spf-discuss

Re: Large address scope problem

2004-06-14 16:32:06
On Jun 14, 2004, at 9:46 AM, Gary Levell wrote:

> By which I assume you mean that if someone wishes to publish a policy
> that maps to a large segment of the internet, then it's the receiver's
> right to refuse to accept email from them?

> After discussion in our team, we think this is a good idea, and will
> almost certainly offer this as an option in our product. Even though the
> SPF module would still indicate a "pass", we plan to augment that pass
> with a "scope" value which would be the scope of the passing mechanism,
> and then further action can be taken, including a rejection.

It certainly makes sense to consider some SPF records so peculiar as to be suspicious, but I do think that the problem you are trying to solve is a self-created problem. Specifically the problem arises only if you somehow treat an SPF pass as meaning more than it really does.

> It might seem that a local policy could do this when the "offending"
> domains are located, but the fact is that many of our customers are
> neither computer literate nor mail system administrators, nor
> particularly interested in SPF/anti-spam.

If you support a way for users to say "this is spam" in your product, then you could have that blacklist domains that appear to authorize spam "from" their domain.

Since you are clearly talking about a product that works with MS-Exchange, please tell us that if it leads to mail being rejected that it does the reject during the SMTP transaction and doesn't do an "accept and then bounce".

> I'd still like people's feedback on what they _think_ might constitute
> an unacceptable portion of the internet. Notwithstanding the power-of-2
> issues, I'd expect this number to be fairly large (/20?)

The general approach people have been taking is that we shouldn't second guess too much what people might do. Suppose uunet.net felt it reasonable to set up an SPF record that covered everything under its wing. It would be huge. Now I'm sure that plenty of us would consider blocking uunet mail anyway, but because of what they allow from their network and not because of how they describe it.

If you could implement something like the semi-automated blacklisting I described above, that would address the real problem instead of trying to heuristically judge which domains are up to no good from the SPF records alone.

-j

--
Jeffrey Goldberg                        http://www.goldmark.org/jeff/
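The two ideas in this exchange, Gary's "pass plus scope" augmentation and Jeff's suggestion of blacklisting domains whose SPF record authorized mail that users reported as spam, as an added Python example that is not part of the original thread or of any product discussed in it. It evaluates only the ip4/ip6 mechanisms of an SPF record (mechanisms that need DNS lookups such as a, mx and include are skipped), returns the prefix length of the passing mechanism as the "scope", and applies a local policy with the /20 threshold Gary floated. The domain names, records, thresholds and the IPv6 limit are constructed assumptions for the example.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed sample SPF records for hypothetical domains (not real DNS data).
SAMPLE_RECORDS = {
    "small.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/48 -all",
    "broad.example": "v=spf1 ip4:198.18.0.0/15 ~all",
}

# Local-policy knobs: a pass from a mechanism broader than this prefix length
# is flagged. /20 is the figure from the thread; the IPv6 value is an assumption.
MAX_PASS_PREFIX_V4 = 20
MAX_PASS_PREFIX_V6 = 48

_QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate(record: str, client_ip: str) -> Tuple[str, Optional[int]]:
    """Match client_ip against the ip4/ip6/all mechanisms of one SPF record.

    Returns (result, scope): result is 'pass', 'fail', 'softfail', 'neutral'
    or 'none'; scope is the prefix length of the mechanism that matched
    ('all' counts as prefix 0, the widest possible), or None if nothing did.
    """
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ("none", None)
    for term in terms[1:]:
        qualifier = "+"  # SPF default qualifier is '+'
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return (_QUALIFIER_RESULT[qualifier], 0)
        if name not in ("ip4", "ip6"):
            continue  # a, mx, include, exists, ptr need DNS; out of scope here
        try:
            net = ipaddress.ip_network(arg, strict=False)
        except ValueError:
            continue  # malformed term; a full checker would return permerror
        if ip.version == net.version and ip in net:
            return (_QUALIFIER_RESULT[qualifier], net.prefixlen)
    return ("neutral", None)  # no mechanism matched and no 'all' present


def local_policy(result: str, scope: Optional[int], ip_version: int) -> str:
    """Turn an SPF result plus scope into a local disposition.

    Only a pass is examined further: a pass from a mechanism wider than the
    configured threshold is reported as 'pass-too-broad' so the caller can
    apply extra checks or reject at SMTP time, rather than trusting it more.
    """
    if result != "pass" or scope is None:
        return "spf-" + result
    limit = MAX_PASS_PREFIX_V4 if ip_version == 4 else MAX_PASS_PREFIX_V6
    return "pass-too-broad" if scope < limit else "pass"


def check(domain: str, client_ip: str, records: Dict[str, str] = SAMPLE_RECORDS) -> str:
    """Convenience wrapper: look up the constructed record and apply policy."""
    record = records.get(domain)
    if record is None:
        return "spf-none"
    result, scope = evaluate(record, client_ip)
    return local_policy(result, scope, ipaddress.ip_address(client_ip).version)


def record_spam_report(domain: str, spf_result: str, counts: Dict[str, int],
                       threshold: int = 3) -> bool:
    """Semi-automated blacklisting: count user spam reports only for mail the
    domain's own SPF record authorized (result 'pass'). Returns True once the
    domain has reached the threshold and should be added to the local blacklist.
    """
    if spf_result != "pass":
        return False  # forged sender; the domain did not authorize this mail
    counts[domain] = counts.get(domain, 0) + 1
    return counts[domain] >= threshold


if __name__ == "__main__":
    for dom, ip in [("small.example", "192.0.2.10"), ("broad.example", "198.19.1.1"),
                    ("small.example", "203.0.113.5"), ("small.example", "2001:db8::1")]:
        print(dom, ip, check(dom, ip))
```

The scope value is deliberately kept separate from the SPF result: the result still says what the domain's record says, and the breadth judgement is a local decision layered on top, which is the distinction Jeff is drawing about not reading more into a pass than it carries.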