On Fri, 14 Oct 2016 21:24:08 +0200
Petr Bena <email@example.com> wrote:
> That is probably true, but it doesn't change the fact that SPF specs
> as they are make SPF completely useless.
It also doesn't change the fact that running SPF on the From: header
domain is completely wrong and will break all kinds of things.
> Is there any way to get spam assassin to actually figure out that
> e-mail is spoofed even if it's obviously easy to figure out?
No. Because there is no definitive way to determine if an email is
"spoofed". Tell me, is this email spoofed? The header from
<d...@roaringpenguin.com> clearly fails SPF, and the envelope sender is
likely to be something in the "spamassassin.apache.org" domain. This is
By any sensible measure, all of this list traffic is spoofed.
> Isn't this like completely flawed design?
SMTP provides no authentication. So when nothing can be
authenticated, there's no such thing as "spoofing". Arguably, it's a
flawed design, but inarguably it's much too late to replace SMTP.
DKIM is about the best we have, but even that doesn't pretend to
prevent spoofing. All it does is assert that a specific email passed
through and was signed by a server that knows the private key
corresponding to a certain public key.
P.S. The situation is not all bleak, of course. Knowledge of your own domain
can let you make rules that do help to stop spear-phishing attacks, but
these are domain-specific and not generally applicable.
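To illustrate the point made above about why SPF must be evaluated against the envelope sender and not the From: header, here is an added example (not from the list post or from SpamAssassin itself). It uses a constructed mailing-list message, constructed `.example` domains and a hard-coded table standing in for DNS TXT lookups, and a minimal SPF evaluator that only understands `ip4:` mechanisms and the final `all`.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-ins for the SPF TXT records DNS would return (not real data).
SPF_RECORDS = {
    "roaringpenguin.example": "v=spf1 ip4:192.0.2.0/24 -all",    # author's domain
    "spamassassin.example": "v=spf1 ip4:198.51.100.0/24 -all",   # list server's domain
}
RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, client_ip):
    """Minimal SPF check: only ip4 mechanisms and a trailing 'all' are supported."""
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:          # skip the 'v=spf1' version tag
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return RESULT_FOR_QUALIFIER[qualifier]
        elif term == "all":
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                         # no mechanism matched, no 'all' present

def sender_domains(raw_message):
    """Return (header From: domain, envelope sender domain from Return-Path)."""
    msg = message_from_string(raw_message)
    header_from = parseaddr(msg["From"])[1].split("@")[1]
    envelope = parseaddr(msg["Return-Path"])[1].split("@")[1]
    return header_from, envelope

def evaluate(raw_message, client_ip):
    """SPF result when applied to the From: header versus the envelope sender."""
    header_from, envelope = sender_domains(raw_message)
    return {"header_from": check_spf(header_from, client_ip),
            "envelope": check_spf(envelope, client_ip)}

# Constructed message as it arrives from a list server at 198.51.100.7:
# the author's From: is preserved, but the envelope sender is the list's bounce address.
LIST_MESSAGE = """Return-Path: <users-bounces@spamassassin.example>
From: Dianne <dianne@roaringpenguin.example>
To: users@spamassassin.example
Subject: Re: SPF

body text
"""

if __name__ == "__main__":
    print(evaluate(LIST_MESSAGE, "198.51.100.7"))
```

Checking the envelope sender passes, while the same record applied to the From: header fails, which is exactly the mailing-list breakage the reply describes.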