On Sat, 2004-01-24 at 23:35, James Spooner wrote:
It occurs to me that SPF could/may fail open, that is, if the domain does not have an authoritive SPF list, then the mail is accepted.
Yep, and that's what I would expect. Otherwise you couldn't implement SPF incrementally.
If however, it does, then it may choose to use SMTP after POP to let arbiturary IP's forward mail through it's legitment servers. Also rememeber that most of the 'big' email providers are web based, which means that this should work well for a good deal of forged addresses. ahh, but I believe that the 'big' spammers don't use http as an interface for a spam run.
Regards
James
---
Paradise:
Trying 203.96.152.32... Connected to smtp.paradise.net.nz. Escape character is '^]'. 220 smtp-1.paradise.net.nz ESMTP Postfix MAIL From: foo(a)bar.com 250 Ok RCPT To: jbs3(a)cs.waikato.ac.nz 250 Ok DATA 354 End data with <CR><LF>.<CR><LF> . 250 Ok: queued as DFF248281B
Xtra:
Trying 203.96.92.131... Connected to smtp.xtra.co.nz. Escape character is '^]'. 220 mta2-rme.xtra.co.nz ESMTP server ready Sat, 24 Jan 2004 23:27:57 +1300 MAIL From: foo(a)bar.com 250 Sender
Ok RCPT TO: jbs3(a)cs.waikato.ac.nz 250 Recipient Ok data 354 Ok Send data ending with <CRLF>.<CRLF> . 250 Message received: 20040124102820.NHJT20103.mta2-rme.xtra.co.nz@[<snip>]