Jamie Baddeley wrote:
I think you might have it around the wrong way. If you were connecting via xtra, and were trying to use telstraclear's smtp server it would fail using this approach, but if memory serves me correctly you can't do this now anyway ( I could be wrong).
See Below..
Both of the following SMTP servers would allow me to fake an email address
because I am in their ADSL pool.
If I was connected via Xtra I can use Xtra SMTP server to send from any
address, which is fine. Under SPF, these would have failed because neither
xtra nor paradise are listed as valid SPF SMTP servers for bar.com.
It occurs to me that SPF could/may fail open, that is, if the domain does
not have an authoritive SPF list, then the mail is accepted. If however, it
does, then it may choose to use SMTP after POP to let arbiturary IP's
forward mail through it's legitment servers. Also rememeber that most of
the 'big' email providers are web based, which means that this should work
well for a good deal of forged addresses.
Regards
James
---
Paradise:
Trying 203.96.152.32...
Connected to smtp.paradise.net.nz.
Escape character is '^]'.
220 smtp-1.paradise.net.nz ESMTP Postfix
MAIL From: foo(a)bar.com
250 Ok
RCPT To: jbs3(a)cs.waikato.ac.nz
250 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
.
250 Ok: queued as DFF248281B
Xtra:
Trying 203.96.92.131...
Connected to smtp.xtra.co.nz.
Escape character is '^]'.
220 mta2-rme.xtra.co.nz ESMTP server ready Sat, 24 Jan 2004 23:27:57 +1300
MAIL From: foo(a)bar.com
250 Sender