[OT] SPF - was Re: Simple Python script as SMTP server for outgoing e-mails?
Michael Torrie
torriem at gmail.com
Tue Jul 23 11:12:47 EDT 2013
On 07/23/2013 03:30 AM, Chris Angelico wrote:
> On Tue, Jul 23, 2013 at 7:19 PM, Chris Angelico <rosuav at gmail.com> wrote:
>> Ah, there's a solution to this one. You simply use your own
>> envelope-from address; SPF shouldn't be being checked for the From:
>> header.
>
> There's an example, by the way, of this exact technique right here -
> python-list at python.org sends mail to me with an envelope-from of
> "python-list-bounces+rosuav=gmail.com at python.org" - which passes SPF,
> since python.org has a TXT record designating the sending IP as one of
> theirs. It doesn't matter that invalid.invalid (your supposed domain)
> doesn't have an SPF record, nor would it be a problem if it had one
> that said "v=spf1 -all", because that domain wasn't checked. Mailing
> lists are doing the same sort of forwarding that you're doing.

This is good and all, and I think I will modify my local postfix mail
server I use for personal stuff, just for correctness' sake.

I hadn't spent much time studying SPF in depth before, but after reading
your comments (which were insightful) I'm now more convinced that SPF is
worthless than ever, at least as a spam prevention mechanism. Spammers
can use throwaway domains that publish very non-strict SPF records, and
spam to their heart's content with random forged from addresses and SPF
checks pass. The only way around that is to enforce SPF on the From:
header in the e-mail itself, which we all agree is broken. I've been
reading this:

http://www.openspf.org/FAQ/SPF_is_not_about_spam

Not very encouraging. When the other expensive options for going after
spammers who have valid SPF records, they propose domain blacklists as a
solution.
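
The distinction discussed in this thread, as an added example that is not part of the original post: a receiver-side sketch that evaluates SPF against the envelope-from domain and reports the From: header domain that SPF never looks at. The TXT records, the `lists.example` domain, the IP addresses and the function names are constructed for illustration, and only the `ip4`, `ip6` and `all` mechanisms are handled.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed TXT records standing in for DNS lookups (not real published policies).
SPF_RECORDS = {
    "lists.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "invalid.invalid": "v=spf1 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, client_ip):
    """Evaluate the ip4/ip6/all subset of SPF for one domain and connecting IP."""
    record = SPF_RECORDS.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no policy published for this domain
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no "all" term


def check_message(envelope_from, raw_message, client_ip):
    """SPF result for the envelope sender, next to the From: domain SPF ignores."""
    spf_domain = envelope_from.rsplit("@", 1)[1]
    header_addr = parseaddr(message_from_string(raw_message)["From"])[1]
    header_domain = header_addr.rsplit("@", 1)[1]
    return {
        "spf_domain": spf_domain,
        "spf_result": evaluate_spf(spf_domain, client_ip),
        "header_from_domain": header_domain,
        # What the result would be if the receiver (incorrectly) checked From:
        "header_from_result_if_checked": evaluate_spf(header_domain, client_ip),
    }


# Constructed message: list traffic with the poster's address left in From:
SAMPLE = "From: Some Poster <poster@invalid.invalid>\nSubject: test\n\nbody\n"
```

The gap between `spf_result` and `header_from_result_if_checked` is why SPF alone says nothing about the address a reader sees; a receiver that wants the From: domain tied to an authenticated identity needs an alignment check on top of SPF.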