ietf-asrg
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Asrg] Re: Unique innovations made to anti-spam system

2006-01-23 19:06:34
from [Frank Ellermann] [Permanent Link] 
Douglas Otis wrote:


SPF is often open-ended.  This may not offer an assurance of
the return-path either, and failure may also be in error.


The latter would be a case of either an erroneous policy, then
it's the problem of the sender, or checking behind the border,
then it's a problem of the receiver.  Folks who aren't up to
getting it right better stay away from SMTP and DNS, that's no
specific SPF isue.

The former ("open-ended" is your weaselword for MEUTRAL if I
finally got it) is no problem.  Receivers only intrerested in
FAIL can ignore policies without a single "-" qualifier.  And
if they are only interested in PASS they might be also able to
optimize the evaluation.

They can do many interesting things like check only every 112th
mail - just in case because Doug says 112 lookups are the norm.


Rejection based upon SPF has similar problems with erroneous
failures.


Quite the contrary "drop FAIL" is extremely dangerous, reject
is always fine.


SPF depends upon third-parties reading and acting on the
record or perhaps expecting the spammers to have read your
record.


A combination, the spammers can't be sure who does something in
the direction of "drop FAIL" like e.g. SpamAssassin.  While it
is dangerous it has its uses.  Get around SA is the jackpot for
a spammer, trying it with a FAIL-protected address is no plan.


Use of SPF also hopes that no one on your domain is sending
to a forwarded account when closed.


If that's about 1123 5.3.6(a) with both forwarder and next hop
ignoring the issue - as it's their right -, and if the next hop
checks SPF, then FAIL emulates "551 user not local" and works
as designed.  So far I had this once in 20 months, and the 551-
bounce (emulation, actually of course not 551) told me where
to send the message again directly bypassing the forwarder.

The idea behind SPF is pure KISS.  And if you stick to "ip4" in
a policy it's also in practice KISS, at worst you have to know
what a "CIDR" might be.  If you finally get the idea why you
use either "ip4" or "a" or both in a policy you're done.  The
rest of the show like macros, "ptr", and what else is for geeks
or non-trivial mail setups of bigger ISPs with clueful admins.

                              Bye, Frank



_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Asrg] Re: Unique innovations made to anti-spam system, Frank Ellermann
Next by Date:  Re: [Asrg] Unique innovations made to anti-spam system, Michael Kaplan
Previous by Thread:  Re: [Asrg] Unique innovations made to anti-spam system, Peter J. Holzer
Next by Thread:  Re: [Asrg] Re: Unique innovations made to anti-spam system, Douglas Otis
Indexes:  [Date] [Thread] [Top] [All Lists]