
Re: [Asrg] SPF is only useful to dupe the ignorant...

2004-09-10 18:49:45

On September 11, 2004 at 00:23 asrg@johnlevine.com (John Levine) wrote:
> Why do you think ATT is going to publish SPF records for
> adsl-24-73-19-222.att.net?  Do you think they _want_ to validate
> outgoing email from that domain?
>
> It's their dsl customer, why wouldn't they?
>
> I am not a big fan of SPF, but it sounds like you're misunderstanding
> what it does.  SPF is a map from the domain in a bounce address to a
> set of IP addresses.  The SPF entry for worldnet.att.net or for
> att.net is going to list AT&T's outbound mail servers, not the whole
> DHCP farm.  There probably wouldn't be an entry for adsl-24-73-19-222.att.net
> since you don't see much mail from fred@adsl-24-73-19-222.att.net.

Who says you (the public "you") don't see much mail from
fred@adsl-24-73-19-222.att.net?

I see bazillions of msgs per day from addresses like that here. Much
of it non-US (so let's not quibble .att.net, it's more likely to be
.tiscali.nl or .chello.de or ocn.ne.jp etc).

So let's say they have 2 million dhcp pool customers (dsl, ppp, cable)
who for years have been sending out mail directly which automatically
gets addressed as fred@cable-24-33-8.100.wandoo.fr.

They haven't opted to block port 25, quite possibly because they don't
have the infrastructure to support that relaying and don't want to
build one, BUT WHATEVER, policy, that's their marketing (I know of one
cable provider who seems to, well, not quite promise, but sell on
never blocking port 25 but I guess these things change.)

So as SPF is deployed what happens?

Either SPF records are published for all of them, or maybe somehow
only those which need it, or slowly but surely these customers find
their email seemingly randomly rejected because of SPF NAKs and now
have to understand this and react to it?

What a joy that'll be for the support desks.

Has anyone worked any of this out? Why do I get the feeling that, at
this rather late date in SPF's development, all these questions remain
unanswered?

> One thing that SPF doesn't do very well (nor do most of its
> competitors) is to provide an efficient way to denounce mail from your
> subdomains.  It's easy enough to say no mail, that's "-all", but you
> have to put the SPF record on every subdomain that a bad guy might
> use.  You can try to use DNS wildcards, but you still need an SPF
> record for each name for which you have an A record or anything else,
> so the DNS bloat is severe.
>
> This isn't SPF's worst problem, the large amount of real mail that it
> marks as bogus is much worse.

I agree this isn't SPF's worst problem, but there's something here
that does need to be explored.

> Regards,
> John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
> Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
> "I shook hands with Senators Dole and Inouye," said Tom, disarmingly.


-- 
        -Barry Shein

Software Tool & Die    | bzs@TheWorld.com           | http://www.TheWorld.com
Purveyors to the Trade | Voice: 617-739-0202        | Login: 617-739-WRLD
The World              | Public Access Internet     | Since 1989     *oo*
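An added illustration, not part of the thread, of the subdomain point John raises above: under the DNS wildcard rules (RFC 1034/4592) a `*.example.net` SPF record is only synthesized for names that do not exist at all, so every hostname that already owns an A record, and every empty non-terminal above a hostname, needs its own explicit record before "-all" applies to it. The zone below is constructed sample data with hypothetical names; it is not anyone's real zone.

```python
# Constructed sample zone (hypothetical names): owner name -> {rrtype: value}.
# A TXT value beginning "v=spf1" is treated as that name's SPF policy.
ZONE = {
    "example.net": {"SOA": "ns1 hostmaster 1", "MX": "mail.example.net",
                    "TXT": "v=spf1 mx -all"},
    "mail.example.net": {"A": "192.0.2.25", "TXT": "v=spf1 a -all"},
    "www.example.net": {"A": "192.0.2.80"},
    "adsl-24-73-19-222.example.net": {"A": "192.0.2.222"},   # a DHCP-pool host
    "host.dhcp.example.net": {"A": "192.0.2.7"},             # makes dhcp.example.net an empty non-terminal
    "*.example.net": {"TXT": "v=spf1 -all"},                 # the wildcard "deny everything else"
}

def name_exists(zone, name):
    """True if `name` owns records or is an ancestor of a name that does
    (an empty non-terminal). Wildcard owners are ignored for this purpose."""
    return any(o == name or o.endswith("." + name)
               for o in zone if not o.startswith("*."))

def spf_record(zone, name):
    """Return the SPF TXT a verifier would obtain for `name`, or None (SPF 'none')."""
    if name in zone:                       # real owner: NODATA if no SPF TXT here
        txt = zone[name].get("TXT")
        return txt if txt and txt.startswith("v=spf1") else None
    if name_exists(zone, name):            # empty non-terminal: NODATA, no wildcard
        return None
    labels = name.split(".")               # nonexistent name: find the closest encloser
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if name_exists(zone, ancestor):    # only "*.<closest encloser>" can match
            txt = zone.get("*." + ancestor, {}).get("TXT")
            return txt if txt and txt.startswith("v=spf1") else None
    return None

def uncovered_names(zone):
    """Owners with an A or MX record (usable in a bounce address) but no SPF policy:
    each of these needs its own TXT record, which is the 'DNS bloat' in the thread."""
    return sorted(n for n, rr in zone.items()
                  if not n.startswith("*.") and ("A" in rr or "MX" in rr)
                  and spf_record(zone, n) is None)

if __name__ == "__main__":
    for n in ["mail.example.net", "adsl-24-73-19-222.example.net",
              "nosuchhost.example.net", "dhcp.example.net", "x.dhcp.example.net"]:
        print(f"{n:35} -> {spf_record(ZONE, n)}")
    print("need explicit SPF records:", uncovered_names(ZONE))
```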

_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg