ietf-asrg

Re: [Asrg] article: port 25 blocking

2005-04-12 18:05:40
On Tue, Apr 12, 2005 at 04:41:28PM -0700, George Ou wrote:
> Most people already manage their own DNS when they sign up with a hosting
> service via web interface.  Since they're already managing their MX records
> now, no reason they can't manage their own SPF records.

MX != outgoing SMTP

> There are even
> automated web interface wizards that help users generate SPF records for
> their DNS servers.  If a user is a clueless user that uses a brain dead
> script to set up their domain, simply have the brain dead script
> automatically add the SPF records in addition to the MX records.

Again, MX != outgoing SMTP for large parts of the Internet.
Call your provider and request a list of outgoing SMTP IP addresses and see what
you get. And remember, the IP address you use for a smart/relay may be totally
different from what the outgoing IP of that server is.

> Those
> people are probably using your standard relay servers anyways so it's fairly
> easy to use default settings.

No, a not so small number of them aren't using any of our MTAs at all.

And again: changing IPs for MX servers is easy. The MX carries that name, change
the IP for that name, done. All you have to do is change ONE A record in ONE
zone.
SPF records carry IP addresses. Changing/adding/deleting the IP address of an
outgoing MTA of an ISP requires ALL zones that list (or don't yet) that IP
address in the SPF records to be changed. Even all the SPF records in domains
that are NOT under control by the ISP providing the outgoing mailservers.

Btw.
    Return-Path: <george_ou(_at_)netzero(_dot_)com>
    DomainKey-Status: no signature
    Received: from smtp812.mail.sc5.yahoo.com (66.163.170.82)
      by moebius.space.net with SMTP; 12 Apr 2005 23:41:32 -0000

I can't find SPF records for netzero.com. Your mail routing is a very good
example. You send via Yahoo and you receive via mx.lax.untd.com and
mx.nyc.untd.com. Contact Yahoo and try to get a list of IPs and add SPF
records.

Don't just talk, act and add "-all" SPF records to netzero.com. (also note that
adding one for the domain is NOT enough, you have to add SPF records for all RRs
in that domain or they may be abused).

        \Maex

-- 
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development |       D-80807 Muenchen    | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
 proportional to the amount of vacuity between the ears of the admin"

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
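
An added example, not part of the original message: a small audit over constructed zone data illustrating the two maintenance points raised above, namely which names hard-code an outgoing MTA address in `ip4:` mechanisms (and so all need editing when that address changes), and which names in a domain lack a "-all" record. The zone names, addresses and function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample zone data (documentation names and addresses, not taken
# from the thread): owner name -> record type -> values.
ZONES = {
    "example.com": {"TXT": ["v=spf1 ip4:192.0.2.25 -all"]},
    "example.org": {"TXT": ["v=spf1 ip4:192.0.2.16/28 -all"]},
    "example.net": {"TXT": ["v=spf1 ip4:198.51.100.7 ~all"]},
    "mail.example.net": {"A": ["203.0.113.11"], "TXT": ["v=spf1 -all"]},
    "www.example.net": {"A": ["203.0.113.10"]},
}

def spf_record(rrset):
    """Return the SPF policy string published at a name, or None."""
    for txt in rrset.get("TXT", []):
        if txt.split()[:1] == ["v=spf1"]:
            return txt
    return None

def ip4_networks(spf):
    """Networks named by ip4: mechanisms, with any qualifier stripped."""
    nets = []
    for term in spf.split()[1:]:
        mech = term.lstrip("+-~?")
        if mech.lower().startswith("ip4:"):
            nets.append(ipaddress.ip_network(mech[4:], strict=False))
    return nets

def names_listing_ip(zones, ip):
    """Names whose SPF record hard-codes `ip`; each needs an edit if it moves."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for name, rrset in zones.items():
        spf = spf_record(rrset)
        if spf and any(addr in net for net in ip4_networks(spf)):
            hits.append(name)
    return sorted(hits)

def names_without_hard_fail(zones, domain):
    """Names at or under `domain` with no SPF record, or one not ending in -all."""
    flagged = []
    for name in sorted(zones):
        if name == domain or name.endswith("." + domain):
            spf = spf_record(zones[name])
            if spf is None or spf.split()[-1] != "-all":
                flagged.append(name)
    return flagged

if __name__ == "__main__":
    print("edit if 192.0.2.25 changes:", names_listing_ip(ZONES, "192.0.2.25"))
    print("no -all under example.net:", names_without_hard_fail(ZONES, "example.net"))
```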