On 22.11.2019 at 07:24:03 Richard Damon wrote:
> 
> Base SPF works through a traditional forwarder, because the base rules
> for SPF allow the message to pass based on the domain of the Sender:
> header, not just the From:. A proper forwarder will add a Sender: header
> for itself, to indicate that while it was not the originator of the
> message, it was the last one to send it.

AFAIK no mainstream MTA adds the "Sender:" header when forwarding mail,
either via a .forward file, via /etc/aliases, a virtual users table or any
other means. Postfix doesn't do it either. You probably need to forward via
some specially crafted script to achieve this.

> SPF works just fine as designed, because it was designed as a HELPER for
> receivers, not intending to be an all encompassing solution. If I, the
> receiver of the message see that the message passed SPF, AND I trust the
> domain that sent the message, then I can be fairly sure that the message
> is legitimate.

So I guess SPF should be used in such a way that it adds to the message a
"positive" score (i.e. non-spam - in most spam filtering software it's
actually a negative number :)) if SPF passes, and if it fails, it's simply
ignored and other criteria are used to determine if the message is spam or
non-spam?
Yes, I would agree with such use of SPF. But in reality it is much more often
used in exactly the opposite way, i.e. the message gets some spam score if SPF
fails, but if it passes, it's usually just zero.

> SPF is designed to help with 'white-listing'.

But it's now used mostly for blacklisting, i.e. if you fail the SPF check, you
are a suspected spammer. At least that's what Google and Microsoft do (and
probably a couple of other big email providers as well).

> the reason that Yahoo at least adopted it was that they had so many
> security breaches that leaked out their users address books, that a very
> real problem was yahoo members getting emails claiming to be from
> friends that were actually attack vectors, that they couldn't keep up
> with other measures to try and block it.

Yes, that is true. On a mail server which I administered a few years ago, we
had so many spam and phishing messages coming apparently from Yahoo domain
that I had to take extreme measures and reject mail from that domain
altogether. However, in the rejection message I put a link to a web page
where one could whitelist him/herself by submitting their e-mail address via
the page. A legitimate sender would - hopefully - do it and thus be able to
re-send the message. The spammer usually won't, as they don't read rejection
messages, and even if they did, they won't have time to deal with this
procedure.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."

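As an added illustration (example code written for this thread, not code from either poster, Postfix, or any SPF library), the following toy evaluator shows the two points discussed above: why a traditionally forwarded message fails SPF at the final receiver (the forwarder's IP is not in the originating domain's record, while the domain being checked is unchanged), and how the same SPF result feeds a "whitelisting" scoring policy versus a "blacklisting" one. All domains, IP addresses, SPF records and score values are constructed for the example; only the ip4/ip6/include/all mechanisms are handled, and record lookup is a local dictionary instead of DNS.

```python
import ipaddress

# Constructed SPF records keyed by domain (stand-in for DNS TXT lookups).
# Domains and addresses are documentation/example values, not real data.
RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:203.0.113.0/24 ~all",
    "forwarder.example": "v=spf1 ip4:198.51.100.5 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, records=RECORDS, depth=0):
    """Evaluate the connecting IP against `domain`'s SPF record.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Only ip4:, ip6:, include: and all are implemented; other mechanisms
    (a, mx, ptr, exists, redirect=) are skipped by this toy evaluator.
    """
    if depth > 10:
        return "permerror"  # guard against include: loops
    record = records.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)

    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]

        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            # `in` returns False when address and network families differ.
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            # include: matches only if the included record yields "pass".
            matched = check_spf(ip, term[len("include:"):], records, depth + 1) == "pass"
        else:
            continue  # unsupported mechanism: ignored here

        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" present


def spf_score(result, policy):
    """Map an SPF result to a spam-score contribution (constructed values).

    "whitelist": a pass lowers the score, everything else is ignored.
    "blacklist": a fail/softfail raises the score, a pass is worth nothing.
    """
    if policy == "whitelist":
        return {"pass": -1.0}.get(result, 0.0)
    if policy == "blacklist":
        return {"fail": 2.0, "softfail": 1.0}.get(result, 0.0)
    raise ValueError("unknown policy: %r" % policy)


def forwarding_scenario():
    """Originator sends from its own relay, a forwarder re-sends it unchanged."""
    originator_ip = "192.0.2.10"    # listed in example.org's record
    forwarder_ip = "198.51.100.5"   # listed only in forwarder.example's record
    return {
        # Direct delivery: checked domain and sending IP agree.
        "direct": check_spf(originator_ip, "example.org"),
        # Forwarded: the receiver still checks example.org, but sees the forwarder's IP.
        "forwarded_original_domain": check_spf(forwarder_ip, "example.org"),
        # If the check were instead made against the forwarder's own domain.
        "forwarded_forwarder_domain": check_spf(forwarder_ip, "forwarder.example"),
    }


if __name__ == "__main__":
    for name, result in forwarding_scenario().items():
        print("%-28s %-8s whitelist=%+.1f blacklist=%+.1f" % (
            name, result, spf_score(result, "whitelist"), spf_score(result, "blacklist")))
```

Running it prints the forwarded case as "fail" when checked against the originating domain: under the whitelisting policy that contributes nothing, under the blacklisting policy it adds to the spam score, which is exactly the difference in operator practice described above.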