
TECH-OMISSION: billing.victim.com is possible

Since Sender-ID is defined to be using the domain (RHS) of the email
address, all a spammer/phisher needs to do is fake their email to come
from "billing.victim.com" or some other undefined host.  Then, no
Sender-ID record will be defined.  No Sender-ID record is possibly
preferable to a spammer/phisher to an SPF failure for "victim.com" or
an SPF pass for one of their own domains.

It may be sufficient to state that an implementation MAY fail or
softfail in check_host() domain if no SPF2, MX, or A record exists.

I don't think wildcards are a full solution, but they can be used as a
flawed workaround in some situations for this issue.  This is a plus in
the column for wildcards, I think (section 2.1.7 in -protocol).

-- 
Daniel Quinlan
http://www.pathname.com/~quinlan/
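The gap the post describes, and both of the responses it mentions (the proposed "fail or softfail when no record, MX, or A exists" rule for check_host(), and the wildcard record workaround with its limitation), as an added illustration that is not part of the original message. The zone data, the `ZONE_NO_WILDCARD`/`ZONE_WILDCARD` names, and the `fail_if_no_domain` parameter are constructed for this example; the resolver is a toy in-memory lookup, not a real DNS client, and the evaluator supports only the `a`, `mx`, `ip4:` and `all` mechanisms.

```python
from ipaddress import ip_address, ip_network

# Constructed zone for "victim.com": a published policy at the apex, one MX host,
# a web host with only an A record, and (in the second zone) a wildcard TXT record.
# Keys are (owner name, record type); values are lists of record data.
ZONE_NO_WILDCARD = {
    ("victim.com", "TXT"): ["v=spf1 mx -all"],
    ("victim.com", "MX"): ["mail.victim.com"],
    ("mail.victim.com", "A"): ["192.0.2.10"],
    ("www.victim.com", "A"): ["192.0.2.20"],
}
# Same zone plus the wildcard workaround discussed in the post (constructed).
ZONE_WILDCARD = {**ZONE_NO_WILDCARD, ("*.victim.com", "TXT"): ["v=spf1 -all"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def name_exists(zone, name):
    """True if the owner name has records of any type (RFC 1034 wildcard rule)."""
    return any(owner == name for owner, _ in zone)


def lookup(zone, name, rtype):
    """Toy resolver: direct match first; a wildcard only applies to names that
    do not exist at all, which is exactly why the workaround is incomplete."""
    direct = zone.get((name, rtype))
    if direct is not None:
        return list(direct)
    if name_exists(zone, name):
        return []  # name exists with other types, so "*.parent" must not match
    parent = name.split(".", 1)[1] if "." in name else ""
    return list(zone.get(("*." + parent, rtype), []))


def evaluate(zone, domain, ip, record):
    """Minimal mechanism walk: first matching term decides the result."""
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith("ip4:"):
            matched = ip_address(ip) in ip_network(term[4:], strict=False)
        elif term == "mx":
            hosts = lookup(zone, domain, "MX")
            matched = any(ip in lookup(zone, h, "A") for h in hosts)
        elif term == "a":
            matched = ip in lookup(zone, domain, "A")
        else:
            matched = False  # unsupported mechanism in this toy evaluator
        if matched:
            return QUALIFIERS[qual]
    return "neutral"


def check_host(zone, domain, ip, fail_if_no_domain=False):
    """check_host()-style entry point. With fail_if_no_domain=False the checker
    behaves as the post describes (an undefined host yields "none"); with it set,
    the post's suggested rule applies: no policy record, no MX and no A -> softfail."""
    records = [r for r in lookup(zone, domain, "TXT")
               if r.startswith("v=spf1 ") or r.startswith("spf2.0/")]
    if records:
        return evaluate(zone, domain, ip, records[0])
    if fail_if_no_domain and not lookup(zone, domain, "MX") and not lookup(zone, domain, "A"):
        return "softfail"
    return "none"


if __name__ == "__main__":
    for zone_name, zone in (("no wildcard", ZONE_NO_WILDCARD), ("wildcard", ZONE_WILDCARD)):
        for domain in ("victim.com", "billing.victim.com", "www.victim.com"):
            print(zone_name, domain,
                  check_host(zone, domain, "203.0.113.5"),
                  check_host(zone, domain, "203.0.113.5", fail_if_no_domain=True))
```

Running it shows the three situations from the post side by side: the apex domain fails for an unauthorized sender, the undefined host "billing.victim.com" yields "none" unless the no-record rule is enabled, and the wildcard record does make "billing.victim.com" fail but does nothing for "www.victim.com", because that name already exists with an A record and a wildcard never applies to an existing name. That last case is the "flawed workaround" the post refers to.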