[DShield] SPF is fundamentally flawed

Brian Dessent brian at dessent.net
Tue Feb 17 20:08:57 GMT 2004


Erik van Straten wrote:

> (3) The only thing SPF verifies is the *domain* part of the Return-Path:
> the user/account name is completely ignored, and can still be spoofed.
> 
> This means that, even with SPF enabled, spam and viruses can still be
> sent as follows:
> ---------------------------------------------------------------
> Return-Path: <AnyThingWillDo at aol.com>

Why do you say that?  Unless the spammer is injecting the mail from a
machine in AOL's datacenter, then your system will look up the TXT
record for aol.com in the above scenario and see that this machine is
not allowed to send for AOL and deny with a 5xx.

Now, the spammer could pick a domain that -doesn't- publish SPF records
for the envelope-from, and the mail would get through, yes.  And I admit
that I also have lots of issues with SPF, among which is this very fact
that for it to be widely effective it needs to be widely deployed.  But
you aren't helping your case against it by picking such a flawed
example.

Brian




More information about the list mailing list