Sorry to butt in on this one...Yes, SPF would fail on other systems as well in that situation.

If the client connects directly to AOL, SPF would fail. But if it is sent through the mailserver, it should not fail.


As far as I can tell, SPF-PASS is not useful because there is nothing stopping a spammer that owns a server to set SPF up for it.

True -- but that makes it easier to detect the spammers. Once they have a domain to use, it can be blocked. People will likely start RHSBLs listing domains that have sent out spam that appear to be owned by spammers.


Setting up SPF for your domain is also IMO a bad idea unless you can guarantee that all of your users will only come from certain IP's when they send E-mail. For instance, although I prefer to be the outgoing SMTP server for my clients, some of them are either blocked by their ISP from sending E-mail through my server (port 25 blocking), or they just simply chose to set up their computers to use their ISP's mail server instead of our own. Therefore, I don't have a single client that I can guarantee that they will be coming from a particular range of IP's.

In this case, what you should do is use "v=spf1 mx ?all". That says "If the E-mail is coming from an IP in our MX record, we authorize it. If it is coming from any other IP, we can't say whether or not it is legitimate -- treat it the same as if we have no SPF record."


If you don't know all the IPs that users may send mail from, using "-all" at the end ("anyone not listed in the SPF record is not authorized to send mail from this domain") is bad. But using "?all" at the end lets users who do send mail through your mailserver pass SPF, whereas nobody else will fail. Yes, it provides less protection from joe jobs (spammers using your domain may or may not get their mail through, since SPF won't prevent them), but it also allows your other users to get their mail through.

You can set up SPF for your domain that states that the domain can be used from any IP, however I don't see any value in stating that something can come from anywhere when that in effect is the status quo.

Using "+all" is definitely bad (you're giving spammers permission to send mail from your domain). But "?all" is fine.


Practically speaking, it's the openness of E-mail and the fact that it was never designed or implemented to prevent spoofing that is the cause of this problem, and the best way to get at the issue might be to simply re-write SMTP to allow for authentication of non-local E-mail.

I believe that would be the best answer. Unfortunately, that is a huge undertaking -- the amount of time it would take to get a good group of people to write it and agree to it, plus the time it would take to implement (all mail clients would need to be re-written), would make it very time consuming.


-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
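The thread above turns on how the trailing "all" qualifier changes the SPF result for a sender that is not one of the domain's listed hosts. The following is an added example, not code from the thread or from Declude: a deliberately small SPF evaluator that handles only the mechanisms the thread mentions (mx, a, ip4/ip6, all) with the four qualifiers, so that "v=spf1 mx ?all", "mx -all", "mx ~all" and "+all" can be compared side by side. The zone data (example.com, mail.example.com, the 192.0.2.x and 203.0.113.x addresses) is a constructed stand-in for DNS so the code runs offline; real SPF evaluation also needs include, redirect, macros and the DNS lookup limit, none of which are modelled here.

```python
import ipaddress

# Constructed stand-in for DNS (hypothetical example.com zone, not real records).
FAKE_DNS = {
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["192.0.2.25"],  # the domain's outgoing/MX host
    ("example.com", "A"): ["192.0.2.80"],       # the domain's web/A host
}

# SPF qualifier prefixes and the result each one produces when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Resolve a name against the constructed zone; empty list means NXDOMAIN/no data."""
    return FAKE_DNS.get((name.lower(), rtype), [])


def mechanism_matches(mech, sender_ip, domain):
    """Return True if the connecting IP matches one SPF mechanism."""
    ip = ipaddress.ip_address(sender_ip)
    mech = mech.lower()
    if mech == "all":
        return True
    if mech.startswith(("ip4:", "ip6:")):
        # 'in' is False across address families, so an IPv6 sender never matches ip4:
        return ip in ipaddress.ip_network(mech[4:], strict=False)
    if mech == "a" or mech.startswith("a:"):
        target = domain if mech == "a" else mech[2:]
        return str(ip) in lookup(target, "A")
    if mech == "mx" or mech.startswith("mx:"):
        target = domain if mech == "mx" else mech[3:]
        # mx matches if the sender IP is an address of any MX host of the target.
        return any(str(ip) in lookup(host, "A") for host in lookup(target, "MX"))
    raise ValueError(f"unsupported mechanism in this example: {mech}")


def check_spf(record, sender_ip, domain="example.com"):
    """Evaluate a TXT/SPF record left to right; first matching mechanism decides."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no usable SPF record for the domain
    for term in terms[1:]:
        qualifier, mech = "+", term  # an unqualified mechanism means '+'
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        if mechanism_matches(mech, sender_ip, domain):
            return QUALIFIERS[qualifier]
    return "neutral"  # RFC 7208: no mechanism matched, same as '?all'


if __name__ == "__main__":
    mx_host, roaming_user = "192.0.2.25", "203.0.113.7"
    for rec in ("v=spf1 mx ?all", "v=spf1 mx ~all", "v=spf1 mx -all", "v=spf1 +all"):
        print(f"{rec:18} via MX -> {check_spf(rec, mx_host):8} "
              f"via ISP relay -> {check_spf(rec, roaming_user)}")
```

The "via ISP relay" column is the case the thread worries about: a legitimate user sending from their ISP's mail server (203.0.113.7 here) gets "neutral" under "?all", "softfail" under "~all" and "fail" under "-all", while "+all" returns "pass" for that user and for any spammer alike. Note that a record that omits "all" entirely also ends in "neutral", which is why "mx" alone and "mx ?all" behave the same for unknown senders.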
