Comments on: MAIL FROM vs From vs Sender – exploiting SPF http://www.eisbox.net/2009/07/23/2395-mail-from-vs-from-vs-sender-exploiting-spf/ ... projects, thoughts, etc. Mon, 06 Sep 2010 06:08:50 +0000 hourly 1 http://wordpress.org/?v=3.0 By: Genevive Schnebly http://www.eisbox.net/2009/07/23/2395-mail-from-vs-from-vs-sender-exploiting-spf/comment-page-1/#comment-14593 Genevive Schnebly Sat, 22 May 2010 09:31:58 +0000 http://www.eisbox.net/?p=2395#comment-14593 Hi! Your blog is great and is a good read! Hi! Your blog is great and is a good read!

]]> By: Mathew Eis http://www.eisbox.net/2009/07/23/2395-mail-from-vs-from-vs-sender-exploiting-spf/comment-page-1/#comment-14095 Mathew Eis Sat, 12 Sep 2009 21:46:11 +0000 http://www.eisbox.net/?p=2395#comment-14095 Hi Eric, Thanks for the note. It did bring up some good points. In the context of my filtering solution, note that I discard messages only from the business domain where the MAIL FROM and From: header don't match. As the sysadmin for the company, I can vouch for the fact that they use only the internal e-mail system. I can't guarantee what other companies are doing, so messages from all other domains are filtered according to standard RFC4408. So, in your case, your message would get through just fine, unless you were sending mail To: ourcompany.com using a From: ourcompany.com, which simply should not be taking place. I think the first question that comes to mind is *why* you would need to send an e-mail on behalf of another user on another domain? If you consider that the administrator of a domain has put strict SPF records on a domain, then chances are good that implies that they don't want servers sending e-mail for their domain other than the ones they have allowed in the SPF records. Using your example, I don't understand why website.com can't simply send out an e-mail with something like the following: From: "Website on behalf of John Doe" Reply-To: john_doe@company.com The above example is perfectly conforming to RFC822, breaks no rules, and makes no presumptions to be someone it's not. If, for some reason, the business purposes of John Doe absolutely required that he send e-mail via website.com as john_doe@company.com, then it should be a trivial matter for John Doe to get his systems administrator to add company.com's mail relays his spf records. I'd love to continue this discussion if the above doesn't help. Just let me know. Sincerely, -Mathew Eis Hi Eric,

Thanks for the note. It did bring up some good points.

In the context of my filtering solution, note that I discard messages
only from the business domain where the MAIL FROM and From: header
don’t match. As the sysadmin for the company, I can vouch for the
fact that they use only the internal e-mail system. I can’t guarantee
what other companies are doing, so messages from all other domains are
filtered according to standard RFC4408. So, in your case, your message
would get through just fine, unless you were sending mail To:
ourcompany.com using a From: ourcompany.com, which simply should not
be taking place.

I think the first question that comes to mind is *why* you would need
to send an e-mail on behalf of another user on another domain? If you
consider that the administrator of a domain has put strict SPF records
on a domain, then chances are good that implies that they don’t want
servers sending e-mail for their domain other than the ones they have
allowed in the SPF records.

Using your example, I don’t understand why website.com can’t simply
send out an e-mail with something like the following:
From: “Website on behalf of John Doe”
Reply-To: john_doe@company.com

The above example is perfectly conforming to RFC822, breaks no rules,
and makes no presumptions to be someone it’s not.

If, for some reason, the business purposes of John Doe absolutely
required that he send e-mail via website.com as john_doe@company.com,
then it should be a trivial matter for John Doe to get his systems
administrator to add company.com’s mail relays his spf records.

I’d love to continue this discussion if the above doesn’t help. Just
let me know.

Sincerely,

-Mathew Eis

]]> By: Eric http://www.eisbox.net/2009/07/23/2395-mail-from-vs-from-vs-sender-exploiting-spf/comment-page-1/#comment-13793 Eric Thu, 06 Aug 2009 19:20:21 +0000 http://www.eisbox.net/?p=2395#comment-13793 You have raised a very interesting point, and something I would love to discuss further with you. I am having exactly this problem to figure out how to legitimately send emails from a webserver on behalf of someone else. Given someone who has put in restrictions such as you have, I can't see any valid way. For example, I have a website www.website.com that will send an email to an individual on your behalf (your_behalf@email.com) when you click on a particular button. So if I simply put the From: as your_behalf@email.com and specify the sender as being webemail@website.com, by default the mail server will use the From: as the envelope address (MAIL FROM). This obviously will fail on SPF check as an SPF record for email.com will show that they are not permitted from website.com mailserver. So the next bet would be to modify the envelope address to be from webemail@website.com. So now we're at the stage where you have the following that should pass SPF: MAIL FROM: webemail@website.com From: your_behalf@email.com Sender: webemail@website.com However, based on your additional filtering, this type of email would be rejected. Any ideas, thoughts, and/or suggestions how to accomplish this "legally"? If you want, you can email me directly as well. Thanks, Eric You have raised a very interesting point, and something I would love to discuss further with you. I am having exactly this problem to figure out how to legitimately send emails from a webserver on behalf of someone else. Given someone who has put in restrictions such as you have, I can’t see any valid way.

For example, I have a website http://www.website.com that will send an email to an individual on your behalf (your_behalf@email.com) when you click on a particular button.

So if I simply put the From: as your_behalf@email.com and specify the sender as being webemail@website.com, by default the mail server will use the From: as the envelope address (MAIL FROM). This obviously will fail on SPF check as an SPF record for email.com will show that they are not permitted from website.com mailserver. So the next bet would be to modify the envelope address to be from webemail@website.com.

So now we’re at the stage where you have the following that should pass SPF:
MAIL FROM: webemail@website.com
From: your_behalf@email.com
Sender: webemail@website.com

However, based on your additional filtering, this type of email would be rejected.

Any ideas, thoughts, and/or suggestions how to accomplish this “legally”?

If you want, you can email me directly as well.

Thanks,

Eric

]]>