
Jamie Baddeley wrote:
I think you might have it around the wrong way. If you were connecting via xtra, and were trying to use telstraclear's smtp server it would fail using this approach, but if memory serves me correctly you can't do this now anyway (I could be wrong).
See below. Both of the following SMTP servers would allow me to fake an email address because I am in their ADSL pool. If I was connected via Xtra I can use Xtra SMTP server to send from any address, which is fine.

Under SPF, these would have failed because neither xtra nor paradise are listed as valid SPF SMTP servers for bar.com.

It occurs to me that SPF could/may fail open, that is, if the domain does not have an authoritative SPF list, then the mail is accepted. If however, it does, then it may choose to use SMTP after POP to let arbitrary IPs forward mail through its legitimate servers.

Also remember that most of the 'big' email providers are web based, which means that this should work well for a good deal of forged addresses.

Regards
James

---

Paradise:

Trying 203.96.152.32...
Connected to smtp.paradise.net.nz.
Escape character is '^]'.
220 smtp-1.paradise.net.nz ESMTP Postfix
MAIL From: foo(a)bar.com
250 Ok
RCPT To: jbs3(a)cs.waikato.ac.nz
250 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
.
250 Ok: queued as DFF248281B

Xtra:

Trying 203.96.92.131...
Connected to smtp.xtra.co.nz.
Escape character is '^]'.
220 mta2-rme.xtra.co.nz ESMTP server ready Sat, 24 Jan 2004 23:27:57 +1300
MAIL From: foo(a)bar.com
250 Sender <foo(a)bar.com> Ok
RCPT TO: jbs3(a)cs.waikato.ac.nz
250 Recipient <jbs3(a)cs.waikato.ac.nz> Ok
data
354 Ok Send data ending with <CRLF>.<CRLF>
.
250 Message received: 20040124102820.NHJT20103.mta2-rme.xtra.co.nz@[<snip>]
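
As an added example (not part of the original post): a receiver-side evaluation of the SPF ip4 and all mechanisms, run against the two relay addresses from the sessions above, showing both the fail result for a listed domain and the fail-open "none" result for a domain with no record. The bar.com record, the 192.0.2.0/28 range, example.org and the function names are constructed assumptions.

```python
import ipaddress

# Constructed records for illustration; the post does not show bar.com's real policy.
SPF_RECORDS = {"bar.com": "v=spf1 ip4:192.0.2.0/28 -all"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, mail_from, records=SPF_RECORDS):
    """Evaluate the ip4 and all mechanisms of an SPF record for the MAIL FROM domain."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    terms = records.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no policy published, so nothing for the receiver to enforce
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:"):
            net = ipaddress.ip_network(term[4:], strict=False)
            if ip.version == 4 and ip in net:
                return QUALIFIERS[qualifier]
            continue
        # a, mx, include, redirect etc. need DNS lookups and are not covered here
        raise NotImplementedError(f"mechanism not handled here: {term}")
    return "neutral"  # nothing matched and no "all" term


def receiver_action(result):
    """Fail-open receiver: only an explicit SPF fail is rejected."""
    return "reject" if result == "fail" else "accept"


if __name__ == "__main__":
    # Relay addresses from the two sessions in the post, plus constructed cases.
    cases = [
        ("203.96.152.32", "foo@bar.com"),      # via smtp.paradise.net.nz
        ("203.96.92.131", "foo@bar.com"),      # via smtp.xtra.co.nz
        ("192.0.2.5", "foo@bar.com"),          # constructed: a listed server
        ("203.96.152.32", "foo@example.org"),  # constructed: domain with no record
    ]
    for ip, sender in cases:
        result = check_spf(ip, sender)
        print(f"{ip:15} {sender:16} spf={result:8} -> {receiver_action(result)}")
```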