On Fri, 14 Oct 2016 21:24:08 +0200 Petr Bena <petr@bena.rocks> wrote:

> That is probably true, but it doesn't change the fact that SPF specs
> as they are make SPF completely useless.

It also doesn't change the fact that running SPF on the From: header domain is completely wrong and will break all kinds of things.

> Is there any way to get spam assassin to actually figure out that
> e-mail is spoofed even if it's obviously easy to figure out?

No. Because there is no definitive way to determine if an email is "spoofed". Tell me, is this email spoofed? The header from <d...@roaringpenguin.com> clearly fails SPF, and the envelope sender is likely to be something in the "spamassassin.apache.org" domain. This is obviously spoofed. By any sensible measure, all of this list traffic is spoofed.

> Isn't this like completely flawed design?

SMTP provides no authentication. So when nothing can be authenticated, there's no such thing as "spoofing". Arguably, it's a flawed design, but inarguably it's much too late to replace SMTP.

DKIM is about the best we have, but even that doesn't pretend to prevent spoofing. All it does is assert that a specific email passed through and was signed by a server that knows the private key corresponding to a certain public key.

Regards,

Dianne.

P.S. The situation is not all bleak, of course. Knowledge of your own domain can let you make rules that do help to stop spear-phishing attacks, but these are domain-specific and not generally applicable.
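The envelope-versus-header point in the reply above is easy to see with a small script. The following is an added example, not code from this thread or from SpamAssassin: it parses a constructed mailing-list message, pulls the envelope sender domain from Return-Path (the MAIL FROM address as the delivering MTA recorded it) and the author domain from the From: header, and evaluates each against a toy SPF record table. The domains, addresses, IP ranges and SPF records are all made up (example.org/example.com and RFC 5737 address blocks), standing in for the list's domain and the author's own domain; DNS is not consulted, and the evaluator supports only the ip4, ip6 and all mechanisms with their qualifiers, which is enough to show the mismatch.

```python
import email
import ipaddress
from email.utils import parseaddr

# Constructed stand-ins for the SPF TXT records DNS would return (assumption:
# no real lookups; these are hypothetical records for hypothetical domains).
SPF_RECORDS = {
    "sender.example.com": "v=spf1 ip4:198.51.100.0/24 -all",   # the author's own domain
    "list.example.org":   "v=spf1 ip4:203.0.113.0/24 ~all",    # the mailing list's domain
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, client_ip, records=SPF_RECORDS):
    """Minimal SPF check: walk the record left to right, return on first match.
    Only ip4:/ip6:/all are implemented; a, mx, include, exists etc. are not."""
    record = records.get(domain)
    if not record:
        return "none"                       # no SPF record published at all
    terms = record.split()
    if terms[0] != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]    # catch-all at the end of the record
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            return "permerror"              # mechanism this toy evaluator does not know
    return "neutral"                        # ran off the end without a match


def sender_domains(raw_message):
    """Return (envelope sender domain, header From: domain) for a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    envelope = parseaddr(msg["Return-Path"] or "")[1]
    header_from = parseaddr(msg["From"] or "")[1]
    return envelope.rpartition("@")[2].lower(), header_from.rpartition("@")[2].lower()


def check(raw_message, client_ip):
    """SPF verdict for the envelope sender (what SPF is defined over) and,
    for contrast, the same check wrongly applied to the From: header domain."""
    env_dom, from_dom = sender_domains(raw_message)
    return {
        "envelope_domain": env_dom,
        "header_from_domain": from_dom,
        "spf_envelope": evaluate_spf(env_dom, client_ip),
        "spf_header_from": evaluate_spf(from_dom, client_ip),
    }


# Constructed message as it would arrive from a mailing list relay: the list
# rewrote the envelope sender to its own bounce address but left From: alone.
LIST_MESSAGE = """Return-Path: <users-bounces@list.example.org>
Received: from relay.list.example.org (relay.list.example.org [203.0.113.10]) by mx.example.net
From: Dianne <dianne@sender.example.com>
To: users@list.example.org
Subject: Re: SPF and spoofing

SPF is evaluated against the envelope sender, not the From: header.
"""

# Constructed message sent directly from the author's own mail server.
DIRECT_MESSAGE = """Return-Path: <dianne@sender.example.com>
Received: from mail.sender.example.com (mail.sender.example.com [198.51.100.7]) by mx.example.net
From: Dianne <dianne@sender.example.com>
To: petr@example.net
Subject: direct mail

Same author, no list in the path.
"""

if __name__ == "__main__":
    for name, raw, ip in (("list", LIST_MESSAGE, "203.0.113.10"),
                          ("direct", DIRECT_MESSAGE, "198.51.100.7")):
        print(name, check(raw, ip))
```

Run against the list message from the relay's address, the envelope domain passes while the From: header domain fails, which is exactly the "spoofed" list traffic Dianne describes; the direct message passes both. A real check also has to handle the remaining mechanisms, the include/redirect lookup limits, and an empty MAIL FROM (bounces), which SPF evaluates against the HELO identity instead.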
> That is probably true, but it doesn't change the fact that SPF specs > as they are make SPF completely useless. It also doesn't change the fact that running SPF on the From: header domain is completely wrong and will break all kinds of things. > Is there any way to get spam assassin to actually figure out that > e-mail is spoofed even if it's obviously easy to figure out? No. Because there is no definitive way to determine if an email is "spoofed". Tell me, is this email spoofed? The header from <d...@roaringpenguin.com> clearly fails SPF, and the envelope sender is likely to be something in the "spamassassin.apache.org" domain. This is obviously spoofed. By any sensible measure, all of this list traffic is spoofed. > Isn't this like completely flawed design? SMTP provides no authentication. So when nothing can be authenticated, there's no such thing as "spoofing". Arguably, it's a flawed design, but inarguably it's much to late to replace SMTP. DKIM is about the best we have, but even that doesn't pretend to prevent spoofing. All it does is assert that a specific email passed through and was signed by a server that knows the private key corresponding to a certain public key. Regards, Dianne. P.S. The situation is not all bleak, of course. Knowledge of your own domain can let you make rules that do help to stop spear-phishing attacks, but these are domain-specific and not generally applicable.