--On 22 January 2009 02:02:29 +0000 John Levine <johnl(_at_)taugh(_dot_)com>
wrote:

For senders that are on its whitelist, AOL reverse engineers the IP
addresses to whitelist from the sender's SPF records, which is way
easier all around than the former mostly manual system.

Since S-ID falls back to SPF records, most senders just publish one set
of SPF records for both. Note that neither of these are using SPF for
its nominal purpose; I'm not aware of any large system that does.

They're using it for whitelisting purposes instead of its nominal
purpose? That's exactly what I'm discussing.

Every once in a while, AOL fetches the SPF records for senders in
their whitelist, crunches them to get a set of IP addresses, and then
puts those IP addresses into their whitelist. AOL's whitelisting
process is based on IPs, with the SPF bit merely being a cheap way for
senders to tell AOL what IPs they use. They do not use SPF
per-message, nor as far as I can tell do they make any attempt to
match up the bounce address on incoming mail to the domain from which
they got the IP in the whitelist.

Aren't the two things functionally equivalent? Oh, I guess that they're
effectively whitelisting ALL email from IP addresses for which they trust
ANY domain. I hope they've got some process that prevents them falling foul
of the obvious attack.

I think SPF has a bad reputation in some quarters because people
think of how it breaks forwarding (etc).

It could be somewhat useful for whitelisting some kinds of mail. Too
bad it's been so egregiously oversold.

Agreed. It's exactly why publication of SPF records (with ~all) should be
encouraged. Once people get the hang of that, and using MSA, we'll be in a
world where -all records will be less risky.
R's,
John
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
--
Ian Eiloart
IT Services, University of Sussex
x3148
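
An added illustration (not part of the thread, and not AOL's code) of the two behaviours discussed above: flattening whitelisted senders' SPF records into an IP set, versus binding the decision to the bounce domain. All records, domains and function names are constructed for the example, and only the `ip4:` and `include:` mechanisms are handled.

```python
import ipaddress

# Constructed TXT records standing in for DNS (documentation ranges, example domains).
SPF = {
    "bank.example": "v=spf1 ip4:192.0.2.10 include:_spf.esp.example ~all",
    "_spf.esp.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "unknown.example": "v=spf1 include:_spf.esp.example ~all",
}
WHITELISTED_DOMAINS = ["bank.example"]  # hypothetical receiver-side sender whitelist

def spf_networks(domain, seen=None):
    """Flatten the ip4: and include: mechanisms of a domain's record into networks."""
    seen = set() if seen is None else seen
    if domain in seen or domain not in SPF:  # include-loop guard / no record published
        return set()
    seen.add(domain)
    nets = set()
    for term in SPF[domain].split()[1:]:  # skip the "v=spf1" version tag
        if term.startswith("ip4:"):
            nets.add(ipaddress.ip_network(term[4:], strict=False))
        elif term.startswith("include:"):
            nets |= spf_networks(term[8:], seen)
    return nets

def build_ip_whitelist(domains):
    """Periodic job: crunch the whitelisted senders' records into one IP set."""
    nets = set()
    for d in domains:
        nets |= spf_networks(d)
    return nets

def ip_only_accepts(client_ip, whitelist):
    """IP-based decision: the bounce address is never consulted."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in n for n in whitelist)

def domain_bound_accepts(client_ip, mail_from_domain):
    """Per-message variant: the IP must be authorized for a whitelisted bounce domain."""
    if mail_from_domain not in WHITELISTED_DOMAINS:
        return False
    return ip_only_accepts(client_ip, spf_networks(mail_from_domain))

WL = build_ip_whitelist(WHITELISTED_DOMAINS)
```

With these constructed records, mail from the shared range 198.51.100.0/24 passes the IP-only check whatever its bounce domain, while the domain-bound check rejects it for `unknown.example`.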