Date: Wed, 8 Sep 2004 20:15:01 +0100 (BST) From: Chris Edwards <C.Edwards@compserv.gla.ac.uk> Subject: Re: Spammers Skirt IP Authentication Attempts
| SPF verification query gets returns one of three kinds of result: | 1) MISMATCH on point-of-origin vs domain 'authorized' senders. *VERY* | probably spam.
Either spam, or almost any item of forwarded mail :-(
Beg to differ. Forwarded mail almost always shows an 'envelope from' of the _forwarding_ party. Case in point: all email, sent to nanog is 'forwarded' to me, and the other readers of the list. It has an "inside address" (per the 'From:' header) of whomever authored the message. *BUT*, the 'envelope from', in the SMTP transaction is completely different: <owner-nanog@merit.edu> A _successful_ SPF check on 'merit.edu' would, hopefully include 198.108.1.26 (trapdoor.merit.edu) in the list of 'official outgoing mail sources. Ignoring for the moment the fact that Merit hasn't added SPF records to DNS yet. :) Same thing applies for 'simple' forwarding via sendmails '~/.forward' mechanism. the mail server 'accepts' the mail from the original source, and then 're-sends' to the new destination. That re-send originates as the _forwarding_party_, WITH an 'envelope from' of that forwarding party, even though the internal content ofthe message may show a _different_, and unrelated, "From" address. An SPF check of the _immediate_ sender does *NOT* break forwarded mail. Unless the forwarding process is _totally_ borken, that is. <grin>
On 2004-09-08T15:15-0500, Robert Bonomi wrote: ) Same thing applies for 'simple' forwarding via sendmails '~/.forward' ) mechanism. the mail server 'accepts' the mail from the original source, ) and then 're-sends' to the new destination. That re-send originates as ) the _forwarding_party_, WITH an 'envelope from' of that forwarding party, ) even though the internal content ofthe message may show a _different_, ) and unrelated, "From" address. My experience with Sendmail has been that the envelope sender is retained through /etc/aliases or ~/.forward. I can confirm that qmail's .qmail definitely retains the envelope sender of the original message. MAIL From:<user@example.com> RCPT To:<aliasuser@example.net> Received: from outgoing.example.com by mail.example.net Received-SPF: pass: outgoing.example.com allowed for example.com MAIL From:<user@example.com> RCPT To:<realaddress@example.org> Received: from mail.example.net by incoming.example.org Received-SPF: fail: mail.example.net NOT allowed for example.com Mailing lists get away with changing the envelope sender because the original sender does not actually expect to receive DSNs for the message for individual subscribers. Forwarding sites, on the other hand, can not simply modify the envelope sender; DSNs *are* expected to track back to the originating sender through a simple forward. One proposal is to allow forwarding sites to modify the envelope sender in such a way as to encode the original envelope sender in the LHS of an @forwarding.site address. For example: MAIL From:<bounce-user=example.com@example.net> RCPT To:<realaddress@example.org> Received: from mail.example.net by incoming.example.org Received-SPF: fail: mail.example.net allowed for example.net A naive scheme would allow for open relaying, however. A widely-deployed naive scheme could be used by spammers to send mail to arbitrary addresses: for i in $list; do mail bounce-$(echo $i | sed s/@/=/)@example.net < myspam done At least one anti-spam group has claimed they will list mail servers from forwarding sites that use such an easily-exploited scheme. :( -- Daniel Reed <n@ml.org> http://people.redhat.com/djr/ http://naim.n.ml.org/ 1832 Savior214: that sucks that one day your just gonna die and all that work you did learning stuff just gets a rm -rf
On Wed, Sep 08, 2004 at 03:15:14PM -0500, Robert Bonomi <bonomi@mail.r-bonomi.com> wrote a message of 37 lines which said:
Same thing applies for 'simple' forwarding via sendmails '~/.forward' mechanism. the mail server 'accepts' the mail from the original source, and then 're-sends' to the new destination. That re-send originates as the _forwarding_party_, WITH an 'envelope from' of that forwarding party,
Sorry, this is simply not true (sendmail, postfix, etc, always keep the original envelope from when forwarding).
An SPF check of the _immediate_ sender does *NOT* break forwarded mail.
Even SPF people say it: http://spf.pobox.com/faq.html#forwarding
Robert Bonomi <bonomi@mail.r-bonomi.com> wrote
Same thing applies for 'simple' forwarding via sendmails '~/.forward' mechanism. the mail server 'accepts' the mail from the original source, and then 're-sends' to the new destination. That re-send originates as the _forwarding_party_, WITH an 'envelope from' of that forwarding party,
On Fri, Sep 10, 2004 at 09:55:55AM +0200, Stephane Bortzmeyer wrote:
Sorry, this is simply not true (sendmail, postfix, etc, always keep the original envelope from when forwarding).
I'm not sure where "true" diverges from reality in your analysis, but perhaps you should create one of those mail environments and test before you put your foot in your mouth again? -- Joe Rhett Senior Geek Meer.net
On Fri, Sep 10, 2004 at 01:57:51AM -0700, Joe Rhett <jrhett@meer.net> wrote a message of 19 lines which said:
I'm not sure where "true" diverges from reality in your analysis, but perhaps you should create one of those mail environments and test before you put your foot in your mouth again?
Good idea, I plan to install a Fedora this week-end and to learn a bit about Postfix. Your wide experience will certainly help. If you think that sendmail or postfix modify the "enveloppe from" when forwarding, I suggest that you send your big discovery to the IETF MARID working group, where it may change a lot of things in the current discussion about Sender-ID :-)
participants (4)
-
Daniel Reed
-
Joe Rhett
-
Robert Bonomi
-
Stephane Bortzmeyer