Mailing List Archive: SPF: Deployment

the "?all" rationnal

Index | Next | Previous | View Threaded

jmp at safe

Oct 22, 2004, 8:49 AM

Post #1 of 9 (4283 views)
Permalink

the "?all" rationnal

Bonjour a tous,

Seems a LOT of SPF deployed include "?all"
see AOL:
v=spf1 ip4:152.163.225.0/24 ip4:205.188.139.0/24 ip4:205.188.144.0/24 ip4:205.188.156.0/23 ip4:205.188.159.0/24 ip4:64.12.136.0/23 ip4:64.12.138.0/24 ptr:mx.aol.com ?all

What is the purpose to define a complex SPF but at the end
saying "by the way, forget about me"?

What is the rationnal to put "?all" in production ("~all"
I can understand)?
SPF is a tool to avoid E-mail forgery adding "?all"
is just breaking down the detector... should we
tag all received E-mail under the "?all" status
as SPAM?

A bientot
--
==========================================================================
Jean-Marc Pigeon Internet: Jean-Marc.Pigeon [at] safe
SAFE Inc. Phone: (514) 493-4280 Fax: (514) 493-1946
==========================================================================

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-deployment [at] v2

Matthew.van.Eerde at hbinc

Oct 22, 2004, 2:29 PM

Post #2 of 9 (4019 views)
Permalink

RE: the "?all" rationnal [In reply to]

Jean-Marc Pigeon wrote:
> What is the rationnal to put "?all" in production ("~all" I can
> understand)? SPF is a tool to avoid E-mail forgery adding "?all"
> is just breaking down the detector... should we
> tag all received E-mail under the "?all" status
> as SPAM?
>
>
> A bientot

There's plenty of spam software out there that works on a point system (SpamAssassin, for example.) A + result would be worth some "non-spam" points. A - result would be worth many "spam" points, or even outright rejection. A ? result would be neutral - no points either way.

So publishing an SPF record with + records and an eventual ... ?all allows you to give the benefit of authority to your + records, without penalizing your users who are using (say) a "send this page to a friend" tool that forges the From field.

Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg,"

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-deployment [at] v2

jmp at safe

Oct 22, 2004, 4:34 PM

Post #3 of 9 (4008 views)
Permalink

Re: the "?all" rationnal [In reply to]

Bonjour Matthew.van.Eerde [at] hbinc,

> There's plenty of spam software out there that works on a point system (SpamAssassin, for example.) A + result would be worth some "non-spam" points. A - result would be worth many "spam" points, or even outright rejection. A ? result would be neutral - no points either way.
>
> So publishing an SPF record with + records and an eventual ... ?all allows you to give the benefit of authority to your + records, without penalizing your users who are using (say) a "send this page to a friend" tool that forges the From field.
>
~all, "soft fail" could/should be used for that.

In term of deployment I disagree, If 'we' are too lazy
giving the "?all" to all SPF definition, SPF can't be
used in an effective way.

We are 'crunching' around 15000 Email/hours here, 95% is
pure scrap, not worth the trouble to even receive them,
SPF is a good way to say "yes this mail is really
coming from them, lets check it more deeply"

One of my customer, told me, "When SPF will be really
deployed, we'll configure our sendmail not receive
any E-mail but the one with a good SPF"...
"?all", (inserted by sysadmin laziness?), means we can't
use the SPF tools to its full potential (IE: Yes, there is an SPF
record, but please if remote IP is not in the list, lets
forgot about SPF). IMHO it is too bad...
(Is the E-mail coming from that domain Yes or Not, I still
don't know?)

SPF_Pass:
- if IP is within OSBL database -> official SPAM
(can be tagged as such).
SPF_fail:
- -> outright rejection
SPF_neutral:
- if IP is within OSBL database -> outright rejection

Problem OSBL database are not that reliable and very
heavy to maintain, so why not try to deploy a clean "SPF"?

A bientot
--
==========================================================================
Jean-Marc Pigeon Internet: Jean-Marc.Pigeon [at] safe
SAFE Inc. Phone: (514) 493-4280 Fax: (514) 493-1946
==========================================================================

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-deployment [at] v2

rand at sendmail

Oct 22, 2004, 6:27 PM

Post #4 of 9 (4014 views)
Permalink

Re: the "?all" rationnal [In reply to]

On Fri, 22 Oct 2004, Jean-Marc Pigeon wrote:

> Bonjour Matthew.van.Eerde [at] hbinc,
>
> > There's plenty of spam software out there that works on a point system
> > (SpamAssassin, for example.) A + result would be worth some
> > "non-spam" points. A - result would be worth many "spam" points, or
> > even outright rejection. A ? result would be neutral - no points
> > either way.

This is ridiculously dangerous. Taking a successful authentication of a
message to in any way indicate that the message may be "non-spam" is
exactly what the spammers want you to do, which is why they are some of
the fastest adopters of SPF.

Successful authentication should open up a new avenue to message
processing...check against an authenticated allow-list, look up the
reputation of the *domain* (not just the IP address), send a
challenge-response message without worring that you're spamming some poor
person whose been spoofed. Just taking authentication data to be a
positive indicator will lead to all kinds of problems (look for the
SpamAssassin rules that *used* to give preferential treatment to PGP sig
blocks or Habeus headers, and see how the spammers latched on to those).

> In term of deployment I disagree, If 'we' are too lazy
> giving the "?all" to all SPF definition, SPF can't be
> used in an effective way.

Are you confident that even if something came through, didn't pass, and
the record indicated '-all' that you would want to outright reject it?
What if the message went through a forwarder at the request of one of your
users (the receiver)?

> We are 'crunching' around 15000 Email/hours here, 95% is
> pure scrap, not worth the trouble to even receive them,
> SPF is a good way to say "yes this mail is really
> coming from them, lets check it more deeply"

Totally agree.

-Rand

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-deployment [at] v2

jmp at safe

Oct 22, 2004, 6:44 PM

Post #5 of 9 (4017 views)
Permalink

Re: the "?all" rationnal [In reply to]

Bonjour Rand Wacker,
>
> > In term of deployment I disagree, If 'we' are too lazy
> > giving the "?all" to all SPF definition, SPF can't be
> > used in an effective way.
>
> Are you confident that even if something came through, didn't pass, and
> the record indicated '-all' that you would want to outright reject it?
> What if the message went through a forwarder at the request of one of your
> users (the receiver)?
My personnal answer is YES, we all know SPF weakness is relaying,
IMHO, better to forget about (wild) relaying and make sure
the Mail is fully endorsed by originating Domain.
Such we can work to give more or less credibility on the
orginating domain...

That's why, I still think having an "?all" at the end of
the SPF is a way to "shut down" the full SPF purpose...
("?all" is usefull for testing before SPF deployment
but I am worry about so much domain in production still having
such status)

A bientot
--
==========================================================================
Jean-Marc Pigeon Internet: Jean-Marc.Pigeon [at] safe
SAFE Inc. Phone: (514) 493-4280 Fax: (514) 493-1946
==========================================================================

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-deployment [at] v2

wayne at midwestcs

Oct 23, 2004, 10:56 AM

Post #6 of 9 (4030 views)
Permalink

Re: the "?all" rationnal [In reply to]

In <Pine.LNX.4.58.0410221820570.21617 [at] snoopy> Rand Wacker <rand [at] sendmail> writes:

> On Fri, 22 Oct 2004, Jean-Marc Pigeon wrote:
>
>> Bonjour Matthew.van.Eerde [at] hbinc,
>>
>> > There's plenty of spam software out there that works on a point system
>> > (SpamAssassin, for example.) A + result would be worth some
>> > "non-spam" points. A - result would be worth many "spam" points, or
>> > even outright rejection. A ? result would be neutral - no points
>> > either way.
>
> This is ridiculously dangerous. Taking a successful authentication of a
> message to in any way indicate that the message may be "non-spam" is
> exactly what the spammers want you to do, which is why they are some of
> the fastest adopters of SPF.

Yep. Fortunately, people like the SpamAssassin developers understand
this point and haven't given a positive score to SPF passes. (Ok,
tecnically the do give a positive score, but the score is so low that
it will never have any pratical effect, other than recording the fact
that the SPF pass was detected.)

> Successful authentication should open up a new avenue to message
> processing...check against an authenticated allow-list,

Yep. An SPF PASS means that you are very (but not absolutely) safe in
using the domain for whitelisting or blacklisting.

An SPF FAIL means that you are fairly (but not very) safe in assuming
that the email is forged. An SPF SOFTFAIL is similar, but even less
certain.

An SPF NEUTRAL or NONE means nothing.

In <20041022233401.GH11442 [at] montreal> Jean-Marc Pigeon <jmp [at] safe> writes:

> Bonjour Matthew.van.Eerde [at] hbinc,
>>In <20041022154913.GF11442 [at] montreal> Jean-Marc Pigeon <jmp [at] safe> writes:
>>
>>> Seems a LOT of SPF deployed include "?all" see AOL:
>>
>> So publishing an SPF record with + records and an eventual ... ?all
>> allows you to give the benefit of authority to your + records,
>> without penalizing your users who are using (say) a "send this page
>> to a friend" tool that forges the From field.
>>
> ~all, "soft fail" could/should be used for that.

I agree that ~all is better. AOL published their SPF record during a
one or two month gap when SOFTFAIL has been taken out of the spec.
AOL was given as an example of someone who would benefit by putting it
back into the spec.

-wayne

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-deployment [at] v2

spf2 at kitterman

Oct 25, 2004, 11:51 AM

Post #7 of 9 (4009 views)
Permalink

RE: the "?all" rationnal [In reply to]

>-----Original Message-----
>From: owner-spf-deployment [at] v2
>[mailto:owner-spf-deployment [at] v2]On Behalf Of Jean-Marc
>Pigeon
>Sent: Friday, October 22, 2004 11:49 AM
>To: spf-deployment [at] v2
>Subject: [spf-deployment] the "?all" rationnal
>
>
>Bonjour a tous,
>
> Seems a LOT of SPF deployed include "?all"
> see AOL:
> v=spf1 ip4:152.163.225.0/24 ip4:205.188.139.0/24
>ip4:205.188.144.0/24 ip4:205.188.156.0/23 ip4:205.188.159.0/24
>ip4:64.12.136.0/23 ip4:64.12.138.0/24 ptr:mx.aol.com ?all
>
> What is the purpose to define a complex SPF but at the end
> saying "by the way, forget about me"?
>
> What is the rationnal to put "?all" in production ("~all"
> I can understand)?
> SPF is a tool to avoid E-mail forgery adding "?all"
> is just breaking down the detector... should we
> tag all received E-mail under the "?all" status
> as SPAM?
>
E-mail that matches a ?all mechanism returns a result of NEUTRAL (which
means do with it what you would do if there were no SPF record at all). If
you tag all e-mail from domains that don't have an SPF record as SPAM (not
recommended), then go right ahead.

Messages that fall off the end of a record with ?all is one source of
NEUTRAL results. Another source is mail sent from a mail server not under
the administrative control of the domain owner (shared MTAs). Most of these
servers do not, today, have technical mechanisms in place to prevent
authorized users of the MTA from forging the mail from/return path address
of other authorized users. As a result, many domain owners who use shared
MTAs (such as myself) use ?include:yyy.isp.net (or other mechanisms as
appropriate) to avoid the risk of being victimized by cross-customer forgery
on the shared MTA. These types of messages are very unlikely to be
forgeries, but don't get a PASS because one can't be sure.

The published SPF specs call for messages getting a NEUTRAL to be treated as
if there were no SPF record for the domain. This is the prudent course to
take.

Scott Kitterman

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-deployment [at] v2

jmp at safe

Oct 25, 2004, 1:05 PM

Post #8 of 9 (4021 views)
Permalink

Re: the "?all" rationnal [In reply to]

Bonjour spf2 [at] kitterman,

> > What is the purpose to define a complex SPF but at the end
> > saying "by the way, forget about me"?
> >
> > What is the rationnal to put "?all" in production ("~all"
> > I can understand)?
> > SPF is a tool to avoid E-mail forgery adding "?all"
> > is just breaking down the detector... should we
> > tag all received E-mail under the "?all" status
> > as SPAM?
> >
> E-mail that matches a ?all mechanism returns a result of NEUTRAL (which
> means do with it what you would do if there were no SPF record at all). If
> you tag all e-mail from domains that don't have an SPF record as SPAM (not
> recommended), then go right ahead.
I have difficulties with the concept to set a well defined
SPF record and end it with "anyway doesn't matter"
My concern is about effectivness of the tool, if
we are saying "SPF is the solution to avoid E-mail
forgery" and in the same time, by "laziness", we
say "if SPF is not positive, lets be neutral, accept the
E-mail anyway" my guess it will be difficult to
set this tool as an effective way to discrimate
trouble maker and get a wide adoption...
>
> Messages that fall off the end of a record with ?all is one source of
> NEUTRAL results. Another source is mail sent from a mail server not under
> the administrative control of the domain owner (shared MTAs). Most of these
> servers do not, today, have technical mechanisms in place to prevent
> authorized users of the MTA from forging the mail from/return path address
> of other authorized users. As a result, many domain owners who use shared
> MTAs (such as myself) use ?include:yyy.isp.net (or other mechanisms as
> appropriate) to avoid the risk of being victimized by cross-customer forgery
> on the shared MTA. These types of messages are very unlikely to be
> forgeries, but don't get a PASS because one can't be sure.
I am not sure I understand your point, suppose you have control
over your domain, you can add your SPF with an include to
your ISP (yyy.isp.net), if you are entitled to use ISP E-mail
server you should come up within the IP SPF list, not as
?NEUTRAL (so everybody should be happy), what is the point I am
missing?

A bientot
--
==========================================================================
Jean-Marc Pigeon Internet: Jean-Marc.Pigeon [at] safe
SAFE Inc. Phone: (514) 493-4280 Fax: (514) 493-1946
REGULUS, a real time accounting/billing package for ISP
REGULUS' Home base <"http://www.regulus.safe.ca">
==========================================================================

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-deployment [at] v2

spf2 at kitterman

Oct 25, 2004, 1:13 PM

Post #9 of 9 (4018 views)
Permalink

RE: the "?all" rationnal [In reply to]

>-----Original Message-----
>From: owner-spf-deployment [at] v2
>[mailto:owner-spf-deployment [at] v2]On Behalf Of Jean-Marc
>Pigeon
>Sent: Monday, October 25, 2004 4:05 PM
>To: spf-deployment [at] v2
>Subject: Re: [spf-deployment] the "?all" rationnal
>
>
>Bonjour spf2 [at] kitterman,
>
>> Messages that fall off the end of a record with ?all is one source of
>> NEUTRAL results. Another source is mail sent from a mail server
>not under
>> the administrative control of the domain owner (shared MTAs).
>Most of these
>> servers do not, today, have technical mechanisms in place to prevent
>> authorized users of the MTA from forging the mail from/return
>path address
>> of other authorized users. As a result, many domain owners who
>use shared
>> MTAs (such as myself) use ?include:yyy.isp.net (or other mechanisms as
>> appropriate) to avoid the risk of being victimized by
>cross-customer forgery
>> on the shared MTA. These types of messages are very unlikely to be
>> forgeries, but don't get a PASS because one can't be sure.
> I am not sure I understand your point, suppose you have control
> over your domain, you can add your SPF with an include to
> your ISP (yyy.isp.net), if you are entitled to use ISP E-mail
> server you should come up within the IP SPF list, not as
> ?NEUTRAL (so everybody should be happy), what is the point I am
> missing?
>
If you look at my spf record:

@ IN TXT "v=spf1 include:webmail.pair.com ?ip4:204.127.202.0/24
?ip4:204.127.198.0/24 ?ip4:216.148.227.0/24 ?a:relay.pair.com ?mx
?include:megapathdsl.net ?ptr:mail2web.com -all"

by design I tell SPF receivers to give a match a NEUTRAL result rather than
a PASS for most of my permitted senders. The reason I do this is that these
are all shared servers that I don't control (at my ISP or domain host).
There is nothing that prevents other users of those servers from forging my
mail address. Until mail services restrict mail from/return path to those
an individual customer is authorized to use, this will be a problem.

The reason I worry about this is that as automated domain blacklists are
developed, I do not want to have other users of these servers able to send
mail in my name that gets an SPF PASS result. See here,
http://spf.pobox.com/faq.html#churn, to see why I'm worried. Read the
section that starts, Here's an example of automated blacklisting in
action:...

Scott Kitterman

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-deployment [at] v2

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads