Gentoo Archives: gentoo-project

From: "William L. Thomson Jr." <wlt-ml@××××××.com>
To: gentoo-project@l.g.o
Subject: [gentoo-project] Spoofing on list -> Infra response re SPF
Date: Mon, 05 Dec 2016 19:50:38
Message-Id: assp.0147ee6eae.22452990.G782Qcl5LF@wlt
New thread, others can filter out.

On Monday, December 5, 2016 7:25:52 PM EST Robin H. Johnson wrote:
> This is the official infra response re SPF in this case.
>
> On Mon, Dec 05, 2016 at 12:03:02PM -0500, Michael Orlitzky wrote:
> > Something is not "off" with our mail servers, and there is currently no
> > way to prevent "From" spoofing without significant collateral damage.
>
> Correct.
>
> Infra does maintain an SPF page as well.
> https://wiki.gentoo.org/wiki/Project:Infrastructure/SPF

What does infra use to validate SPF records?

Having an SPF record alone is not enough. You need to run some software that
checks the emails against SPF records, ones I publish for my domain, ones
Gentoo publishes for its domains etc.

In my case I use ASSP. Which I have used in front of mailing lists as well.
Maybe Gentoo needs to put something into place to check SPF records.

Unless Gentoo wants to allow spoofing via email on lists as I did on accident
the first time and on purpose the 2nd. Spoofing should not be allowed at all on
lists. I should not be able to pose as a Gentoo Developer or another on any
Gentoo mailing lists.

Also why is GPG signing no longer required?

That alone can help ensure emails are coming from who they say they are. Not
sure how I was able to sign an email with an email not part of my GPG key. Not
sure if that is a kmail bug or by design.

--
William L. Thomson Jr.

Attachments

File name MIME type
signature.asc application/pgp-signature

Replies