ietf-asrg

[Asrg] Re: Unique innovations made to anti-spam system

2006-01-23 18:20:34
Douglas Otis wrote:

SPF has a required minimum of more than hundred lookups

A _maximum_ 112, 2 + 10 mx mechanisms, each MX with 10 names.
The minimum is 2 lookups (policy with only ip4, ip6, all), as
for my address if used as Return-Path.  In practice 1 lookup
(TXT RR) for those who don't use the new SPF type 99 RR yet.

then _may_ be related to either return-path or the PRA.

A receiver _may_ of course do anything that pleases him, but a
decent random generator should be cheaper and faster than the
mentioned lookups.

SPF may produce erroneous results in some cases, such as
when applied to the PRA

NOT RECOMMENDED.  Same argument as above, same reply as above,
why not simply use a random generator for bogus results?

or 1123 5.3.6(a).

There are no erroneous results after 1123 5.3.6(a), it emulates
a "551 user not local" if the receiver screws up and tests SPF
behind his border.  Working as designed.

SPF may provide open-ended authorizations to enable
alternative providers which perhaps also attracts abuse

NEUTRAL results are by definition the same as NONE, what you'd
get for no policy at all.  If it's neither PASS nor FAIL it's
like no policy.  Nothing in NEUTRAL / NONE can "attract" abuse.

Unless it's a spammer who has learned why avoiding FAIL is a
good idea, that would be another case of working as designed.

Another potential problem occurs when SPF is considered a
verification of email-address to justify the accrual of
reputation, which is dangerous in most shared environments.

Arranging for a good PASS (= white listed by receivers) and
then becoming a zombie is of course bad.  Paranoid folks can
use NEUTRAL for shared servers until the corresponding MSA
supports "enforced submission rights" 2476bis 6.1

BATV, much like VERP, offers a solution for preventing any
"back-scatter" problem from affecting the users.

No, unlike SPF it catches 100% of all identified bogus bounces.

It doesn't catch unidentified backscatter, and it doesn't help
to reject forged Return-Paths a.s.a.p.  The latter includes
all cases where forged Return-Paths are _not_ bounced but make
it to their primary victims, BATV doesn't help with that part.

SPF FAIL at least offers to help for all who support it.  For
the actual phase of the game it's simple for all spammers to
avoid FAIL-protected addresses, just forge another unprotected
Return-Path:  Working as designed.

Probably there will be a "next phase", but I don't worry about
it until the unprotected addresses become a rare resource.  Bye



_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
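
Added example, not part of the original message or of any SPF implementation: a Python sketch of the lookup accounting in the reply above (2 queries to fetch a policy via TXT plus type 99, 1 MX query plus up to 10 name lookups per mx mechanism, at most 10 DNS-using terms per check). The `ZONE` dict, the domain names and the function name are constructed for illustration; counting `a` and `exists` as one query each, giving `ptr` the same cost as `mx`, and ignoring `exp=` are assumptions.

```python
import re

MAX_DNS_TERMS = 10  # DNS-using terms allowed per SPF check
MAX_NAMES = 10      # names resolved per mx (or ptr) mechanism
# Queries per term: one for a/exists; one MX/PTR query plus its names.
COST = {"a": 1, "exists": 1, "mx": 1 + MAX_NAMES, "ptr": 1 + MAX_NAMES}


class PermError(Exception):
    """Policy needs more DNS-using terms than one check may evaluate."""


def worst_case_lookups(domain, zone, fetch_cost=2, _state=None):
    """Upper bound on DNS queries needed to evaluate domain's policy.

    zone: constructed dict of domain -> SPF record text (stands in for DNS).
    fetch_cost: 2 when both TXT and type 99 are queried, 1 for TXT only.
    """
    state = {"terms": 0} if _state is None else _state
    total = fetch_cost
    record = zone.get(domain, "")
    if not record.startswith("v=spf1"):
        return total  # no policy found: result NONE after the fetch
    for term in record.split()[1:]:
        name, arg = re.match(r"([a-z0-9]*)[:=]?([^/]*)",
                             term.lstrip("+-~?").lower()).groups()
        if name not in COST and name not in ("include", "redirect"):
            continue  # ip4, ip6, all: no DNS needed
        state["terms"] += 1
        if state["terms"] > MAX_DNS_TERMS:
            raise PermError(f"{domain}: more than {MAX_DNS_TERMS} DNS terms")
        if name in COST:
            total += COST[name]
        else:  # include / redirect: fetch and evaluate the target policy
            total += worst_case_lookups(arg, zone, fetch_cost, state)
    return total


# Constructed sample policies
ZONE = {
    "min.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "max.example": "v=spf1 " + "mx " * 10 + "-all",
    "over.example": "v=spf1 " + "mx " * 11 + "-all",
    "inc.example": "v=spf1 include:min.example a -all",
}

if __name__ == "__main__":
    for d in ("min.example", "max.example", "inc.example"):
        print(d, worst_case_lookups(d, ZONE))
```

The term counter is shared across `include` and `redirect`, so a policy that includes itself ends in `PermError` instead of recursing without bound.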