[OT] SPF - was Re: Simple Python script as SMTP server for outgoing e-mails?

Michael Torrie torriem at gmail.com
Tue Jul 23 17:12:47 CEST 2013


On 07/23/2013 03:30 AM, Chris Angelico wrote:
> On Tue, Jul 23, 2013 at 7:19 PM, Chris Angelico <rosuav at gmail.com> wrote:
>> Ah, there's a solution to this one. You simply use your own
>> envelope-from address; SPF shouldn't be being checked for the From:
>> header.
> 
> There's an example, by the way, of this exact technique right here -
> python-list at python.org sends mail to me with an envelope-from of
> "python-list-bounces+rosuav=gmail.com at python.org" - which passes SPF,
> since python.org has a TXT record designating the sending IP as one of
> theirs. It doesn't matter that invalid.invalid (your supposed domain)
> doesn't have an SPF record, nor would it be a problem if it had one
> that said "v=spf1 -all", because that domain wasn't checked. Mailing
> lists are doing the same sort of forwarding that you're doing.

This is good and all, and I think I will modify my local postfix mail
server I use for personal stuff, just for correctness' sake.

I hadn't spent much time studying SPF in depth before, but after reading
your comments (which were insightful) I'm now more convinced that SPF is
worthless than ever, at least as a spam prevention mechanism.  Spammers
can use throwaway domains that publish very non-strict SPF records, and
spam to their hearts content with random forged from addresses and SPF
checks pass.  The only way around that is to enforce SPF on the From:
header in the e-mail itself, which we all agree is broken.  I've been
reading this:

http://www.openspf.org/FAQ/SPF_is_not_about_spam

Not very encouraging.  When the other expensive options for going after
spammers who have valid SPF records, they propose domain blacklists as a
solution.




More information about the Python-list mailing list