[RFCI-Discuss] Yahoo break RFC

[Frank Ellermann]

Jeff Pang wrote:

> Arcor.de 's SPF was set to "~all", and yahoo MTA set "mail from:"
> address with the account of arcor's when in smtp talking session
> to other MTAs, so other MTAs which do the filters based on SPF
> will reject this message.

The tilde in ~all means SOFTFAIL, it's for testing.  Some receivers
might treat it like FAIL, others like NEUTRAL.  The specification
in RFC 4408 proposes a "temporary reject" (4xx) in the style of
grey listing.  

SOFTFAIL is rather dangerous from a sender's POV, unlike a clean 
"reject" it could "eat" mail by dumping them in a "spam" folder 
where the receiver never checks what went wrong.  E.g. it could
be a problem on the side of the receiver checking SPF not at the 
"border", but too late.

Your real issue is "does Yahoo break an RFC ?"  They don't break
RFC 2821 or its predecessors, it's not strictly forbidden to use
a bogus envelope sender address.  Unfortunately, some years ago
the spammers started to abuse this SMTP design flaw.

SPF only offers to fix this flaw for those who want it with FAIL
policies (sender) and rejecting FAIL (receiver).  Arcor and Gmail
aren't forced to do this, and Yahoo is anyway a hopeless case.

BTW, some months ago my Google account had no Gmail address, and
for some feature Google had to send mail on behalf of my account
to a GMX.net mailbox rejecting SPF FAIL.

Google forged mail from my FAIL protected ???@xyzzy.claranet.de
address associated with this account to GMX, GMX rejected it,
and Google sent the bounce to xyzzy.claranet.de.  After that 
adventure I signed up for a Gmail account, "hostile to privacy"
or not, at least it works for me.

 Frank