Rick Moen <rick@???> wrote:

> Back in the day, I gave out /etc/aliases entries to friends that
> leveraged the 'mafia' theme of my linuxmafia.com domain,

In our case it was simple alias entries ina database queried by Postfix - but same effect and same problem.

> SRS (sender rewriting scheme) was SPF creator Meng Wong's kludge for
> salvaging /etc/alias and ~/.forward (when used cross-domain) from
> unintended collateral SPF damage.

Perhaps I'm missing something, but doesn't SRS provide a gaping wide chasm for spammers to pile through ? It always seemed to me a bit like server C getting a header that's been re-written in scuh a manner by server B that server C is expected to accept it as though server B is pinkie swearing that the forwarded mail is genuine and did come from server A. Or more precisely, server B effectively saying "this message from some other domain, well pretend it's coming from my domain"- so all a spammer has to do is forge (in a correct manner) the re-written from address and the spam bypasses SPF.
I guess that's why DKIM etc came along.

> Wong provided a Perl wrapper script to rewrite the SMTP envelope on the outbound copy, emulating what MLMs do.

it was a few years ago now, so details are "a bit fuzzy" to say the least. In our case using Postfix, it needed some plugin to do it - and I think this plugin re-wrote all addresses regardless of where the email was headed. Due to the way the two services were done, the greylisting (part of policyd, aka Cluebringer) was done on the re-written address, and since this (IIRC) changed each day then few emails ever got the "seen this triplet before, straight through" treatment and so nearly all mail was delayed. Funny how users get to expect "instant" email even though there's never ever been any guarantee of instant delivery :-/

But at least my service did something that apparently the likes of Google and Microsoft couldn't manage - I did not have to silently delete mail that failed spam or embedded nasties checks. I rejected the messages so that any properly configured server would notify the sender that the message wasn't delivered. I was always proud of that bit.