Re: TECH-OMISSION: billing.victim.com is possible
On Mon, Aug 23, 2004 at 04:35:20PM -0700,
Daniel Quinlan <quinlan@xxxxxxxxxxxx> wrote
a message of 18 lines which said:
> all a spammer/phisher needs to do is fake their email to come from
> "billing.victim.com" or some other undefined host.
...
> It may be sufficient to state that an implementation MAY fail or
> softfail in check_host() domain if no SPF2, MX, or A record exists.

IMHO, every sensibly managed MTA already refuses email from nonexistent
addresses (smtpd_sender_restrictions = reject_unknown_sender_domain in
Postfix), so I do not see this as an issue.

The lack of an MX or an A or an AAAA (meaning the message is
unreplyable) is a separate error (which is already addressed by
implementations).

[It has already been discussed on the spf-discuss list.]

The only thing to change should be to ask the MTA authors to allow the
testing of "unknown_sender_domain" to be performed on every address
used by the PRA algorithm.
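
Added example, not part of the original message or of any MTA's code: a sketch of the check proposed above, applying the "unknown sender domain" test to every address in the headers the PRA algorithm can select from. The header list follows the PRA definition in RFC 4407 (an assumption, it is not given in the post), and DNS is replaced by a constructed lookup table so the example runs offline; all function names are hypothetical.

```python
from email import message_from_string
from email.utils import getaddresses

# Headers the PRA algorithm can select an address from (per RFC 4407;
# the list is an assumption, it does not appear in the post).
PRA_HEADERS = ("Resent-Sender", "Resent-From", "Sender", "From")

# Constructed stand-in for DNS: domain -> record types that exist.
# A real deployment would query a resolver instead.
SAMPLE_ZONE = {
    "victim.com": {"MX", "A"},
    "lists.example.org": {"AAAA"},
}

def domain_is_known(domain, zone=SAMPLE_ZONE):
    """True if the domain has at least one MX, A or AAAA record."""
    records = zone.get(domain.lower().rstrip("."), set())
    return bool(records & {"MX", "A", "AAAA"})

def pra_candidate_addresses(raw_message):
    """Return (header, address) for every address in a PRA-relevant header."""
    msg = message_from_string(raw_message)
    found = []
    for header in PRA_HEADERS:
        for _name, addr in getaddresses(msg.get_all(header, [])):
            if addr:
                found.append((header, addr))
    return found

def unknown_domain_addresses(raw_message, zone=SAMPLE_ZONE):
    """List the (header, address) pairs whose domain has no MX/A/AAAA."""
    rejected = []
    for header, addr in pra_candidate_addresses(raw_message):
        domain = addr.rpartition("@")[2]
        if "@" not in addr or not domain_is_known(domain, zone):
            rejected.append((header, addr))
    return rejected

# Constructed sample message: the From header uses an undefined host
# under a real domain, the case raised in the quoted text.
SAMPLE_MESSAGE = """\
From: Accounts <accounts@billing.victim.com>
Sender: relay@lists.example.org
Subject: Your invoice

Please log in to review your invoice.
"""

if __name__ == "__main__":
    for header, addr in unknown_domain_addresses(SAMPLE_MESSAGE):
        print(f"reject: {header} address {addr} has no MX/A/AAAA")
```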