SPF and SRS and friends

One of the really promising new anti-spam technologies which is really starting to gain some ground on the net (lots of people are actually using it now) is SPF. It works by having ISPs create DNS entries which list what servers are allowed to send email using their domain name. Since most spammers forge their headers, this makes it really easy to block spam that claims to be from an ISP that has those entries set up.

One of the minor problems with this is it completely breaks the existing notion of a “mail forwarding mailbox.” A little-known fact is that we don’t have an in-house mail system at the Mozilla Foundation yet for people to pick up email from (there isn’t really a need for one yet). When you see someone with an @mozilla.org email address, that mail is redirected somewhere else (usually to that person’s home ISP or their own server) after it gets to mozilla.org. With traditional mail forwarding, the mozilla.org mail server would take that email with the @mozilla.org recipient on it, and just change the recipient address to the final destination address and send it on its way, without touching the sender address.

Now enter the age of SPF. The person sending this hypothetical email from @somedomain.com is using an ISP that has one of those SPF records set up. One of the ISPs that several Mozilla Foundation employees use just started blocking mail if the SPF records don’t match. They receive the email and it says it’s from @somedomain.com. They look up the SPF record for somedomain.com, and get the list of servers authorized to use that domain. But guess what? It didn’t come from one of those servers, it came from rheet.mozilla.org. Bounce.

They have a solution for that, but the solution is causing yet more trouble for us, and I could use some ideas.
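To make the forwarding failure concrete, here is an added Python example (not code from the original post) that simulates a simplified SPF check against constructed DNS records and then applies SRS-style envelope-sender rewriting at the forwarder, which is the solution the title alludes to. All IP addresses, SPF records, the HMAC secret and the fixed timestamp field are constructed stand-ins, and only the ip4 mechanism and the all default are implemented.

```python
import hashlib
import hmac
import ipaddress

# Constructed stand-in for DNS TXT lookups; these are not the real records for these domains.
SPF_RECORDS = {
    "somedomain.com": "v=spf1 ip4:203.0.113.0/24 -all",  # hypothetical sender ISP
    "mozilla.org": "v=spf1 ip4:198.51.100.25 -all",      # hypothetical forwarder (stands in for rheet)
}
SRS_SECRET = b"constructed-secret-not-for-production"


def check_spf(envelope_sender, connecting_ip):
    """Simplified SPF: the envelope-sender domain's record is checked against the connecting IP."""
    domain = envelope_sender.rsplit("@", 1)[1]
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(connecting_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return "pass"
        if term in ("-all", "~all", "?all"):
            return {"-all": "fail", "~all": "softfail", "?all": "neutral"}[term]
    return "neutral"


def srs_forward(envelope_sender, forwarder_domain, timestamp="TT"):
    """Rewrite the envelope sender so SPF is evaluated against the forwarder's own domain."""
    local, domain = envelope_sender.rsplit("@", 1)
    payload = f"{timestamp}={domain}={local}"
    tag = hmac.new(SRS_SECRET, payload.encode(), hashlib.sha1).hexdigest()[:4].upper()
    return f"SRS0={tag}={payload}@{forwarder_domain}"


def srs_reverse(srs_address):
    """Recover the original sender (for bounces) after verifying the hash the forwarder added."""
    local = srs_address.rsplit("@", 1)[0]
    _, tag, timestamp, domain, orig_local = local.split("=", 4)
    payload = f"{timestamp}={domain}={orig_local}"
    expected = hmac.new(SRS_SECRET, payload.encode(), hashlib.sha1).hexdigest()[:4].upper()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("SRS hash mismatch: not rewritten by this forwarder")
    return f"{orig_local}@{domain}"


def forwarding_scenario():
    sender, sender_ip, forwarder_ip = "alice@somedomain.com", "203.0.113.7", "198.51.100.25"
    direct = check_spf(sender, sender_ip)              # sent from the ISP itself: pass
    forwarded_plain = check_spf(sender, forwarder_ip)  # relayed unchanged by the forwarder: fail
    rewritten = srs_forward(sender, "mozilla.org")
    forwarded_srs = check_spf(rewritten, forwarder_ip)  # checked against mozilla.org's record: pass
    return direct, forwarded_plain, forwarded_srs, srs_reverse(rewritten) == sender
```

The middle result is exactly the bounce described above: the forwarder relays the message with the original @somedomain.com envelope sender, and its IP is not in somedomain.com's list.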