On March 12, 2024 11:42:11 PM UTC, John Levine <jo...@taugh.com> wrote:
>It appears that Scott Kitterman <skl...@kitterman.com> said:
>>Or, as RFC 4408 and RFC 7208 warn against, ESPs don't allow customers to send
>>mail for anything other than their own domains. ESP customers, don't use
>>ESPs that do this.
>
>It's not just ESPs. There's a widely reported bug that lets anyone
>whose mail is hosted at Microsoft send SPF-compliant mail pretending
>to be any other MS customer.
>
>The BreakSPF paper describes a bunch of other ways to send mail
>through various clouds such as pointing a web proxy at someone's port
>25 and sending SMTP commands inside HTTP, which works a lot more often
>than you might imagine.
>
And yet people seem surprised that there's no security when the basics of such
things are ignored. These are not protocol problems.
Scott K
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
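The "SMTP commands inside HTTP" trick John Levine mentions works because an SMTP server typically answers every line it does not understand with a 500 reply and keeps the session open, so the HTTP request line and headers that a forward proxy writes to port 25 are just noise ahead of the real commands. The simulation below is an added example by the editor, not code from the thread or from the BreakSPF paper: `simulate_smtp` is a toy SMTP command parser, `http_relay_lines` is a simplified model of what a proxy would write to the target, and the `max_errors` knob is a hypothetical hardening setting (close the session after a few unrecognized commands) used to show why the proxied variant fails while a normal client is unaffected.

```python
"""Constructed demo: proxied-HTTP SMTP injection against a lenient vs. a
hardened toy SMTP server.  Not the BreakSPF paper's code; everything here
(hosts, addresses, the max_errors knob) is an assumption for illustration."""
from dataclasses import dataclass, field


@dataclass
class Outcome:
    replies: list = field(default_factory=list)      # server reply lines, in order
    delivered: list = field(default_factory=list)    # (mail_from, rcpts, body) tuples
    closed_early: bool = False                       # server dropped the session


def simulate_smtp(lines, max_errors=None):
    """Feed client lines to a minimal SMTP state machine and return the Outcome.

    max_errors (hypothetical hardening): drop the session after this many
    unrecognized commands.  None reproduces the lenient behaviour that makes
    HTTP-wrapped SMTP work: every junk line gets a 500 and the session lives on.
    """
    out = Outcome()
    mail_from, rcpts, body, in_data, errors = None, [], [], False, 0
    for line in lines:
        if in_data:                         # inside DATA: collect until lone "."
            if line == ".":
                out.delivered.append((mail_from, list(rcpts), "\n".join(body)))
                out.replies.append("250 OK: queued")
                in_data, mail_from, rcpts, body = False, None, [], []
            else:
                body.append(line)
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            out.replies.append("250 mx.example.test")
        elif verb == "MAIL" and arg.upper().startswith("FROM:"):
            mail_from = arg[5:].strip("<> ")
            out.replies.append("250 OK")
        elif verb == "RCPT" and arg.upper().startswith("TO:") and mail_from is not None:
            rcpts.append(arg[3:].strip("<> "))
            out.replies.append("250 OK")
        elif verb == "DATA" and rcpts:
            in_data = True
            out.replies.append("354 End data with <CR><LF>.<CR><LF>")
        elif verb == "QUIT":
            out.replies.append("221 Bye")
            break
        else:                               # HTTP request line, headers, blank line, ...
            errors += 1
            out.replies.append("500 Syntax error, command unrecognized")
            if max_errors is not None and errors >= max_errors:
                out.replies.append("421 Too many errors; closing connection")
                out.closed_early = True
                break
    return out


def http_relay_lines(smtp_lines, target_host):
    """Simplified model of what a forward proxy writes to target_host:25 when a
    client POSTs SMTP commands as the request body (constructed, not a capture)."""
    body = "\r\n".join(smtp_lines)
    return ["POST / HTTP/1.1", f"Host: {target_host}",
            f"Content-Length: {len(body)}", ""] + list(smtp_lines)


# Constructed SMTP session: the sender claims a domain that is not the client's.
SMTP_LINES = [
    "EHLO client.attacker.example",
    "MAIL FROM:<billing@victim.example>",
    "RCPT TO:<target@recipient.example>",
    "DATA",
    "From: billing@victim.example",
    "Subject: test",
    "",
    "hello",
    ".",
    "QUIT",
]


def lenient_via_proxy():
    return simulate_smtp(http_relay_lines(SMTP_LINES, "mx.example.test"))


def hardened_via_proxy():
    return simulate_smtp(http_relay_lines(SMTP_LINES, "mx.example.test"), max_errors=3)


def hardened_direct():
    return simulate_smtp(SMTP_LINES, max_errors=3)


if __name__ == "__main__":
    print("lenient, via proxy :", len(lenient_via_proxy().delivered), "message(s) queued")
    print("hardened, via proxy:", len(hardened_via_proxy().delivered), "message(s) queued")
    print("hardened, direct   :", len(hardened_direct().delivered), "message(s) queued")
```

The point the simulation makes is the one Scott Kitterman draws: nothing in SMTP or SPF is broken here. The relay succeeds only because the proxy reaches port 25 from an address the target's SPF policy already trusts and because the server tolerates an unbounded run of garbage commands; tightening either (egress filtering on the proxy, or an error budget as in the hardened run) stops it without affecting a well-behaved client.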