[ale] Gmail accepts spam when you use email forwarding

Jim Popovitch jimpop at gmail.com
Tue Dec 15 12:11:49 EST 2009


DKIM is just as much of a problem. Google/Yahoo/Hotmail can only
trust the header lines that they themselves inject. A spammer can set
any header line and DKIM sign the email and send it from a host with
proper SPF; it happens all the time (look no further than free credit
report spam).

-Jim P.

On 2009-12-15, Brandon Checketts <brandon at brandonchecketts.com> wrote:
> This is a weakness of SPF, and why Google, Yahoo, and others are
> championing DKIM.
>
> Also, remember that attempts at sender validation (i.e., SPF and DKIM)
> don't indicate whether a message is spam or not (spammers can use them
> too).  It just makes it possible to build a reputation based on the
> sender address.
>
> Thanks,
> Brandon Checketts
>
>
>
> Jim Popovitch wrote:
>> From Google's perspective, Line 08 could always be spoofed so Google
>> only relies on what Google knows to be true.
>>
>> -Jim P.
>>
>> On 2009-12-15, Richard Bronosky <Richard at bronosky.com> wrote:
>>> Let me know if Google is in the wrong, or I am crazy.
>>> What I have is a postfix server on slicehost that I use solely for the
>>> purpose of setting up @bronosky.com email forwarders for members of my
>>> family, and as an outgoing mail server (which I have Gmail using!).
>>> Most of us are using Gmail now, but some of the stragglers are still
>>> on Hotmail or Yahoo!. For the past week, 15 times a day, I have been
>>> receiving and reporting as spam the same message (nearly) with very
>>> similar headers.
>>>
>>> line01: Delivered-To: richardbronosky at gmail.com
>>> line02: Received: by 10.220.108.106 with SMTP id e42cs49574vcp; Tue,
>>> 15 Dec 2009 00:24:04 -0800 (PST)
>>> line03: Received: by 10.216.90.196 with SMTP id
>>> e46mr2408469wef.194.1260865444149; Tue, 15 Dec 2009 00:24:04 -0800
>>> (PST)
>>> line04: Return-Path: <nmike at bronosky.com>
>>> line05: Received: from slice1.bronosky.com (slice1.bronosky.com
>>> [174.143.204.116]) by mx.google.com with ESMTP id
>>> t12si19704611gvd.5.2009.12.15.00.24.02; Tue, 15 Dec 2009 00:24:03
>>> -0800 (PST)
>>> line06: Received-SPF: pass (google.com: best guess record for domain
>>> of nmike at bronosky.com designates 174.143.204.116 as permitted sender)
>>> client-ip=174.143.204.116;
>>> line07: Authentication-Results: mx.google.com; spf=pass (google.com:
>>> best guess record for domain of nmike at bronosky.com designates
>>> 174.143.204.116 as permitted sender) smtp.mail=nmike at bronosky.com
>>> line08: Received: from alixpartners.com (unknown [116.68.243.172]) by
>>> slice1.bronosky.com (Postfix) with SMTP id 6D0A017643 for
>>> <deadmail at bronosky.com>; Tue, 15 Dec 2009 08:26:44 +0000 (UTC)
>>> line09: From: VIAGRA ® Reseller <deadmail at bronosky.com>
>>> line10: To: deadmail at bronosky.com
>>> line11: Subject: Deal of the Day: Save 76%
>>> line12: MIME-Version: 1.0
>>> line13: Content-Type: text/html; charset="ISO-8859-1"
>>> line14: Content-Transfer-Encoding: 7bit
>>> line15: Message-Id: <20091215082645.6D0A017643 at slice1.bronosky.com>
>>> line16: Date: Tue, 15 Dec 2009 08:26:44 +0000 (UTC)
>>>
>>> The parts that really suck are line06 and line07. All mail for
>>> @bronosky.com is going to come to Google forwarded from
>>> slice1.bronosky.com because that's the way it is. Where I believe
>>> Google is goofing up is that they are SPF checking the IP from line05
>>> instead of the IP from line08. So, the trick to spamming any Gmail
>>> user who forwards from another domain is to set the From: header to
>>> an address @ that domain. Seems like a huge fail to me.
>>>
>>> Please opine.
>>>
>>> --
>>> .!# RichardBronosky #!.
>>>
>>> _______________________________________________
>>> Ale mailing list
>>> Ale at ale.org
>>> http://mail.ale.org/mailman/listinfo/ale
>>> See JOBS, ANNOUNCE and SCHOOLS lists at
>>> http://mail.ale.org/mailman/listinfo
>>>
>>
>
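
The split the thread turns on can be read out of the quoted headers mechanically: SPF is checked against the host that connected to the receiving MX (the forwarder on line05), while line08 is only what the forwarder reported about its own client. This is an added example, not part of the original posts; `analyze`, its `trusted_mx` parameter and the trimmed sample are assumptions made here.

```python
import re
from email import message_from_string

# Constructed sample: headers quoted in the thread, trimmed to the relevant
# fields, with the archive's " at " obfuscation restored to "@".
SAMPLE = """\
Received: by 10.220.108.106 with SMTP id e42cs49574vcp; Tue, 15 Dec 2009 00:24:04 -0800 (PST)
Received: from slice1.bronosky.com (slice1.bronosky.com [174.143.204.116])
 by mx.google.com with ESMTP id t12si19704611gvd.5.2009.12.15.00.24.02;
 Tue, 15 Dec 2009 00:24:03 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of
 nmike@bronosky.com designates 174.143.204.116 as permitted sender)
 client-ip=174.143.204.116;
Received: from alixpartners.com (unknown [116.68.243.172])
 by slice1.bronosky.com (Postfix) with SMTP id 6D0A017643
 for <deadmail@bronosky.com>; Tue, 15 Dec 2009 08:26:44 +0000 (UTC)

"""

# "from HELO (rdns [ip]) by HOST": a hop that records the connecting client.
HOP = re.compile(r"from\s+(\S+)\s+\((?:\S+\s+)?\[([0-9a-fA-F.:]+)\]\)\s+by\s+(\S+)")

def analyze(raw, trusted_mx):
    """Split the Received chain at the receiver's own MX (hypothetical helper)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append({"helo": m.group(1), "ip": m.group(2), "by": m.group(3)})
    # Headers are prepended, so the first hop stamped by our MX is the one the
    # receiver wrote itself; everything below it is upstream's claim.
    idx = next((i for i, h in enumerate(hops) if h["by"] == trusted_mx), None)
    if idx is None:
        raise ValueError("no Received header stamped by the trusted MX")
    spf = " ".join((msg.get("Received-SPF") or "").split())
    m = re.search(r"client-ip=([0-9a-fA-F.:]+)", spf)
    spf_ip = m.group(1) if m else None
    upstream = [h["ip"] for h in hops[idx + 1:]]
    return {
        "spf_result": spf.split(" ", 1)[0] if spf else None,
        "spf_checked_ip": spf_ip,
        "boundary_ip": hops[idx]["ip"],
        "unverified_upstream_ips": upstream,
        # A pass on the boundary IP with hops behind it vouches for the forwarder only.
        "pass_reflects_forwarder": bool(upstream) and spf.startswith("pass")
                                   and spf_ip == hops[idx]["ip"],
    }
```

On the sample, `analyze(SAMPLE, "mx.google.com")` reports the SPF pass against 174.143.204.116 and lists 116.68.243.172 as an upstream address the receiver cannot verify.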


