Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: SPF: Discuss

advice wrong, or is it?

 

 

First page Previous page 1 2 Next page Last page  View All SPF discuss RSS feed   Index | Next | Previous | View Threaded


Bill.Adragna at mccmh

Dec 21, 2007, 1:33 PM

Post #26 of 50 (3830 views)
Permalink
Re: Re: advice wrong, or is it? [In reply to]

I've been following this for years, and somebody tell me,

what will prevent the spammers from getting a valid SPF record for themselves, thus blowing up the whole point of the SPF record?


David Woodhouse wrote:
On Fri, 2007-12-21 at 22:15 +0100, Alex van den Bogaerdt wrote:
There is absolutely no forwarding problem. The person receiving a message (note: receiving!) is resending the message using someone else's email address. He's doing the damage but expects others to clean up after him if things fail.
This is how SMTP has worked since the early 1980s, and still works today. If you choose to believe that by continuing to be compatible with how email has worked for over two decades I am 'doing the damage', then so be it. If you use -all, there are situations in which your mail will be thrown away. If you reject for failure, there are situations in which you will be throwing away genuine mail, forwarded through normal, SMTP-compatible systems. It's very disingenuous of you, Alex, to tell people otherwise.
What's worse, he himself is sending to an account which *also* opted in to SPF. So the troll *is* using SPF. Else there wouldn't be a so called problem.
You seem very confused, or very dishonest. I am not using SPF at all.



Sender Policy Framework: http://www.openspf.org"]http://www.openspf.org http://v2.listbox.com/member/archive/735/=now"]Archives http://v2.listbox.com/member/archive/rss/735/"] | http://v2.listbox.com/member/?member_id=1311532&id_secret=78611720-e0174e"]Modify Your Subscriptionhttp://www.listbox.com"]
Attachments: Bill_Adragna.vcf (0.25 KB)


gcerullo at pixelpointstudios

Dec 21, 2007, 1:40 PM

Post #27 of 50 (3827 views)
Permalink
Re: Re: advice wrong, or is it? [In reply to]

On 21-Dec-07, at 4:33 PM, Bill Adragna wrote:

> I've been following this for years, and somebody tell me,
>
> what will prevent the spammers from getting a valid SPF record for
> themselves, thus blowing up the whole point of the SPF record?

That is exactly what we want them to do so we can identify them and
effectively blacklist them.


--
Gino Cerullo

Pixel Point Studios
21 Chesham Drive
Toronto, ON M3M 1W6

416-247-7740

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=78620290-5b28f4
Powered by Listbox: http://www.listbox.com


dwmw2 at infradead

Dec 21, 2007, 1:44 PM

Post #28 of 50 (3825 views)
Permalink
Re: Re: advice wrong, or is it? [In reply to]

On Fri, 2007-12-21 at 16:33 -0500, Bill Adragna wrote:
> what will prevent the spammers from getting a valid SPF record for
> themselves, thus blowing up the whole point of the SPF record?

Absolutely nothing. See the 'rapidly adopted SPF' link from the third item
under 'Problems with SPF' in http://david.woodhou.se/why-not-spf.html
Admittedly, it's rather old information now, so I don't know if the
statistics are still similar -- but certainly the principle hasn't
changed.

I don't really expect to persuade Alex. He usually just degenerates into
insults without really managing to come up with any coherent technical
response. But if just one or two _normal_ people out there take notice
and start to think for themselves, that'll be worth it.

I don't even really need to _persuade_ anyone. Just making them actually
apply a modicum of common sense for themselves would usually suffice.
Just take a look at RFC2821 and the way that machines out there
_actually_ behave, and think about it for a while. And you come to the
same conclusion I did. Most people do, anyway.

SPF is fundamentally incompatible with SMTP email as people have been
using it for decades. Use it at your own risk.

--
dwmw2

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=78625791-056f94
Powered by Listbox: http://www.listbox.com


julian at mehnle

Dec 21, 2007, 1:49 PM

Post #29 of 50 (3834 views)
Permalink
Re: advice wrong, or is it? [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Bill Adragna wrote:
> I've been following this for years, and somebody tell me,
> what will prevent the spammers from getting a valid SPF record for
> themselves, thus blowing up the whole point of the SPF record?Ā 

There seems to be a misunderstanding. The point of SPF is not to stop
spam but to stop sender address forgery. If spammers set up SPF records
for their own domains (which is of course what they have been doing for
years), then we can authenticate mails from their domains with confidence
and blacklist their domains. All the better.

If you want to stop spam, please try SpamAssassin or some other anti-spam
solution.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHbDT7wL7PKlBZWjsRAvjdAJ9/m7Bd2dCuADw6SJtqWtSiyYcROACeNt8Z
+v7dYdQrpe1xC3y99g/hWKQ=
=f4ot
-----END PGP SIGNATURE-----

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=78630591-a93697
Powered by Listbox: http://www.listbox.com


julian at mehnle

Dec 21, 2007, 1:50 PM

Post #30 of 50 (3822 views)
Permalink
Re: advice wrong, or is it? [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David Woodhouse wrote:
> This is how SMTP has worked since the early 1980s, and still works
> today. If you choose to believe that by continuing to be compatible
> with how email has worked for over two decades I am 'doing the damage',
> then so be it.

No, the actual damage is being inflicted by those who spoof others' e-mail
addresses with malicious intent (spammers, malware, etc.). However,
innocent bystanders insisting that all this legacy "functionality" of
SMTP be retained forever is now causing those innocent bystanders to
become part of the problem.

> If you use -all, there are situations in which your mail will be thrown
> away. If you reject for failure, there are situations in which you will
> be throwing away genuine mail, forwarded through normal, SMTP-compatible
> systems.

Right. However the magnitude of this (1) isn't a significant problem for
many people and (2) is outweighed by the benefit (no more misdirected
bounces, etc.) almost all the time.

This will have been my last comment on this topic for at least another
half a year. This horse has been beaten to death too many times already.
*sigh*

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHbDUiwL7PKlBZWjsRAkdyAKDswNYEhy7XB0+UfDjKF3EZKIU1MwCeOQW8
6gBsM59F5fhNbHSiQ+15y8c=
=eICc
-----END PGP SIGNATURE-----

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=78628449-41475e
Powered by Listbox: http://www.listbox.com


gcerullo at pixelpointstudios

Dec 21, 2007, 1:56 PM

Post #31 of 50 (3834 views)
Permalink
Re: Re: advice wrong, or is it? [In reply to]

On 21-Dec-07, at 4:23 PM, David Woodhouse wrote:

> This is how SMTP has worked since the early 1980s, and still works
> today. If you choose to believe that by continuing to be compatible
> with
> how email has worked for over two decades I am 'doing the damage',
> then
> so be it.
>
> If you use -all, there are situations in which your mail will be
> thrown
> away. If you reject for failure, there are situations in which you
> will
> be throwing away genuine mail, forwarded through normal, SMTP-
> compatible
> systems.

David,

You keep harping on the fact that SMTP has been working the way it
has for 20 years and to change any facet of it that has the potential
to throw away what is allegedly good email should be done away with.

The fact of the matter is that when SMTP was developed 20 or so years
ago we didn't have the problems of forgery that we do today. We also
didn't have the problem of malware and junk mail either. Do you
advocate that the inclusion of tools like Spamassassin and ClamAV in
the email process should be discarded as well?

On my system, that does check for SPF, Spamassassin and ClamAV are
responsible for more ligitimate email be discarded than SPF is. As a
matter of fact SPF has never rejected a legitimate email, ever!

David, I'm afraid your living in denial if you think that any changes
in the SMTP protocol that requires a change in our own behaviour and
expectations are unacceptable and not to be tolerated. You have a
choice. You can either change your expectations and behaviour or
accept the fact that your email will soon be accepted by fewer and
fewer email servers. Since that's the case, you may as well give up
now and find yourself a cave in that desert to crawl into now.

--
Gino Cerullo

Pixel Point Studios
21 Chesham Drive
Toronto, ON M3M 1W6

416-247-7740

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=78636707-7ae317
Powered by Listbox: http://www.listbox.com


alex at ergens

Dec 21, 2007, 2:07 PM

Post #32 of 50 (3818 views)
Permalink
Re: Re: advice wrong, or is it? [In reply to]

On Fri, Dec 21, 2007 at 09:44:10PM +0000, David Woodhouse wrote:
>
> On Fri, 2007-12-21 at 16:33 -0500, Bill Adragna wrote:
> > what will prevent the spammers from getting a valid SPF record for
> > themselves, thus blowing up the whole point of the SPF record?
>
> Absolutely nothing. See the 'rapidly adopted SPF' link from the third item
> under 'Problems with SPF' in http://david.woodhou.se/why-not-spf.html
> Admittedly, it's rather old information now, so I don't know if the
> statistics are still similar -- but certainly the principle hasn't
> changed.
>
> I don't really expect to persuade Alex. He usually just degenerates into
> insults without really managing to come up with any coherent technical
> response.

Normal people are reading your messages to, david, and will
instantly recognize the insult in the following line:

> But if just one or two _normal_ people out there take notice
> and start to think for themselves, that'll be worth it.

Normal people have the right to make a choice. Either they do not
want *their* email, be it as a originator or as a forwarder, to be
subject to SPF, or they do.

When they do not want to use SPF, then they will not use SPF. In
that case, SPF does not bother them, at all.

But if they do choose to opt-in to SPF, they do so by choice and
are fully entitled to do so.

Who are you to think those people are wrong? And what are you doing
here on this list, trying to mislead those people?

> SPF is fundamentally incompatible with SMTP email as people have been
> using it for decades. Use it at your own risk.

Ah... so now you do agree when people use it.

Still, the question remains: why on earth are you on a Don Quichotte
like cruisade against SPF if you are not using it yourself. What is it
that you don't understand and get bitten by.

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=78646479-bde184
Powered by Listbox: http://www.listbox.com


dtaylor at vocalabs

Dec 21, 2007, 2:21 PM

Post #33 of 50 (3835 views)
Permalink
Re: Re: advice wrong, or is it? [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Alex van den Bogaerdt wrote:
>> SPF is fundamentally incompatible with SMTP email as people have been
>> using it for decades. Use it at your own risk.
>
> Ah... so now you do agree when people use it.
>
> Still, the question remains: why on earth are you on a Don Quichotte
> like cruisade against SPF if you are not using it yourself. What is it
> that you don't understand and get bitten by.
>
Eh, there's one in every crowd.

Either SPF goes against his interests, or the mere thought of changing
e-mail to be less permissive than STD821/822 makes his skin crawl for
less rational reasons.

- --
Daniel Taylor VP Operations Vocal Laboratories, Inc.
dtaylor [at] vocalabs http://www.vocalabs.com/ (952)941-6580x203
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHbDxs8/QSptFdBtURAqdhAJ9O5TDqZ+BUOebRdm/83EKOhvz6lwCaA89Q
QiS3E2JM42fdH8jGHtbJSUw=
=FGnx
-----END PGP SIGNATURE-----

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=78654418-59d4c7
Powered by Listbox: http://www.listbox.com


WebMaster at Commerco

Dec 21, 2007, 3:04 PM

Post #34 of 50 (3818 views)
Permalink
Re: Re: advice wrong, or is it? [In reply to]

At 02:23 PM 12/21/2007, you wrote:

>On Fri, 2007-12-21 at 22:15 +0100, Alex van den Bogaerdt wrote:
> > There is absolutely no forwarding problem. The person receiving a
> > message (note: receiving!) is resending the message using someone
> > else's email address. He's doing the damage but expects others to
> > clean up after him if things fail.
>
>This is how SMTP has worked since the early 1980s, and still works
>today. If you choose to believe that by continuing to be compatible with
>how email has worked for over two decades I am 'doing the damage', then
>so be it.
>
>If you use -all, there are situations in which your mail will be thrown
>away. If you reject for failure, there are situations in which you will
>be throwing away genuine mail, forwarded through normal, SMTP-compatible
>systems.
>
>It's very disingenuous of you, Alex, to tell people otherwise.
>
> > What's worse, he himself is sending to an account which *also* opted
> > in to SPF. So the troll *is* using SPF. Else there wouldn't be a
> > so called problem.
>
>You seem very confused, or very dishonest. I am not using SPF at all.
>
>--
>dwmw2

I am even more confused. If I understood Mr. Woodhouse properly, he
originally painted a scenario where I think he said words to the
effect that by having a "-all" approach to one's SPF record, somehow
a message sent by Mr. Woodhouse could not be forwarded and that
receivers would somehow not receive his messages.

Yet, just above, Mr. Woodhouse says he doesn't use SPF at all. For
him then, nothing has changed and I fail to understand his argument.

For me, I've had SPF implemented since sometime around 2004 or so and
I implemented it with a "-all" approach without ever experiencing a
problem with lost messages.

I do, however, benefit from having an absolute assertion which I can
point to - if anyone ever get an email message from a domain under my
control that does not come from the outgoing SMTP servers I define
for the domain, then it is to be considered bogus. I want the
receiver to trash such a message prior to considering distributing it
and not send me a bounce back to me. Frankly, I'm happy with that
assumption and interpretation and the experience from doing this for
several years tells me that it does not break my ability to send or
receive email messages.

Now then, going back to check when I started with SPF, I saw a post
to this very list from Mr. Woodhouse, here is an interesting excerpt
from a message in late 2004.

"Until SRS is ubiquitous that's not strictly true. Throwing away the SPF
FAIL is _also_ hurting adoption. Every time someone complains that
forwarded email is bouncing, I get them to tell the _sender_ not to
publish '-all' and the _recipient_ not to obey it. It's too soon."

From this thread, I gather his opinion has not changed, despite the
huge numbers of SPF adopters these day. Even so, I find it more than
odd that he (as a non-adopter) spends so much time on the list for so
many years poking at something that clearly works for those who
actually *have* implemented SPF, it might be interesting to better
understand the history there.

I think that it was entirely because there was a perceived defect by
some in the way that SMTP has worked for over 20 years that SPF was
proposed. After all, just because something has a long history, does
not mean it cannot be improved upon or that it does not have some
fundamental defect that can be exploited by some once said defect is
discovered (read Joe Jobs). My first SMTP server (circa 1995) was so
brain damaged, that one could not even turn off the ability to relay
messages. In your view, Mr. Woodhouse, do you think I should be
maintaining that old open relay server because it followed the
standard? I hope not.

A high school physics teacher of mine from many years ago frequently
utter the words, "The dogs may bark, but the caravan moves on" when
class members groused about changes. Change happens, usually because
through change, certain problems identified along the way are
addressed by the change.

For me and my company, SPF works and it works well with the "-ALL"
and everything.

For others, it might not work so well - so be it - let them face
people spoofing their domain name identities, get bounces from all
over the place and generally face the misery that everyone did prior
to SPF - from the "working" SMTP standard to which Mr. Woodhouse
appears to feel so attached.

Getting back to the original point of the thread, why Google
apparently wants folks to specify "~all" rather than "-all", perhaps
in their case (because they offer a huge email service), they don't
wish to reveal all the possible outgoing SMTP servers to avoid some
type of attack on GMail. Personally, I think there are better ways
of handling such things even in huge scale email service environments.

Best,

AlanM
The Commerce Company
TZ.Com - Travel Zippy


-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=78677176-ad009f
Powered by Listbox: http://www.listbox.com


julian at mehnle

Dec 21, 2007, 5:04 PM

Post #35 of 50 (3824 views)
Permalink
Re: advice wrong, or is it? [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

WebMaster [at] commerco wrote:
> Getting back to the original point of the thread, why Google
> apparently wants folks to specify "~all" rather than "-all", perhaps
> in their case (because they offer a huge email service), they don't
> wish to reveal all the possible outgoing SMTP servers to avoid some
> type of attack on GMail. Personally, I think there are better ways
> of handling such things even in huge scale email service environments.

An interesting theory of yours, but I think if that was their motivation,
they would have been bright enough to use an "exists:" mechanism to hide
their infrastructure. :-)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHbGKrwL7PKlBZWjsRAjLvAJ9JeTqhjgiVEhwrN9rtIvDS0QDefgCfQgmP
QQdgdpJgUFX6SfKg9XbauUs=
=ty87
-----END PGP SIGNATURE-----

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=78732795-1ec8ea
Powered by Listbox: http://www.listbox.com


dmquigg-spf at yahoo

Dec 21, 2007, 5:34 PM

Post #36 of 50 (3823 views)
Permalink
Re: Re: advice wrong, or is it? [In reply to]

At 01:04 AM 12/22/2007 +0000, you wrote:
>WebMaster [at] commerco wrote:
>> Getting back to the original point of the thread, why Google
>> apparently wants folks to specify "~all" rather than "-all", perhaps
>> in their case (because they offer a huge email service), they don't
>> wish to reveal all the possible outgoing SMTP servers to avoid some
>> type of attack on GMail. Personally, I think there are better ways
>> of handling such things even in huge scale email service environments.
>
>An interesting theory of yours, but I think if that was their motivation,
>they would have been bright enough to use an "exists:" mechanism to hide
>their infrastructure. :-)

Actually, I think they are planning to compete with M$ to see who has the biggest di.. I mean set of netblocks.
google.com
v=spf1 include:_netblocks.google.com ~all
64.18.0.0/20 4096
64.233.160.0/19 8192
66.102.0.0/20 4096
66.249.80.0/20 4096
72.14.192.0/18 16384
74.125.0.0/16 65536
207.126.144.0/20 4096
209.85.128.0/17 32768
216.239.32.0/19 8192
Totals: 9 147456

msn.com
v=spf1 include:spf-a.hotmail.com include:spf-b.hotmail.com include:spf-c.hotmail.com include:spf-d.hotmail.com include:_spf-ssg-a.microsoft.com ~all
Totals: 38 981536

The attack theory doesn't make sense. How would knowing the addresses of their outgoing servers aid an attacker?

Also, what idiot would be foolish enough to attack Google's outgoing servers? That would be like pissing at a guy with a fire hose. Can you imagine the counter-attack Google could mount if they really wanted to take down a few ISPs. I hear the Russians recently took down the entire country of Estonia.

-- Dave :>)


************************************************************ *
* David MacQuigg, PhD email: macquigg at open-mail.org * *
* President, Open-Mail dot org phone: USA 520-721-4583 * * *
* Postmaster, Box67 dot com * * *
* 9320 East Mikelyn Lane * * *
* http://purl.net/macquigg Tucson, Arizona 85710 *
************************************************************ *

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=78737214-be84d2
Powered by Listbox: http://www.listbox.com


bill.adragna at mccmh

Dec 21, 2007, 5:52 PM

Post #37 of 50 (3832 views)
Permalink
Re: Re: advice wrong, or is it? [In reply to]

But they will change their SPF record every day.... won't they?

Gino Cerullo wrote:
> On 21-Dec-07, at 4:33 PM, Bill Adragna wrote:
>
>> I've been following this for years, and somebody tell me,
>>
>> what will prevent the spammers from getting a valid SPF record for
>> themselves, thus blowing up the whole point of the SPF record?
>
> That is exactly what we want them to do so we can identify them and
> effectively blacklist them.
>
>
> --
> Gino Cerullo
>
> Pixel Point Studios
> 21 Chesham Drive
> Toronto, ON M3M 1W6
>
> 416-247-7740
>
> ------------------------------------------------------------------------
>
> Sender Policy Framework: http://www.openspf.org
>
> Archives <http://v2.listbox.com/member/archive/735/=now>
> <http://v2.listbox.com/member/archive/rss/735/> | Modify
> <http://v2.listbox.com/member/?&>
> Your Subscription [Powered by Listbox] <http://www.listbox.com>
>

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=78739004-ea3509
Powered by Listbox: http://www.listbox.com


bill.adragna at mccmh

Dec 21, 2007, 5:55 PM

Post #38 of 50 (3830 views)
Permalink
Re: Re: advice wrong, or is it? [In reply to]

I stop about 98 percent of our spam organizationally, the problem is
that the total numbers are going up, so the 2 percent that we DON'T stop
represents a bigger and bigger number....

Julian Mehnle wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Bill Adragna wrote:
>
>> I've been following this for years, and somebody tell me,
>> what will prevent the spammers from getting a valid SPF record for
>> themselves, thus blowing up the whole point of the SPF record?
>>
>
> There seems to be a misunderstanding. The point of SPF is not to stop
> spam but to stop sender address forgery. If spammers set up SPF records
> for their own domains (which is of course what they have been doing for
> years), then we can authenticate mails from their domains with confidence
> and blacklist their domains. All the better.
>
> If you want to stop spam, please try SpamAssassin or some other anti-spam
> solution.
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFHbDT7wL7PKlBZWjsRAvjdAJ9/m7Bd2dCuADw6SJtqWtSiyYcROACeNt8Z
> +v7dYdQrpe1xC3y99g/hWKQ=
> =f4ot
> -----END PGP SIGNATURE-----
>
> -------------------------------------------
> Sender Policy Framework: http://www.openspf.org
> Archives: http://v2.listbox.com/member/archive/735/=now
> RSS Feed: http://v2.listbox.com/member/archive/rss/735/
> Modify Your Subscription: http://v2.listbox.com/member/?&
> Powered by Listbox: http://www.listbox.com
>

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=78740239-9fc86c
Powered by Listbox: http://www.listbox.com


bill.adragna at mccmh

Dec 21, 2007, 5:56 PM

Post #39 of 50 (3839 views)
Permalink
Re: Re: advice wrong, or is it? [In reply to]

yeah, I know that it is the spoofers who are doing the most damage to
our email health, but they are a big number... they'll register a
domain a day, publish an SPF record, and tomorrow, do it all over again....

Julian Mehnle wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> David Woodhouse wrote:
>
>> This is how SMTP has worked since the early 1980s, and still works
>> today. If you choose to believe that by continuing to be compatible
>> with how email has worked for over two decades I am 'doing the damage',
>> then so be it.
>>
>
> No, the actual damage is being inflicted by those who spoof others' e-mail
> addresses with malicious intent (spammers, malware, etc.). However,
> innocent bystanders insisting that all this legacy "functionality" of
> SMTP be retained forever is now causing those innocent bystanders to
> become part of the problem.
>
>
>> If you use -all, there are situations in which your mail will be thrown
>> away. If you reject for failure, there are situations in which you will
>> be throwing away genuine mail, forwarded through normal, SMTP-compatible
>> systems.
>>
>
> Right. However the magnitude of this (1) isn't a significant problem for
> many people and (2) is outweighed by the benefit (no more misdirected
> bounces, etc.) almost all the time.
>
> This will have been my last comment on this topic for at least another
> half a year. This horse has been beaten to death too many times already.
> *sigh*
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFHbDUiwL7PKlBZWjsRAkdyAKDswNYEhy7XB0+UfDjKF3EZKIU1MwCeOQW8
> 6gBsM59F5fhNbHSiQ+15y8c=
> =eICc
> -----END PGP SIGNATURE-----
>
> -------------------------------------------
> Sender Policy Framework: http://www.openspf.org
> Archives: http://v2.listbox.com/member/archive/735/=now
> RSS Feed: http://v2.listbox.com/member/archive/rss/735/
> Modify Your Subscription: http://v2.listbox.com/member/?&
> Powered by Listbox: http://www.listbox.com
>

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=78739992-1583ad
Powered by Listbox: http://www.listbox.com


alex at ergens

Dec 21, 2007, 6:00 PM

Post #40 of 50 (3842 views)
Permalink
Re: Re: advice wrong, or is it? [In reply to]

On Fri, Dec 21, 2007 at 08:52:32PM -0500, Bill Adragna wrote:
> But they will change their SPF record every day.... won't they?

Who cares?

An anti-spam system doesn't care if the sending host is or is not
authorized. All it cares about is that domain $spammerdomain is
used.

Or are you going to accept spam, just because the sending host was
authorized by the spammer? If you do, you didn't quite understand
what SPF is about. A pass does not mean you shouldn't look further.

A fail does mean you don't need to waste valuable resources, such
as looking at DKIM, SRS, anti-virus, anti-spam.

Alex

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=78741042-ebeb2e
Powered by Listbox: http://www.listbox.com


alex at ergens

Dec 21, 2007, 6:03 PM

Post #41 of 50 (3820 views)
Permalink
Re: Re: advice wrong, or is it? [In reply to]

On Fri, Dec 21, 2007 at 08:56:35PM -0500, Bill Adragna wrote:
> yeah, I know that it is the spoofers who are doing the most damage to
> our email health, but they are a big number... they'll register a
> domain a day, publish an SPF record, and tomorrow, do it all over again....

If they register a domainname, they don't need to spoof. This costs money.
If they spoof, they don't need to register a domainname. This does not
cost money.

Guess what they prefer...

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=78741705-aaf847
Powered by Listbox: http://www.listbox.com


terry at ashtonwoodshomes

Dec 22, 2007, 5:07 AM

Post #42 of 50 (3833 views)
Permalink
Re: Re: advice wrong, or is it? [In reply to]

Julian Mehnle wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Bill Adragna wrote:
>
>> I've been following this for years, and somebody tell me,
>> what will prevent the spammers from getting a valid SPF record for
>> themselves, thus blowing up the whole point of the SPF record?
>>
>
> There seems to be a misunderstanding. The point of SPF is not to stop
> spam but to stop sender address forgery. If spammers set up SPF records
> for their own domains (which is of course what they have been doing for
> years), then we can authenticate mails from their domains with confidence
> and blacklist their domains. All the better.
>
> If you want to stop spam, please try SpamAssassin or some other anti-spam
> solution.
>
I know you know this Julian, but it needs to be said.

Lets not put SPF down too much, in the act of stopping forgery, a lot of
spam (and virus generated email) that is forgery gets stopped in the
process.
Consider the spammers who forge email as from "good" or common domains.
One cannot block all emails from certain common domains, so we need to
differentiate between the ones that REALLY come from those domains and
ones that do NOT come from those domains but pretend to.

For a simple case that's easy to see, how many of you have received or
still receive spam that claimed to be from someone at your own domain
but didn't (e.g. claimed to come from YOU at your domain).
If you publish the appropriate SPF record, you can swiftly block those
emails, no false positives (The woodenheaded corner case of blind
.forward'ing email not withstanding, since its irrelevant to 99.9999% of
the world)

Terry


> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFHbDT7wL7PKlBZWjsRAvjdAJ9/m7Bd2dCuADw6SJtqWtSiyYcROACeNt8Z
> +v7dYdQrpe1xC3y99g/hWKQ=
> =f4ot
> -----END PGP SIGNATURE-----
>
> -------------------------------------------
> Sender Policy Framework: http://www.openspf.org
> Archives: http://v2.listbox.com/member/archive/735/=now
> RSS Feed: http://v2.listbox.com/member/archive/rss/735/
> Modify Your Subscription: http://v2.listbox.com/member/?&
> Powered by Listbox: http://www.listbox.com
>
>

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=78786776-7760cc
Powered by Listbox: http://www.listbox.com


nobody at xyzzy

Dec 22, 2007, 11:03 AM

Post #43 of 50 (3832 views)
Permalink
Re: advice wrong, or is it? [In reply to]

David Woodhouse wrote:

>> Note: they say "~all" is good, "-all" is not.

Assuming that they say this (I'm not convinced):

> They would say it because they believe, like many others,
> that the fundamental principle on which SPF is based --
> that forwarding does not happen -- is completely wrong.

The fundamental principle of SPF is RFC 821, with a clear
responsibility for accepting and forwarding mail, noted in
the reverse path. RFC 821 also offers a simple solution
for folks not wishing to take this responsibility: 551.

> And thus that publishing a '-all' record invites people
> to throw away genuine mail.

That's rubbish, '-all' emulates 551 as good as possible
for receivers rejecting FAIL. The original senders are
supposed to know why the they publish FAIL.

OTOH with '~all' it's more likely that mail ends up in a
black hole resulting in a loss of "genuine mail". Even
where receivers handle SOFTFAIL with greylisting, later
they'll accept it as "suspicious" => spam folder => loss.

With 'FAIL => reject => forwarder bounces => sender makes
another plan' all is fine.

> For the normal definition of 'genuine', that is, not
> the SPF NewSpeak definition.

The normal definition of responsibility is RFC 821, not
the 1123 5.3.6(a) bug where "responsibility" in the case
of forwarding to 3rd parties mysteriously vanished. SPF
emulates the status quo antea wrt 1123 5.3.6(a), that's
no NewSpeak simply because it isn't "new".

Frank

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=78831904-9e3307
Powered by Listbox: http://www.listbox.com


nobody at xyzzy

Dec 22, 2007, 11:15 AM

Post #44 of 50 (3827 views)
Permalink
Re: advice wrong, or is it? [In reply to]

Julian Mehnle wrote:

> SPF is all about clearly redefining the meaning of the SMTP envelope
> sender from the fuzzy mess that it is in RFCs 821 and 2821, for any
> domain that has an SPF record.

RFC 821 was a sound architecture, and RFC 1123 simply forgot to close
the odd 5.3.6(a) loophole. Without reverse path the MAIL FROM wasn't
updated by relayers (including forwarders to third parties, the only
critical case), and that killed the good "responsibility" concept in
RFC 821 for some years. Until SPF FAIL reintroduced it.

> What you don't seem to get is that SPF is an opt-in system. If YOU
> don't want YOUR mail to be subject to that clear redefinition, don't
> publish an SPF record for YOUR domain. It's that simple.

> For the rest of us, the benefit of SPF by far outweighs the (believe
> it or not) ever so small forwarding problem, or we wouldn't be using
> it.

+1 After more than three years I'm still at *one* case where I had
to send a FAILing mail again (bypassing the broken-by-1123 forwarder).

Frank

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=78834640-85f372
Powered by Listbox: http://www.listbox.com


admin at asarian-host

Dec 22, 2007, 11:22 AM

Post #45 of 50 (3822 views)
Permalink
RE: Re: advice wrong, or is it? [In reply to]

Bill,



From the very get-go, the SPF community has always been very careful not

to confuse anti-spam with anti-forgery. And for good reasons. Of course, a

lot of spammers spoof, and legit folks don't, so it stands to reason that

in deploying SPF you will at least stop the influx of spammers who spoof.



One of the reasons SPF should, IMHO, not be equated with 'anti-spam' is

that the 'negative' side is only one part of the equation. Namely, once

you have deployed SPF, and with "pass" determined that a relay is

authorized to use a domain name, you could do 'positive' things with it,

too, like whitelist a particular connection based on the score of a

reputation service. Recently, for instance, I have implemented Meng's new

Karmasphere service, and I am fairly excited about it. :)



I say the use of a reputation service, like that of Meng's, in combination

with SPF, is potentially very valuable. For one, it allows for greater

granularity while examining a client connection. Heretofore, you inspect a

connecting IP address, and that was pretty much it. But now you could have

mail come in from a 'gray' IP address (say a dynamic, residential

address), that you would normally reject, and with the aid of SPF in combo

with a reputation service, selectively say domain 'mybuddies.com' or

'majorisp.com', when authorized and in good standing, are still okay to

connect from that IP(range).



The possibilities of adding "pass-ed" domains to the mix are legio.

Therefore SPF != anti-spam. Also, as you hopefully see from my examples,

very much depends on the MTA, and how their operators will use it.



- Mark

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=78833487-86b5be
Powered by Listbox: http://www.listbox.com


nobody at xyzzy

Dec 22, 2007, 11:47 AM

Post #46 of 50 (3823 views)
Permalink
Re: Re: advice wrong, or is it? [In reply to]

David Woodhouse wrote:

> some people advocate against SPF because of the way it tries to
> retroactively declare 20 years of SMTP behaviour as 'wrong'

Mostly people using some vanity "alumni" forwarder. And RFC 821
never permitted to keep a MAIL FROM as is in *any* relaying, let
alone in forwarding to third parties. RFC 821 had precise ideas
about forwarding, 251 "will do, but please use new address", and
551 "won't do, please try new address".

> the fact that it causes genuineĀ¹ mail to be thrown away.

Nope. In fact SOFTFAIL is more dangerous than FAIL depending on
the *combined* receiver policies. If the MX stamps the mail as
"suspicious", something behind the MX moves "suspicious" to a
corresponding folder, and if "suspicious" normally is spam, then
the user might let the mail rot until it's automatically purged.

OTOH a FAIL is hopefully rejected by the border MTA (accepting
FAIL at the border would be too stupid to discuss it, but it's
of course possible to identify FAIL too late = after SMTP), and
unlike a poor "forwarding" user who might have no idea what SPF
is, the originator is supposed to know how SPF FAIL can result
in "genuine bounces" (for your definition of "genuine").

Frank

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=78837532-5db5d4
Powered by Listbox: http://www.listbox.com


nobody at xyzzy

Dec 22, 2007, 11:57 AM

Post #47 of 50 (3830 views)
Permalink
Re: Re: advice wrong, or is it? [In reply to]

Bill Adragna wrote:

> they'll register a domain a day, publish an SPF record,
> and tomorrow, do it all over again....

That's actually fine for receivers. An SPF PASS means that
they can accept the mail "on probation" and bounce later if
it turns out to be spam: After an SPF PASS the bounce can't
hit an innocent bystander.

Otherwise an SPF PASS from unknown strangers means nothing,
it only means "can bounce / challenge / reply / ... later".

One of the problems with PRA: A PRA PASS from an unknown
stranger means nothing at all, all auto-responses including
bounces go to the MAIL FROM, and that's not necessarily the
same as the PRA.

Frank

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=78840014-7917c3
Powered by Listbox: http://www.listbox.com


nobody at xyzzy

Dec 22, 2007, 12:16 PM

Post #48 of 50 (3827 views)
Permalink
Re: Re: advice wrong, or is it? [In reply to]

Daniel Taylor wrote:

> Eh, there's one in every crowd.

s/one/at least one/ :-)

> the mere thought of changing e-mail to be less permissive than
> STD821/822 makes his skin crawl for less rational reasons.

SPF is more permissive than RFC 821: SPF allows to "aggregate"
unrelated sending MTAs in one "permission" (SPF record). A more
restrictive approach is BATV, and combining BATV with SPF can
make sense for folks who don't need the "aggregation" feature.

IOW if you ever thought about SPF's include:-mechanism then BATV
likely isn't something for you.

Frank

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=78842486-231566
Powered by Listbox: http://www.listbox.com


nobody at xyzzy

Dec 22, 2007, 12:30 PM

Post #49 of 50 (3819 views)
Permalink
Re: advice wrong, or is it? [In reply to]

Julian Mehnle wrote:

> recommending "~all" over "-all" is a bad idea.

It's okay for the audience of this FAQ, "we" also recommend
"~all" for beginners and testing. IMO the Google FAQ isn't
the place to explain SMTP / DNS / SPF details.

>| making it hard to forge From: addresses.

> There's no way to protect the "From:" address via SPF, not
> even via Sender ID / PRA.

They obviously mean the MAIL FROM, talking to an audience
with absolutely no clue about 2821 vs. 2822 From differences.

If I had one free wish wrt Gmail it would be "publish FAIL",
not "update your FAQ with SPF FAIL or SMTP MAIL FROM details".

Frank

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=78844173-302902
Powered by Listbox: http://www.listbox.com


julian at mehnle

Dec 22, 2007, 1:43 PM

Post #50 of 50 (3835 views)
Permalink
Re: advice wrong, or is it? [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey Mark, good to read you once again.

Mark wrote:
> From the very get-go, the SPF community has always been very careful
> not to confuse anti-spam with anti-forgery.

Let's be honest -- this isn't exactly true:

http://web.archive.org/web/20030713124604/http://spf.pobox.com/
http://web.archive.org/web/*/http://spf.pobox.com

This mistake was flushed out of SPF's public relations only gradually in
2004 and 2005. Unfortunately, this miscommunication provoked negative
responses that emphasized that it was spammers in particular who were
adopting SPF early and thus at that time caused a domain having an SPF
record (or even specifically yielding SPF Pass results) to become a good
indication for spam.

Fortunately this is changing. In a very large and semi-representative
data sample, the spam ratio is ~75% for e-mail not covered by SPF (i.e.,
SPF None), ~80% for e-mail covered by SPF (yes, that's still a bit higher
than the no-SPF ratio), and merely ~45%(!) for SPF Pass specifically.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHbYUbwL7PKlBZWjsRAr8aAKDJ0MALvO8Uwa8nwlIOj01rXw5ZpgCfV1mr
gpatSGn9JkBZVFGy3dnnAnQ=
=GAAE
-----END PGP SIGNATURE-----

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=78859302-dcb7b2
Powered by Listbox: http://www.listbox.com

First page Previous page 1 2 Next page Last page  View All SPF discuss RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.