RE: Wide-Open MARID
2004-05-30 08:38:19

"Sauer, Damon" <Damon(_dot_)Sauer(_at_)BELLSOUTH(_dot_)COM> wrote:

> I am sorry that obviously none of you who have told me to "just block by domain" or "let the reputation filter handle it" do this stuff for a living or on any sort of volume scale, because if you did, you would know how insane that sounds. Limiting SPF to class C addresses does not break anything... it is an enhancement. It allows me to do MY job efficiently and effectively. I sure hope that most in this group will step back, take a look at what they are suggesting, imagine the poor shmoe that has to implement and administer it (please assume that he or she has a life), then modify it accordingly (which is all I am trying to accomplish here).
>
> If SPF was implemented tomorrow and everyone put a record of +all - SPF means nothing, does nothing, can do... nothing. It can't even legitimize the IP that it is coming from... which is its whole purpose. Legitimate mailers who do not want to be spoofed will limit their SPFs to class C anyway. Why not make it a requirement?
>
> I am truly interested in the work this group is doing. I also want to ensure the "product" is viable, implementable, valuable, and sane.

I think the decision about what kind of MARID records are "OK" or "Too wide open" should be left to the receiver. I would like to provide the mechanism, and I think we should steer clear of any policy pronouncement about what is too generous or not. Perhaps that could appear in a separate draft filed as "best practices".

Probably the best way to implement a policy like that, where a sender says "ip4:0.0.0.0/0" or just +all, would be to pretend that record didn't exist, and treat the mail as unknown... but some receivers might treat that with more prejudice and refuse all mail from that domain. I don't want to make that decision for them either.

> But again, I was not asking about them in my original post. I was asking (and I will ask again): Can we limit SPFs to Class C addresses? If the answer is "No," then thank you very much; I will consider anyone with over /24 or +all as a spammer and block them. Darn, THAT was easy!

I understand what you mean. You may decide to modify that as time goes on... many large companies own a /19 or even a /16 and may list that. Anyone with their own AS number, who wants to announce their own routes and use multiple ISPs to connect the same IP space up, will probably need to announce a full /20 at least... most peer ISPs will drop routes longer than /20.

I think we can all agree, MARID will be one tool among many, and won't solve ALL your problems. Most folks will probably still use IP-DNSBLs, and hopefully RHSBLs will become even more useful. I would also like a way to block any domain served by the spammer's NS server. But those are not core to our concern here.

--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
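The receiver-side policy discussed above (treat a record that grants the whole Internet, such as "+all" or "ip4:0.0.0.0/0", as if no record had been published, and optionally refuse anything broader than /24) can be expressed as a small local check. The code below is an added example written for this page, not code from the MARID thread or from any SPF implementation; the prefix thresholds, the sample records and the connecting addresses are constructed for the example, and only the ip4, ip6 and all mechanisms are evaluated because a, mx and include would require DNS lookups.

```python
"""Receiver policy for "wide-open" SPF records (added example, not from the thread).

A record whose pass-grants cover the whole Internet (+all, ip4:0.0.0.0/0) or a
prefix broader than the receiver's threshold is treated as if it did not exist,
so the evaluation result is "none" instead of "pass". The thresholds below are
the receiver's own policy knobs, not protocol constants.
"""
import ipaddress

# Assumed receiver policy: longest acceptable prefix is /24 for IPv4 (the
# "class C" limit argued for in the thread) and /64 for IPv6.
MAX_IPV4_SPAN = 24
MAX_IPV6_SPAN = 64

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a 'v=spf1 ...' TXT record into (qualifier, mechanism, argument) tuples.

    Modifiers of the form name=value (redirect=, exp=) are skipped; a missing
    qualifier defaults to '+' as in the SPF specification.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        if "=" in term:
            continue
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qualifier, mech.lower(), arg))
    return parsed


def wide_open_reasons(record):
    """Return the pass-granting mechanisms that exceed the receiver's policy."""
    reasons = []
    for qualifier, mech, arg in parse_spf(record):
        if qualifier != "+":            # only outright grants matter here
            continue
        if mech == "all":
            reasons.append("+all grants every sender")
        elif mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                reasons.append(f"unparseable {mech}:{arg}")
                continue
            limit = MAX_IPV4_SPAN if net.version == 4 else MAX_IPV6_SPAN
            if net.prefixlen < limit:
                reasons.append(f"{mech}:{arg} broader than /{limit}")
    return reasons


def check_sender(ip, record):
    """Evaluate a connecting IP against the record under the receiver policy.

    Returns "none" when the record is wide open (pretend it was never published),
    otherwise the result of the first matching ip4/ip6/all mechanism, or
    "neutral" when nothing matches.
    """
    if wide_open_reasons(record):
        return "none"
    addr = ipaddress.ip_address(ip)
    for qualifier, mech, arg in parse_spf(record):
        if mech == "all":
            return RESULT_FOR_QUALIFIER[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                continue
            if addr.version == net.version and addr in net:
                return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"


# Constructed sample records using documentation address ranges.
SAMPLE_RECORDS = {
    "tight": "v=spf1 ip4:192.0.2.0/24 -all",
    "wide_all": "v=spf1 +all",
    "wide_net": "v=spf1 ip4:0.0.0.0/0 -all",
    "big_block": "v=spf1 ip4:198.51.100.0/19 -all",
}

if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        print(name, check_sender("198.51.100.7", rec), wide_open_reasons(rec))
```

The /24 threshold is deliberately a single constant so that a receiver who later accepts the point about /19 and /16 allocations can relax it without touching the evaluation logic; a stricter receiver can equally map "none" to a rejection in their own policy layer.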