Re: [OT] SPF - was Re: Simple Python script as SMTP server for outgoing e-mails?

References (11 earlier) <mailman.4980.1374502532.3114.python-list@python.org> <XnsA2065B2C39831duncanbooth@127.0.0.1> <CAPTjJmqAs-eTt71yzu7rBhv=T818wkTj_ZbbX4=zxzztK01zvw@mail.gmail.com> <CAPTjJmoj6a_5fkB5_U520TTNhZZ+xepgxPPrASO=8zOGg5UJYg@mail.gmail.com> <51EE9D6F.80403@gmail.com>
Date 2013-07-24 07:47 +1000
Subject Re: [OT] SPF - was Re: Simple Python script as SMTP server for outgoing e-mails?
From Chris Angelico <rosuav@gmail.com>
Newsgroups comp.lang.python
Message-ID <mailman.5014.1374616051.3114.python-list@python.org>


On Wed, Jul 24, 2013 at 1:12 AM, Michael Torrie <torriem@gmail.com> wrote:
> On 07/23/2013 03:30 AM, Chris Angelico wrote:
>> On Tue, Jul 23, 2013 at 7:19 PM, Chris Angelico <rosuav@gmail.com> wrote:
>>> Ah, there's a solution to this one. You simply use your own
>>> envelope-from address; SPF shouldn't be being checked for the From:
>>> header.
>>
>> There's an example, by the way, of this exact technique right here -
>> python-list@python.org sends mail to me with an envelope-from of
>> "python-list-bounces+rosuav=gmail.com@python.org" - which passes SPF,
>> since python.org has a TXT record designating the sending IP as one of
>> theirs. It doesn't matter that invalid.invalid (your supposed domain)
>> doesn't have an SPF record, nor would it be a problem if it had one
>> that said "v=spf1 -all", because that domain wasn't checked. Mailing
>> lists are doing the same sort of forwarding that you're doing.
>
> This is good and all, and I think I will modify my local postfix mail
> server I use for personal stuff, just for correctness' sake.

Correctness is a worthwhile reason to do something :)

> I hadn't spent much time studying SPF in depth before, but after reading
> your comments (which were insightful) I'm now more convinced that SPF is
> worthless than ever, at least as a spam prevention mechanism.  Spammers
> can use throwaway domains that publish very non-strict SPF records, and
> spam to their hearts' content with random forged from addresses and SPF
> checks pass.  The only way around that is to enforce SPF on the From:
> header in the e-mail itself, which we all agree is broken.  I've been
> reading this:
>
> http://www.openspf.org/FAQ/SPF_is_not_about_spam

There are several things that SPF achieves, but mainly it's a measure
of trust. If you receive email from a domain I run, and the SPF record
permits the IP that sent it to you, you can have a high degree of
confidence that it really is from that domain. Suppose, for instance,
that (pick a bank, any bank) has a strict SPF record. Someone tries to
send a phishing email purporting to be from that bank. They then have
to use a different envelope-from address, which instantly marks the
mail as suspicious to anyone who's checking. But more likely, what
they'll do is simply ignore SPF and send it anyway. That means that
any MTA that checks SPF records is immediately freed of all that bad
mail - which is more than just spam, it's a major vulnerability
(thinking here of corporate networks where all the company's mail goes
through a central server, and then a whole lot of non-technical people
read it). In the same way that banks assure us that they will *never*
ask for your password, they could also assure us that they will
*never* send account information from any other domain.

Spammers look for the easy pickings. If your X million addresses
become (X-1),999,900 because a few servers are rejecting their mail,
what do they care? But those hundred people now haven't seen that
spam. Sure, spammers can easily get around SPF checks... but that
won't get all that likely until the bulk of MTAs start checking. For
now, we can take all the benefit. Later on, the world can look to
other solutions.

ChrisA
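
The envelope-from check discussed in this message, as an added example that is not part of the original post: a receiver-side SPF evaluation showing that only the MAIL FROM domain is consulted, so a list post passes even when the author's From: domain publishes "v=spf1 -all". The `lists.example.org` and `bank.example` records, the IP addresses and the sample message are constructed, and only the `ip4`, `ip6` and `all` mechanisms are handled.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed TXT records standing in for DNS lookups (documentation-range IPs).
TXT = {
    "lists.example.org": "v=spf1 ip4:192.0.2.0/24 -all",
    "bank.example": "v=spf1 ip4:198.51.100.7 -all",
    "invalid.invalid": "v=spf1 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(client_ip, mail_from):
    """SPF result for the SMTP envelope sender (MAIL FROM), never the From: header.
    Handles only the ip4, ip6 and all mechanisms."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = TXT.get(domain, "")
    if record.split()[:1] != ["v=spf1"]:
        return "none"                      # no SPF policy published
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier, mech = ("+", term) if term[0] not in QUALIFIERS else (term[0], term[1:])
        name, _, arg = mech.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            raise ValueError("mechanism not handled in this example: " + name)
        if ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"                       # record had no matching term

def evaluate(client_ip, mail_from, raw_message):
    """Return (SPF result, From: header domain) as a receiving MTA would see them."""
    header_addr = parseaddr(message_from_string(raw_message)["From"])[1]
    return spf_check(client_ip, mail_from), header_addr.rsplit("@", 1)[-1].lower()

# Constructed list post: author's From: domain publishes "-all", list rewrites the envelope.
LIST_POST = "From: Poster <poster@invalid.invalid>\nSubject: hello\n\nbody\n"

if __name__ == "__main__":
    # List server sends from its own range with its own bounce address: pass.
    print(evaluate("192.0.2.25", "list-bounces+rosuav=gmail.com@lists.example.org", LIST_POST))
    # Same message with the author's domain as envelope sender would fail.
    print(evaluate("192.0.2.25", "poster@invalid.invalid", LIST_POST))
    # Mail claiming the bank's envelope domain from an unlisted IP: fail.
    print(spf_check("203.0.113.9", "alerts@bank.example"))
```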
