sounds good to me too.


Daryl



Reply via email to