Friday, 11 February 2005

Bitten by SPF

Categories: , , .

Oh dear. The Law of Unintended Consequences is hard at work again...

When people post blog comments here, they also get emailed to the author of the original blog post. The email has the commenter's address as the sender, even though it was actually sent by the blog software. This causes a problem if the author's email is filtered using SPF!

To recap SPF: it allows a domain owner to say who can send on behalf of the domain. The domain owner publishes a list of IP addresses or address ranges in the DNS. A receiving email server can compare the sending IP address against the SPF list for the sending domain. It's a way of spotting sender forgeries, which are hallmarks of spam and phishing.

So what went wrong in this case? Naturally, the blog server doesn't appear on the SPF list for the domain where the comment author lives. In other words, the blog software isn't permitted to send on behalf of the comment author's domain, so it looks to an SPF filter that the message is forged.

In a sense, it is forged, I suppose. But this sort of "legitimate forgery" is commonplace in applications. The ease of doing this with SMTP is one of the key reasons why spam is such a problem.

Applications now need to be much more cautious about doing this sort of stuff. Meng has an illustration, calling this sort of thing "ugly." What was acceptable a year or two ago just isn't any more. Really. Get over it.

1 comment:

Glenn Reid said...

The right way to handle this, I think, is to have another email header field defined, something like "On-Behalf-Of: Glenn Reid" that would get displayed instead of, or in addition to, the "From:" field. Then blog servers and others could put their own real return address in From: and put On-Behalf-Of: to show the person on whose behalf the email is being sent.

Now to modify all those email servers and clients out there to make this trivial change... :)

Post a comment