Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: SPF: Discuss

advice wrong, or is it?

 

 

First page Previous page 1 2 Next page Last page  View All SPF discuss RSS feed   Index | Next | Previous | View Threaded


alex at ergens

Dec 20, 2007, 6:53 PM

Post #1 of 50 (5635 views)
Permalink
advice wrong, or is it?

Hi,

Would anyone know why google would say the following?

<quote class="wrong">Publishing an SPF record that lacks include:aspmx.googlemail.com or specifying -all instead of ~all may result in delivery problems.</quote>

Note: they say "~all" is good, "-all" is not.


I found this here:
http://www.google.com/support/a/bin/answer.py?hl=en&answer=33786

cheers
Alex

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=78293702-b91382
Powered by Listbox: http://www.listbox.com


scott at kitterman

Dec 20, 2007, 7:23 PM

Post #2 of 50 (5560 views)
Permalink
Re: advice wrong, or is it? [In reply to]

On Thursday 20 December 2007 21:53, Alex van den Bogaerdt wrote:
> Hi,
>
> Would anyone know why google would say the following?
>
> <quote class="wrong">Publishing an SPF record that lacks
> include:aspmx.googlemail.com or specifying -all instead of ~all may result
> in delivery problems.</quote>
>
> Note: they say "~all" is good, "-all" is not.
>
>
> I found this here:
> http://www.google.com/support/a/bin/answer.py?hl=en&answer=33786
>
It depends on what your goal is. If you want to deter spammers from using
your domains, then -all is a good idea.

Scott K

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=78297191-4365a3
Powered by Listbox: http://www.listbox.com


alex at ergens

Dec 20, 2007, 7:27 PM

Post #3 of 50 (5555 views)
Permalink
Re: advice wrong, or is it? [In reply to]

On Thu, Dec 20, 2007 at 10:23:23PM -0500, Scott Kitterman wrote:

> > Note: they say "~all" is good, "-all" is not.
> >
> >
> > I found this here:
> > http://www.google.com/support/a/bin/answer.py?hl=en&answer=33786
> >
> It depends on what your goal is. If you want to deter spammers from using
> your domains, then -all is a good idea.

OK, now please explain why someone would want to use ~all as google
suggests? Yeah, sure, while testing it is OK, but thereafter ?

cheers
Alex

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=78298443-d6b9ad
Powered by Listbox: http://www.listbox.com


dwmw2 at infradead

Dec 21, 2007, 1:07 AM

Post #4 of 50 (5553 views)
Permalink
Re: advice wrong, or is it? [In reply to]

On Fri, 2007-12-21 at 03:53 +0100, Alex van den Bogaerdt wrote:
> Would anyone know why google would say the following?
>
> <quote class="wrong">Publishing an SPF record that lacks
> include:aspmx.googlemail.com or specifying -all instead of ~all may
> result in delivery problems.</quote>
>
> Note: they say "~all" is good, "-all" is not.

They would say it because they believe, like many others, that the
fundamental principle on which SPF is based -- that forwarding does not
happen -- is completely wrong. And thus that publishing a '-all' record
invites people to throw away genuine mail. For the normal definition of
'genuine', that is, not the SPF NewSpeak definition.

--
dwmw2

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=78326484-402310
Powered by Listbox: http://www.listbox.com


peter at bowyer

Dec 21, 2007, 2:04 AM

Post #5 of 50 (5547 views)
Permalink
Re: advice wrong, or is it? [In reply to]

On 21/12/2007, Alex van den Bogaerdt <alex [at] ergens> wrote:
> On Thu, Dec 20, 2007 at 10:23:23PM -0500, Scott Kitterman wrote:
>
> > > Note: they say "~all" is good, "-all" is not.
> > >
> > >
> > > I found this here:
> > > http://www.google.com/support/a/bin/answer.py?hl=en&answer=33786
> > >
> > It depends on what your goal is. If you want to deter spammers from using
> > your domains, then -all is a good idea.
>
> OK, now please explain why someone would want to use ~all as google
> suggests? Yeah, sure, while testing it is OK, but thereafter ?

Probably because adopters of Google's SAAS email service typically do
so gradually rather than 'big-bang', and during transition (or perhaps
even permanently) still send email from their 'legacy' systems as well
as from Gmail. They'll have a history of support tickets around this,
which will have led to the ~all advice.

Peter


--
Peter Bowyer
Email: peter [at] bowyer

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=78331002-94c51a
Powered by Listbox: http://www.listbox.com


alex at ergens

Dec 21, 2007, 5:53 AM

Post #6 of 50 (5562 views)
Permalink
Re: advice wrong, or is it? [In reply to]

On Fri, Dec 21, 2007 at 09:07:25AM +0000, David Woodhouse wrote:
>
> On Fri, 2007-12-21 at 03:53 +0100, Alex van den Bogaerdt wrote:
> > Would anyone know why google would say the following?
> >
> > <quote class="wrong">Publishing an SPF record that lacks
> > include:aspmx.googlemail.com or specifying -all instead of ~all may
> > result in delivery problems.</quote>
> >
> > Note: they say "~all" is good, "-all" is not.
>
> They would say it because they believe, like many others, that the
> fundamental principle on which SPF is based -- that forwarding does not
> happen -- is completely wrong. And thus that publishing a '-all' record
> invites people to throw away genuine mail. For the normal definition of
> 'genuine', that is, not the SPF NewSpeak definition.

I'm not going to rehash that argument.

I know what you think of SPF, and you know what I think of you. What wonders me is why you keep spreading your FUD if you are so opposed to SPF.

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=78372650-210f0a
Powered by Listbox: http://www.listbox.com


alex at ergens

Dec 21, 2007, 6:10 AM

Post #7 of 50 (5540 views)
Permalink
Re: advice wrong, or is it? [In reply to]

On Fri, Dec 21, 2007 at 10:04:27AM +0000, Peter Bowyer wrote:

> > > > Note: they say "~all" is good, "-all" is not.
> > > >
> > > >
> > > > I found this here:
> > > > http://www.google.com/support/a/bin/answer.py?hl=en&answer=33786
> > > >
> > > It depends on what your goal is. If you want to deter spammers from using
> > > your domains, then -all is a good idea.
> >
> > OK, now please explain why someone would want to use ~all as google
> > suggests? Yeah, sure, while testing it is OK, but thereafter ?
>
> Probably because adopters of Google's SAAS email service typically do
> so gradually rather than 'big-bang', and during transition (or perhaps
> even permanently) still send email from their 'legacy' systems as well
> as from Gmail. They'll have a history of support tickets around this,
> which will have led to the ~all advice.

OK, I can agree to this for a part. However, when sending a message from
the wrong host, the amount of rejection may be lower but still significant.

What's worse:
* Two receivers, and you know both use SPF.
* You send a message to both
* One is rejected, the other is not
It is easy to think you need to look at something else than your SPF policy.


And, without further explanation, people who otherwise would have
chosen -all, not only willingly but also for a good reason, may now
have second thoughts just because google says so. They don't know
why what they think is wrong (it isn't!!!) but if google says so...


Perhaps that last point is the most important. There's enough FUD coming
from another source, we don't need google to chip in.

Alex

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=78379254-e8b825
Powered by Listbox: http://www.listbox.com


julian at mehnle

Dec 21, 2007, 6:15 AM

Post #8 of 50 (5554 views)
Permalink
Re: advice wrong, or is it? [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David Woodhouse wrote:
> They would say it because they believe, like many others, that the
> fundamental principle on which SPF is based -- that forwarding does not
> happen -- is completely wrong. And thus that publishing a '-all' record
> invites people to throw away genuine mail. For the normal definition of
> 'genuine', that is, not the SPF NewSpeak definition.

Yes, SPF is all about clearly redefining the meaning of the SMTP envelope
sender from the fuzzy mess that it is in RFCs 821 and 2821, for any
domain that has an SPF record.

What you don't seem to get is that SPF is an opt-in system. If YOU don't
want YOUR mail to be subject to that clear redefinition, don't publish an
SPF record for YOUR domain. It's that simple.

For the rest of us, the benefit of SPF by far outweighs the (believe it or
not) ever so small forwarding problem, or we wouldn't be using it.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHa8qWwL7PKlBZWjsRAhexAKDzS2X0UUqUDClfKpR4mAgNOdpP9QCgm0pd
B1T6TlgXn4sm+FeysK0/EPY=
=ORhe
-----END PGP SIGNATURE-----

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=78380201-67e269
Powered by Listbox: http://www.listbox.com


Bill.Adragna at mccmh

Dec 21, 2007, 6:22 AM

Post #9 of 50 (5548 views)
Permalink
Re: advice wrong, or is it? [In reply to]

What is FUD?

Alex van den Bogaerdt wrote:
On Fri, Dec 21, 2007 at 10:04:27AM +0000, Peter Bowyer wrote:
Note: they say "~all" is good, "-all" is not. I found this here: http://www.google.com/support/a/bin/answer.py?hl=en&answer=33786"]http://www.google.com/support/a/bin/answer.py?hl=en&answer=33786
It depends on what your goal is. If you want to deter spammers from using your domains, then -all is a good idea.
OK, now please explain why someone would want to use ~all as google suggests? Yeah, sure, while testing it is OK, but thereafter ?
Probably because adopters of Google's SAAS email service typically do so gradually rather than 'big-bang', and during transition (or perhaps even permanently) still send email from their 'legacy' systems as well as from Gmail. They'll have a history of support tickets around this, which will have led to the ~all advice.
OK, I can agree to this for a part. However, when sending a message from the wrong host, the amount of rejection may be lower but still significant. What's worse: * Two receivers, and you know both use SPF. * You send a message to both * One is rejected, the other is not It is easy to think you need to look at something else than your SPF policy. And, without further explanation, people who otherwise would have chosen -all, not only willingly but also for a good reason, may now have second thoughts just because google says so. They don't know why what they think is wrong (it isn't!!!) but if google says so... Perhaps that last point is the most important. There's enough FUD coming from another source, we don't need google to chip in. Alex ------------------------------------------- Sender Policy Framework: http://www.openspf.org"]http://www.openspf.org Archives: http://v2.listbox.com/member/archive/735/=now"]http://v2.listbox.com/member/archive/735/=now RSS Feed: http://v2.listbox.com/member/archive/rss/735/"]http://v2.listbox.com/member/archive/rss/735/ Modify Your Subscription: http://v2.listbox.com/member/?&"]http://v2.listbox.com/member/?& Powered by Listbox: http://www.listbox.com"]http://www.listbox.com



Sender Policy Framework: http://www.openspf.org"]http://www.openspf.org http://v2.listbox.com/member/archive/735/=now"]Archives http://v2.listbox.com/member/archive/rss/735/"] | http://v2.listbox.com/member/?member_id=1311532&id_secret=78382217-ddff71"]Modify Your Subscriptionhttp://www.listbox.com"]
Attachments: Bill_Adragna.vcf (0.25 KB)


julian at mehnle

Dec 21, 2007, 6:23 AM

Post #10 of 50 (5546 views)
Permalink
Re: advice wrong, or is it? [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Alex van den Bogaerdt wrote:
> Would anyone know why google would say the following?
>
> <quote class="wrong">Publishing an SPF record that lacks
> include:aspmx.googlemail.com or specifying -all instead of ~all may
> result in delivery problems.</quote>
>
> Note: they say "~all" is good, "-all" is not.
>
> I found this here:
> http://www.google.com/support/a/bin/answer.py?hl=en&answer=33786

Interesting. I understand why they advise the inclusion of the
"aspmx.googlemail.com" SPF policy (I applaud Google for providing it!),
but recommending "~all" over "-all" is a bad idea. We actually need
domains to switch to "-all" (and receivers to whitelist whatever few
forwarders they may have).

What really makes me wonder, though, is this wording from the above URL:

| [SPF] records allow domain owners to specify which hosts are permitted
| to send email on behalf of their domains, making it hard to forge From:
| addresses.

There's no way to protect the "From:" address via SPF, not even via Sender
ID / PRA.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHa8xQwL7PKlBZWjsRAn7HAKC7G4Dnag24xuqJaVVuqhnIM6xBJACfcUMy
QsKup1QHr74krX8PCuejWM0=
=+nTM
-----END PGP SIGNATURE-----

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=78382579-6af4a4
Powered by Listbox: http://www.listbox.com


iane at sussex

Dec 21, 2007, 6:32 AM

Post #11 of 50 (5571 views)
Permalink
Re: advice wrong, or is it? [In reply to]

--On 21 December 2007 09:22:05 -0500 Bill Adragna <Bill.Adragna [at] mccmh>
wrote:

>
> What is FUD?
>
> Alex van den Bogaerdt wrote:
>
>

"Fear, Uncertainty and Doubt" Spreading FUD is a good way to prevent
something from happening, without giving a really good reason.



--
Ian Eiloart
IT Services, University of Sussex
x3148

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=78385309-4a07d9
Powered by Listbox: http://www.listbox.com


julian at mehnle

Dec 21, 2007, 6:35 AM

Post #12 of 50 (5550 views)
Permalink
Re: advice wrong, or is it? [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Bill Adragna wrote:
> What is FUD?

Fear, Uncertainty, Doubt.

http://en.wikipedia.org/wiki/Fear%2C_uncertainty_and_doubt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHa884wL7PKlBZWjsRAkHjAJ9sgJugEVkgCoGJNtadSW0+2janhACfYUMj
z5nUKxHRlN3xQmcHIdoyQSg=
=uxmT
-----END PGP SIGNATURE-----

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=78387080-4e25c7
Powered by Listbox: http://www.listbox.com


dtaylor at vocalabs

Dec 21, 2007, 8:42 AM

Post #13 of 50 (5542 views)
Permalink
Re: Re: advice wrong, or is it? [In reply to]

Julian Mehnle wrote:
> David Woodhouse wrote:
>> They would say it because they believe, like many others, that the
>> fundamental principle on which SPF is based -- that forwarding does not
>> happen -- is completely wrong. And thus that publishing a '-all' record
>> invites people to throw away genuine mail. For the normal definition of
>> 'genuine', that is, not the SPF NewSpeak definition.
>
> Yes, SPF is all about clearly redefining the meaning of the SMTP envelope
> sender from the fuzzy mess that it is in RFCs 821 and 2821, for any
> domain that has an SPF record.
>
> What you don't seem to get is that SPF is an opt-in system. If YOU don't
> want YOUR mail to be subject to that clear redefinition, don't publish an
> SPF record for YOUR domain. It's that simple.
>
> For the rest of us, the benefit of SPF by far outweighs the (believe it or
> not) ever so small forwarding problem, or we wouldn't be using it.
>
Oh so agreed.
For me the "forwarding problem" was that I had to stop forwarding to get
*any*
spam filtering to work reliably.

That and that every other decent anti-spam technical test has a higher
false positive rate than SPF. I hate some mail admins so much right now
for not getting their basic DNS configuration right. It's not like it's
even difficult, you just have to care if your users' mail gets
delivered. Grrrrr.

--
Daniel Taylor VP Operations Vocal Laboratories, Inc.
dtaylor [at] vocalabs http://www.vocalabs.com/ (952)941-6580x203

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=78465121-ef75d3
Powered by Listbox: http://www.listbox.com
Attachments: signature.asc (0.25 KB)


dwmw2 at infradead

Dec 21, 2007, 11:02 AM

Post #14 of 50 (5554 views)
Permalink
Re: Re: advice wrong, or is it? [In reply to]

On Fri, 2007-12-21 at 14:15 +0000, Julian Mehnle wrote:
> What you don't seem to get is that SPF is an opt-in system. If YOU don't
> want YOUR mail to be subject to that clear redefinition, don't publish an
> SPF record for YOUR domain. It's that simple.

And if you DO want your mail to be subject to that redefinition, don't
send it by SMTP to mail hosts which are only going to behave like they
have for more than the last two decades, and violate your bogus
assumptions.

--
dwmw2

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=78559442-ee503c
Powered by Listbox: http://www.listbox.com


dtaylor at vocalabs

Dec 21, 2007, 12:00 PM

Post #15 of 50 (5550 views)
Permalink
Re: Re: advice wrong, or is it? [In reply to]

David Woodhouse wrote:
> On Fri, 2007-12-21 at 14:15 +0000, Julian Mehnle wrote:
>> What you don't seem to get is that SPF is an opt-in system. If YOU don't
>> want YOUR mail to be subject to that clear redefinition, don't publish an
>> SPF record for YOUR domain. It's that simple.
>
> And if you DO want your mail to be subject to that redefinition, don't
> send it by SMTP to mail hosts which are only going to behave like they
> have for more than the last two decades, and violate your bogus
> assumptions.
>
Forwarding my e-mail without my permission or accounting for my SPF
record to a strict SPF checking host will result in a delivery failure.
Congratulations, you just denied yourself my e-mail.

Yay you.

--
Daniel Taylor VP Operations Vocal Laboratories, Inc.
dtaylor [at] vocalabs http://www.vocalabs.com/ (952)941-6580x203

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=78575568-897ce5
Powered by Listbox: http://www.listbox.com
Attachments: signature.asc (0.25 KB)


WebMaster at Commerco

Dec 21, 2007, 12:16 PM

Post #16 of 50 (5552 views)
Permalink
Re: Re: advice wrong, or is it? [In reply to]

At 01:00 PM 12/21/2007, you wrote:


>David Woodhouse wrote:
> > On Fri, 2007-12-21 at 14:15 +0000, Julian Mehnle wrote:
> >> What you don't seem to get is that SPF is an opt-in system. If YOU don't
> >> want YOUR mail to be subject to that clear redefinition, don't publish an
> >> SPF record for YOUR domain. It's that simple.
> >
> > And if you DO want your mail to be subject to that redefinition, don't
> > send it by SMTP to mail hosts which are only going to behave like they
> > have for more than the last two decades, and violate your bogus
> > assumptions.
> >
>Forwarding my e-mail without my permission or accounting for my SPF
>record to a strict SPF checking host will result in a delivery failure.
>Congratulations, you just denied yourself my e-mail.
>
>Yay you.
>
>--
>Daniel Taylor VP Operations Vocal Laboratories, Inc.
>dtaylor [at] vocalabs http://www.vocalabs.com/ (952)941-6580x203

Now I am confused (not all that unusual).

If I forward an email from you (with or without your permission)
while claiming to be me and passing that email through my strict SPF
host, I can do that just fine... I think, mostly because I'm not
claiming to be you, but rather forwarding along a message from you
(in the DATA section of the SMTP dialogue) with my information in the
header (MAIL FROM dialogue).

Now if someone is forwarding my email, claiming to be me, I don't
care for that behavior, thus I have an SPF record in an effort to
prevent that. Where am I going wrong?

AlanM
The Commerce Company
TZ.Com - Travel Zippy


-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=78585433-607e31
Powered by Listbox: http://www.listbox.com


dwmw2 at infradead

Dec 21, 2007, 12:26 PM

Post #17 of 50 (5568 views)
Permalink
Re: Re: advice wrong, or is it? [In reply to]

On Fri, 2007-12-21 at 13:16 -0700, WebMaster [at] Commerco wrote:
>
> Now if someone is forwarding my email, claiming to be me, I don't
> care for that behavior, thus I have an SPF record in an effort to
> prevent that. Where am I going wrong?

You're not. Just don't try sending mail 'from you' through any existing
SMTP systems out there. Common practice for decades would be for them to
send it on without changing the reverse-path. To expect otherwise would
but extremely naïve.

You're welcome to invent your own email system. Just don't whine that
you didn't give your 'permission' when you send your mail through SMTP
and mail servers behave the way they always have.

--
dwmw2

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=78587261-d8842c
Powered by Listbox: http://www.listbox.com


julian at mehnle

Dec 21, 2007, 12:30 PM

Post #18 of 50 (5547 views)
Permalink
Re: advice wrong, or is it? [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

WebMaster [at] commerco wrote:
> Now I am confused (not all that unusual).
>
> If I forward an email from you (with or without your permission)
> while claiming to be me and passing that email through my strict SPF
> host, I can do that just fine... I think, mostly because I'm not
> claiming to be you, but rather forwarding along a message from you
> (in the DATA section of the SMTP dialogue) with my information in the
> header (MAIL FROM dialogue).

(That's usually called the "envelope", not "header". The "header" is part
of the actual message text, which also contains the "body". You probably
knew that and merely confused the term.)

> Now if someone is forwarding my email, claiming to be me, I don't
> care for that behavior, thus I have an SPF record in an effort to
> prevent that. Where am I going wrong?

Who says you're going wrong?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHbCJ5wL7PKlBZWjsRAry9AKDLqvPOZuftoXjN55iCnubq8EVXWACfbqRp
et2wd3NYJeRb1iBztHocmiI=
=svvv
-----END PGP SIGNATURE-----

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=78588755-ddddaa
Powered by Listbox: http://www.listbox.com


dtaylor at vocalabs

Dec 21, 2007, 12:49 PM

Post #19 of 50 (5559 views)
Permalink
Re: Re: advice wrong, or is it? [In reply to]

WebMaster [at] Commerco wrote:
> At 01:00 PM 12/21/2007, you wrote:
>
>
>> David Woodhouse wrote:
>> > On Fri, 2007-12-21 at 14:15 +0000, Julian Mehnle wrote:
>> >> What you don't seem to get is that SPF is an opt-in system. If YOU
>> don't
>> >> want YOUR mail to be subject to that clear redefinition, don't
>> publish an
>> >> SPF record for YOUR domain. It's that simple.
>> >
>> > And if you DO want your mail to be subject to that redefinition, don't
>> > send it by SMTP to mail hosts which are only going to behave like they
>> > have for more than the last two decades, and violate your bogus
>> > assumptions.
>> >
>> Forwarding my e-mail without my permission or accounting for my SPF
>> record to a strict SPF checking host will result in a delivery failure.
>> Congratulations, you just denied yourself my e-mail.
>>
>> Yay you.
>>

> Now I am confused (not all that unusual).
>
> If I forward an email from you (with or without your permission) while
> claiming to be me and passing that email through my strict SPF host, I
> can do that just fine... I think, mostly because I'm not claiming to be
> you, but rather forwarding along a message from you (in the DATA section
> of the SMTP dialogue) with my information in the header (MAIL FROM
> dialogue).
>
> Now if someone is forwarding my email, claiming to be me, I don't care
> for that behavior, thus I have an SPF record in an effort to prevent
> that. Where am I going wrong?
>
You have a point, permission is irrelevant.

If you send e-mail from your system with a MAIL FROM claiming to be me,
however it got that way, and your system isn't included in my SPF
record, AND you are sending it to a system that rejects mail based on
SPF failures it will not arrive at the addressee.

Since old-style forwarding systems do not change the MAIL FROM to
reflect their inclusion in the mail path that is one way a system could
be sending mail claiming to be "MAIL FROM" me, which is one leg of the
above chain of events. Note that this may be a perfectly legitimate
message, but it breaks the chain of accountability and is
indistinguishable from a forged e-mail without more costly measures such
as digital signatures (and this message is an example of why digital
signatures are hardly foolproof themselves...)

For some reason that I do not clearly understand this offends Mr.
Woodhouse's delicate sensibilities, so he pops up here to complain about
it on an irregular basis.


--
Daniel Taylor VP Operations Vocal Laboratories, Inc.
dtaylor [at] vocalabs http://www.vocalabs.com/ (952)941-6580x203

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=78594745-c67d61
Powered by Listbox: http://www.listbox.com
Attachments: signature.asc (0.25 KB)


dwmw2 at infradead

Dec 21, 2007, 12:55 PM

Post #20 of 50 (5545 views)
Permalink
Re: Re: advice wrong, or is it? [In reply to]

On Fri, 2007-12-21 at 14:49 -0600, Daniel Taylor wrote:
> For some reason that I do not clearly understand this offends Mr.
> Woodhouse's delicate sensibilities, so he pops up here to complain
> about it on an irregular basis.

I was just answering Alex's rather stupid question. He asked why anyone
would recommend using ~all rather than -all, as if he'd forgotten the
fundamental brokenness of SPF. I was just reminding him.

--
dwmw2

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=78596786-052b25
Powered by Listbox: http://www.listbox.com


alex at ergens

Dec 21, 2007, 1:07 PM

Post #21 of 50 (5548 views)
Permalink
Re: Re: advice wrong, or is it? [In reply to]

On Fri, Dec 21, 2007 at 08:55:22PM +0000, David Woodhouse wrote:

> I was just answering Alex's rather stupid question. He asked why anyone
> would recommend using ~all rather than -all, as if he'd forgotten the
> fundamental brokenness of SPF. I was just reminding him.

Questions aren't stupid. Some answers are, as are trolls such as yourself.

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=78599974-c471f7
Powered by Listbox: http://www.listbox.com


alex at ergens

Dec 21, 2007, 1:15 PM

Post #22 of 50 (5548 views)
Permalink
Re: Re: advice wrong, or is it? [In reply to]

On Fri, Dec 21, 2007 at 01:16:26PM -0700, WebMaster [at] Commerco wrote:

> Now I am confused (not all that unusual).

You aren't. The troll is.

> If I forward an email from you (with or without your permission)
> while claiming to be me and passing that email through my strict SPF
> host, I can do that just fine... I think, mostly because I'm not
> claiming to be you, but rather forwarding along a message from you
> (in the DATA section of the SMTP dialogue) with my information in the
> header (MAIL FROM dialogue).
>
> Now if someone is forwarding my email, claiming to be me, I don't
> care for that behavior, thus I have an SPF record in an effort to
> prevent that. Where am I going wrong?

There is absolutely no forwarding problem. The person receiving a
message (note: receiving!) is resending the message using someone
else's email address. He's doing the damage but expects others to
clean up after him if things fail.

What's worse, he himself is sending to an account which *also* opted
in to SPF. So the troll *is* using SPF. Else there wouldn't be a
so called problem.

Alex

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=78602105-4c0f08
Powered by Listbox: http://www.listbox.com


dwmw2 at infradead

Dec 21, 2007, 1:19 PM

Post #23 of 50 (5564 views)
Permalink
Re: Re: advice wrong, or is it? [In reply to]

On Fri, 2007-12-21 at 22:07 +0100, Alex van den Bogaerdt wrote:
> On Fri, Dec 21, 2007 at 08:55:22PM +0000, David Woodhouse wrote:
>
> > I was just answering Alex's rather stupid question. He asked why anyone
> > would recommend using ~all rather than -all, as if he'd forgotten the
> > fundamental brokenness of SPF. I was just reminding him.
>
> Questions aren't stupid. Some answers are, as are trolls such as yourself.

It was a very strange question. You seemed to have forgotten that some
people advocate against SPF because of the way it tries to retroactively
declare 20 years of SMTP behaviour as 'wrong', and the fact that it
causes genuine¹ mail to be thrown away.

You asked why someone would advocate against using -all, and I reminded
you. It was a perfectly reasonable answer, and there's no need for
childish attacks in reply.

--
dwmw2

¹ Again, I feel I have to point out that I mean the normal meaning of the
word 'genuine', not the SPF NewSpeak meaning.

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=78604488-6a6518
Powered by Listbox: http://www.listbox.com


dwmw2 at infradead

Dec 21, 2007, 1:23 PM

Post #24 of 50 (5550 views)
Permalink
Re: Re: advice wrong, or is it? [In reply to]

On Fri, 2007-12-21 at 22:15 +0100, Alex van den Bogaerdt wrote:
> There is absolutely no forwarding problem. The person receiving a
> message (note: receiving!) is resending the message using someone
> else's email address. He's doing the damage but expects others to
> clean up after him if things fail.

This is how SMTP has worked since the early 1980s, and still works
today. If you choose to believe that by continuing to be compatible with
how email has worked for over two decades I am 'doing the damage', then
so be it.

If you use -all, there are situations in which your mail will be thrown
away. If you reject for failure, there are situations in which you will
be throwing away genuine mail, forwarded through normal, SMTP-compatible
systems.

It's very disingenuous of you, Alex, to tell people otherwise.

> What's worse, he himself is sending to an account which *also* opted
> in to SPF. So the troll *is* using SPF. Else there wouldn't be a
> so called problem.

You seem very confused, or very dishonest. I am not using SPF at all.

--
dwmw2

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=78605713-b4dfe8
Powered by Listbox: http://www.listbox.com


alex at ergens

Dec 21, 2007, 1:29 PM

Post #25 of 50 (5551 views)
Permalink
Re: Re: advice wrong, or is it? [In reply to]

On Fri, Dec 21, 2007 at 09:23:04PM +0000, David Woodhouse wrote:

> You seem very confused, or very dishonest. I am not using SPF at all.

Then there is no problem for you.

And speaking of dishonesty, spreading FUD is.

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=78606967-be4f66
Powered by Listbox: http://www.listbox.com

First page Previous page 1 2 Next page Last page  View All SPF discuss RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.