[Top] [All Lists]

Re: SPF I-D for review: draft-schlitt-spf-classic-00.txt

2005-03-04 15:37:37

In <200503040820(_dot_)22493(_dot_)blilly(_at_)erols(_dot_)com> Bruce Lilly 
<blilly(_at_)erols(_dot_)com> writes:

On Fri March 4 2005 00:19, Keith Moore wrote:
Well, current SMTP specifications allow for anyone to use any domain
in either the rfc2821 identities, or any place in rfc2822.  All
authentication schemes intend to change that.

AFAIK, none of SSL, TLS, or SMTP AUTH make any such change.

well, it depends on what you mean by "being able to use any domain"

Well, that was Wayne's comment.  From my perspective (as a mobile
user (i.e. connecting via an unpredictable IP address) with need
to use only a few domain names) I'd phrase the issue as "being
able to use any IP address"; and that's where SPF utterly fails.

I don't believe that SPF utterly fails for roaming users.  There are
many options for you to use.

For example, you can use SMTP AUTH over the SMTP submission port to
always submit your email to an acceptable MSA instead of using your
ISP's MTA.  While there are many ISPs that block port 25, there is no
reason to block port 587 and almost no one does.

Another option is to give neutral results on other IP addresses.  You
can even do something like:

        v=spf1 mx -exists:%{ir} ?all

This give positive results for certain IP addresses, negative results
for those most likely to be abusive, and neutral results for everyone
else.  Note that since the domain's MTA addresses are checked before
the DNSBL check, you can use pretty aggressive DNSBLs with out fear of
the domain's MTA being listed on the DNSBLs.

With more work, you can create specialized DNS servers and use the
exists: mechanism to do some fancy things.  About a year ago, someone
created a "rate limiting" DNS server, so you could do something like:

        v=spf1 mx exists:${ir}._spf_rate.%{d} -all

The DNS server was put on the subdomain _spf_rate, and it would allow
only a few emails per hour from a given IP address.  This allows
roaming users to send a few emails, but prevent spammers from sending
lots of email using their domain.

Similar techniques can be used check for a special token in the return
path and allow email using it.  One person was working on creating
something similar to SMTP-after-POP, which would authorize an IP
address via a specialized DNS server after a POP.

All of these techniques have been known/discussed for well over a