ietf-mxcomp
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: MTAmark (was: Reality check please)

2004-06-15 02:00:00
from [Hector Santos] [Permanent Link] 


----- Original Message ----- 
From: "Markus Stumpf" <maex-lists-email-ietf-mxcomp(_at_)Space(_dot_)Net>
To: "IETF MARID WG" <ietf-mxcomp(_at_)imc(_dot_)org>
Sent: Monday, June 14, 2004 3:10 PM
Subject: Re: MTAmark (was: Reality check please)



On Sat, Jun 12, 2004 at 03:06:39AM -0400, Hector Santos wrote:



Give me one site that really utilizes the client side of SPF?

Not sure what this question ask.


Let me see one serious site that rejects mail from AOL.com because the IP
that sent the message was not on the SPF list.


The continued embedded usage of tthe word "serious" keeps me scratching my
head <smile>

The mere fact a mail server is made part of the common and world wide
network, makes it a "serious" operation with standards and BCP
responsibilities.  I don't mind saying (because I believe it very strongly),
putting up a mail server with the intent of running a mail operation but
failing to adhere to common practice and standards, well, is bordeline
unethical and malpractice that puts you at risk with your peers.   You seem
to put alot of weight on the "its my ball" syndrome with a heavy weight
placed on a system admin (you)  policy to decide what mail transactions are
acceptable.  However, from what I have seen and personally experienced, it
is all based on some criterias that in my view, "serious" mail server
operations do not usually typically use.  Auto-generated permanent blocks
based on what I believe are weak criterias is what I see on your system.
Oh well,  its your toy.  <g> As long as you keep your automated blocking
methods to your system only, thats fine.  But once you get into the game of
passing on this highly false "blocking IP database" information to a public
and general database, well, that is just plain "wrong."

Anyway,  AOL?

Markus, in this case, if the sender IP using a AOL sender domain is not
validated by the AOL SPF policy, then for this specific situation,  you have
AOL neutral result.  A no-decision based on a SPF neutral criteria.  This
alone can not be used for rejection per AOL's SPF policy.

But any "serious" anti-spam system is not going to rely solely on SPF or
MARID, period.  It doesn't solve or cover all possibilties, so you need to
incorporate other methods as well.

There would be several ways to reject this:

o Use popular RBL sites to cover the known reputation of the IP.
o Use Local Domain/IP spoof checking.  MARID/SPF not required.
o or use a CBV against AOL's local user validation which they support.

-- 
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Alternative to TXT or new RR, Matthew Elvey
Next by Date:  Re: Reality check please (You set me up! Thanks!), Matthew Elvey
Previous by Thread:  Re: MTAmark (was: Reality check please), Markus Stumpf
Next by Thread:  Re: MTAmark (was: Reality check please), Jon Kyme
Indexes:  [Date] [Thread] [Top] [All Lists]