ietf-asrg

Re: [Asrg] article: port 25 blocking

2005-04-12 16:40:52
On Tue, Apr 12, 2005 at 02:50:00PM -0700, George Ou wrote:
> > Sorry, this is not how SPF works.

> Says who?

Says me.

> SPF blocks all hosts that are not registered as SMTP servers in
> their domain's authoritative DNS servers.  That DOES make blocking consumer
> outbound 25 moot.

No. *sigh*

Nothing prevents a spammer from getting throwaway domains, adding TTL 300
SPF records and using some 10000 cracked hosts on broadband access to spam.

> I never claimed SPF stops spammers from using stolen SMTP credentials.

But you claim SPF makes port 25 blocking moot. To me there is some kind of
antagonism in this.

> This same issue applies to port 25 blocking as well.

No, it does not apply to port 25 blocking as well.
Port 25 blocking stops dull spammers, stops dull viruses, stops dull botnets
and stops misconfigured hosts. It stops unauthenticated mail injection (usually),
except for smarthosts.
You can't turn a host behind a port 25 block into something that pretends to be
a mailserver and makes connections to other mailservers as if it were itself a
mailserver.

SPF does NOT do any of this, and it breaks widely deployed Internet Mail
Infrastructure.

> SPF does make it possible to block abusive or irresponsible domains.

If this domain uses SPF records, yes. If it doesn't, you have the same situation
as you have now. With less than 0.01% of all domains using SPF records, really a
big win. Deployment is the problem. Without > 80% of all domains deploying SPF
(and SRS) I will never block based on SPF, because I have better things to do
than to talk to 500 business customers a day and explain to them 100 times why
email from an SPF -all domain didn't reach them.

Do you have customers? Do you manage domains for them? Choose 100. Call them and
ask them for information that is needed to add correct and usable SPF records.
Come back in 4 weeks and tell us your results. Call them again in 6 months and
look how much of the information is still accurate.
We're managing only about 20-40000 domains. We have direct customers, we have
resellers. Adding useful SPF records will take *ages*:
    250 working days a year. 
    8 working hours a day
    4 domains per hour (*very* optimistic)
This makes 8000 domains per person per year. With 30000 domains this will make
3.75 years for one person or about 1 year for 4-5 persons. And: this staff has to
be skilled. They have to understand what SPF is, how email works and what IP
addresses are, and they have to be able to ask the correct questions; and you need
large databases of mailservers, because if the customer says "I am using provider
EXAMPLE", you have to know the IP addresses of the outgoing mailservers, and you
need *tight* inter-ISP communication, because you have to change SPF records if
the other ISP changes MTA addresses. To my knowledge there are currently NO such
lists. So before starting the "SPF-for-every-domain" project we should probably
start the "every-ISP-lists-its-mailservers" project (dooh, this would be an
MTAMARK-like list).

Who will pay for this? With USD 5 or 6 for a domain, how do you fund the 15-30
minutes it takes to query the customer for SPF records and add them?

Reality bites.

*sigh* We've been through this a 100 times on this list and on MARID.
Is this Groundhog Day or what?

        \Maex

-- 
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development |       D-80807 Muenchen    | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
 proportional to the amount of vacuity between the ears of the admin"

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
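What the two sides of the thread are arguing about can be made concrete with a small SPF evaluator. This is an added example, not code from the thread or from any of its participants: it replaces live DNS with a constructed in-memory table of SPF records for made-up domains (bank.example, reseller.example, throwaway.example, nospf.example) using RFC 5737/3849 documentation addresses, and it implements only the ip4, ip6, include and all mechanisms of the SPF syntax.

```python
# Added example (not from the ASRG thread): a minimal SPF check_host()
# run against a constructed DNS table. SPF answers exactly one question,
# "did the owner of the MAIL FROM domain authorise this sending IP?".
# The scenarios below show what follows from that: a forged bank domain
# fails, but the same cracked broadband host sending under the spammer's
# own throwaway domain passes, a domain without a record yields "none",
# and legitimate mail forwarded without SRS fails a "-all" policy.
import ipaddress

# Constructed, offline stand-in for DNS TXT lookups (assumption: these
# domains and records exist only in this example).
DNS_TXT = {
    "bank.example":      "v=spf1 ip4:192.0.2.10 ip4:192.0.2.11 -all",
    "reseller.example":  "v=spf1 include:bank.example -all",
    # throwaway domain registered by the spammer, authorising the
    # address ranges his cracked broadband hosts sit in
    "throwaway.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:bad::/48 ~all",
    "nospf.example":     None,
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Return the SPF result for MAIL FROM domain `domain` sent from `ip`.

    Results: none, pass, fail, softfail, neutral, permerror. Only the
    ip4, ip6, include and all mechanisms are handled; include depth is
    capped in place of the RFC 4408 DNS-lookup limit.
    """
    if depth > 10:
        return "permerror"
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    sender = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"                       # default qualifier is "+" (pass)
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            return QUALIFIERS[qual]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if sender.version == net.version and sender in net:
                return QUALIFIERS[qual]
        elif mech == "include":
            # include: matches only if the referenced domain yields "pass"
            if check_host(ip, arg, depth + 1) == "pass":
                return QUALIFIERS[qual]
        else:
            return "permerror"           # a, mx, ptr, exists: not implemented here
    return "neutral"                     # nothing matched and no "all" term


def scenarios():
    """The cases argued over in the thread, run against the constructed table."""
    cracked_host = "198.51.100.77"       # consumer broadband host in a botnet
    return {
        # bank's own outbound MTA
        "bank_own_mta":       check_host("192.0.2.10", "bank.example"),
        # cracked host forging bank.example: this is what SPF catches
        "bank_forged_by_bot": check_host(cracked_host, "bank.example"),
        # same cracked host, but sending under the spammer's own domain
        "bot_own_domain":     check_host(cracked_host, "throwaway.example"),
        "bot_own_domain_v6":  check_host("2001:db8:bad::42", "throwaway.example"),
        # domain without a record: no information, same situation as today
        "domain_without_spf": check_host(cracked_host, "nospf.example"),
        # bank.example mail relayed by a forwarder without SRS: hard fail
        "forwarded_no_srs":   check_host("203.0.113.5", "bank.example"),
        # reseller domain delegating to the provider's MTAs via include:
        "reseller_include":   check_host("192.0.2.11", "reseller.example"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:20} {result}")
```

The two results worth comparing are `bank_forged_by_bot` (fail) and `bot_own_domain` (pass): the same cracked host is blocked only while it forges a domain it does not control, and a port 25 block on that host's access network would stop both sends regardless of what any TXT record says. The `forwarded_no_srs` case is the helpdesk scenario from the mail, and `domain_without_spf` is the "same situation as you have now" case.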