Mailinglist Archive: opensuse-security (297 mails)

< Previous Next >
Re: [suse-security] Email Spoofing
  • From: Arjen de Korte <suse+security@xxxxxxxxxxxx>
  • Date: Thu, 22 Jul 2004 09:41:55 +0200
  • Message-id: <200407220941.55869.suse+security@xxxxxxxxxxxx>
On Wednesday 21 July 2004 22:40, suse@xxxxxx wrote:

> Please explain the difference between the "all" record and not publishing
> SPF records period? If everyone sticks "all" in their SPF records, we have
> precisely the same situation we do now.

In a few years time, the '?all' will become obsolete and '-all' will be all
that you want at the end of your SPF record. Or risk that people will forge
mail from your domain.

> Basically, SPF is just a "feel good" lark.

I diagree. It's a reasonable way to deal with the ever increasing number of
forgeries, either from spammers or virusses. It has it's drawbacks, but these
can be relatively solved without having to redesign the e-mail system that is
in use today. If we don't start doing something now, the present e-mail
system will collapse. SPF is one of the ways to deal with that and although
not perfect, will provide the least impact to end users when both ISPs and
hosting companies implement it. Other schemes like Domain Keys will give even
better protection, but will likely not be adopted on a large scale, since it
requires to many changes for the end users. The 'beauty' of SPF is that it
can be implemented by the people who supposedly know what they are doing
(ISP's and hosting companies).

> In order to prevent it from breaking current e-mail, you have to break SPF.

Publishing '?all' at the end of your SPF record doesn't break it. If you
designate legitimate senders, they will pass however.

> Then the SPF people say "Wowie! Look at all the people using SPF!" except
> that the biggest and probably most of the others use the "all" tag that says
> "everyone is considered trusted!"

I suggest you first read up on SPF before you're making a fool of yourself
more than you already did. Only when receiving a SPF 'pass', e-mail is
considered legitimate, SPF 'softfail' and 'neutral' will still be accepted,
but is not considered to be legitimate. Only in case of SPF 'fail' a message
should be bounced.

> What's the point in publishing SPF if you publish that the entire internet
> is considered trusted for your domain?

SPF 'neutral' is NOT considered trusted. And by the time that most hosting
providers will have switched to remailing instead of forwarding (I know, this
will take time) 'neutral' and 'softfail' will be almost equivalent to 'fail'
for Bayesian filters, as spammers and virusses will only be able to get
through by using domains which default to 'neutral' or 'softfail'.

> Oh, and I'm not "picturing" it. It actually happened to me. I was a big
> proponent of the idea of SPF until my customers started complaining.

You must have published a '-all' at the end of your SPF record and failed to
oversee the consequenses of doing this.


< Previous Next >
Follow Ups