Date: Tue, 23 Jul 2013 09:12:47 -0600
From: Michael Torrie
To: python
Subject: [OT] SPF - was Re: Simple Python script as SMTP server for outgoing e-mails?
References: <368qu85msgfhuk2j2s13qj0bqn4rkcint9@4ax.com> <51ED3CEB.1070706@gmail.com>
Newsgroups: comp.lang.python

On 07/23/2013 03:30 AM, Chris Angelico wrote:
> On Tue, Jul 23, 2013 at 7:19 PM, Chris Angelico wrote:
>> Ah, there's a solution to this one. You simply use your own
>> envelope-from address; SPF shouldn't be being checked for the From:
>> header.
>
> There's an example, by the way, of this exact technique right here -
> python-list@python.org sends mail to me with an envelope-from of
> "python-list-bounces+rosuav=gmail.com@python.org" - which passes SPF,
> since python.org has a TXT record designating the sending IP as one of
> theirs. It doesn't matter that invalid.invalid (your supposed domain)
> doesn't have an SPF record, nor would it be a problem if it had one
> that said "v=spf1 -all", because that domain wasn't checked. Mailing
> lists are doing the same sort of forwarding that you're doing.

This is good and all, and I think I will modify my local postfix mail
server I use for personal stuff, just for correctness' sake.
I hadn't spent much time studying SPF in depth before, but after reading
your comments (which were insightful) I'm now more convinced that SPF is
worthless than ever, at least as a spam prevention mechanism. Spammers
can use throwaway domains that publish very non-strict SPF records, and
spam to their hearts' content with random forged from addresses and SPF
checks pass. The only way around that is to enforce SPF on the From:
header in the e-mail itself, which we all agree is broken.

I've been reading this:

http://www.openspf.org/FAQ/SPF_is_not_about_spam

Not very encouraging. When the other expensive options for going after
spammers who have valid SPF records, they propose domain blacklists as a
solution.
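
The behaviour discussed in this message, as an added example that is not part of the original post: a receiver-side evaluation of a minimal SPF subset (only `ip4`, `ip6` and `all`) on the envelope-from domain, next to the same evaluation on the From: header domain. The TXT records, `strict.example`, `throwaway.example` and all IP addresses are constructed for illustration; python.org's real record is not reproduced.

```python
import ipaddress
from email.utils import parseaddr

# Constructed TXT records standing in for DNS lookups (assumed, not real policies).
TXT = {
    "python.org": "v=spf1 ip4:192.0.2.0/24 -all",
    "strict.example": "v=spf1 -all",
    "throwaway.example": "v=spf1 +all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(domain, client_ip):
    """Evaluate a minimal SPF subset (ip4, ip6, all) for one domain."""
    terms = TXT.get(domain.lower(), "").split()
    if not terms or terms[0] != "v=spf1":
        return "none"  # no SPF record published for this domain
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched


def domain_of(address):
    """Domain part of an address, with or without a display name."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def evaluate(mail_from, header_from, client_ip):
    """SPF on the envelope-from (what is checked) beside SPF on From: (what is not)."""
    return {
        "envelope": spf_result(domain_of(mail_from), client_ip),
        "header_from": spf_result(domain_of(header_from), client_ip),
    }


# Constructed deliveries: (envelope-from, From: header, connecting IP).
LIST_MAIL = ("python-list-bounces+rosuav=gmail.com@python.org",
             "Poster <poster@invalid.invalid>", "192.0.2.10")
LIST_MAIL_STRICT = (LIST_MAIL[0], "Poster <poster@strict.example>", "192.0.2.10")
THROWAWAY = ("bulk@throwaway.example", "Someone <someone@python.org>", "203.0.113.5")

if __name__ == "__main__":
    for name in ("LIST_MAIL", "LIST_MAIL_STRICT", "THROWAWAY"):
        print(name, evaluate(*globals()[name]))
```

The list deliveries pass on the envelope domain whatever the From: domain publishes, and the throwaway-domain delivery passes as well. Evaluating the From: domain instead would reject the forged message and the legitimate list mail from `strict.example` alike.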