| 1 |
On Mon, 05 Dec 2016 14:50:30 -0500 |
| 2 |
"William L. Thomson Jr." <wlt-ml@××××××.com> wrote: |
| 3 |
|
| 4 |
> New thread, others can filter out. |
| 5 |
> |
| 6 |
> On Monday, December 5, 2016 7:25:52 PM EST Robin H. Johnson wrote: |
| 7 |
> > This is the official infra response re SPF in this case. |
| 8 |
> > |
| 9 |
> > On Mon, Dec 05, 2016 at 12:03:02PM -0500, Michael Orlitzky wrote: |
| 10 |
> > > Something is not "off" with our mail servers, and there is |
| 11 |
> > > currently no way to prevent "From" spoofing without significant |
| 12 |
> > > collateral damage. |
| 13 |
> > |
| 14 |
> > Correct. |
| 15 |
> > |
| 16 |
> > Infra does maintain an SPF page as well. |
| 17 |
> > https://wiki.gentoo.org/wiki/Project:Infrastructure/SPF |
| 18 |
> |
| 19 |
> What does infra use to validate SPF records? |
| 20 |
|
| 21 |
AIUI, they only use it as part of overall light spam filtering on |
| 22 |
incoming mail. the only checks on forwarded mail are spam keywords and |
| 23 |
for subscription. (?) |
| 24 |
|
| 25 |
> Having a SPF record alone is not enough. You need to run some |
| 26 |
> software that checks the emails against SPF records, ones I publish |
| 27 |
> for my domain, ones Gentoo publishes for its domains etc. |
| 28 |
> |
| 29 |
> In my case I use ASSP. Which I have used in front of mailing lists as |
| 30 |
> well. Maybe Gentoo needs to put something into place to check SPF |
| 31 |
> records. |
| 32 |
> |
| 33 |
> Unless Gentoo wants to allow spoofing via email on lists as I did on |
| 34 |
> accident the first time and on purpose the 2nd. Spoofing should not |
| 35 |
> be allowed at all on lists. I should not be able to pose as a Gentoo |
| 36 |
> Developer or another on any Gentoo mailing lists. |
| 37 |
|
| 38 |
SPF does not validate the From header in the first place, it only |
| 39 |
verifies the envelope sender. SPF is irrelevant to the concern of email |
| 40 |
sender spoofing from a user perspective. |
| 41 |
|
| 42 |
> Also why is GPG signing no longer required? |
| 43 |
> |
| 44 |
> That alone can help ensure emails are coming from who they say they |
| 45 |
> are. Not sure how I was able to sign an email with an email not part |
| 46 |
> of my GPG key. Not sure if that is kmail bug or by design. |
| 47 |
|
| 48 |
I am fairly confident that it never was. I am fairly confident that no |
| 49 |
mainstream mailing list software checks GPG signatures. |
Archives