spf-discuss

RE: spf-draft-200404.txt -- Happy spammers

2004-04-26 06:14:27
From: Andy Bakun
Sent: Monday, April 26, 2004 3:07 AM

<...>

Digging deeper, I could see a need for making a distinction between
"domain doesn't exist", "domain doesn't publish SPF records" and
"domain's SPF records are unparsable/invalid", but this only has
usefulness outside of the MTA proper.  As far as the MTA is concerned,
any of these three states is exactly equivalent, ...

I'm with Meng on this one.  There is a real distinction between these three
cases, and it is very relevant to the MTA.  It is just not part of SPF.
Since many people already configure their mailers to do forward confirmed
reverse DNS on the connecting IP, NXDOMAIN results would cause SMTP
connections to be terminated before you ever get to the SPF check.  Now, if
you prefer to err on the side of permissiveness in what you accept, you are
free to ignore or not even do any tests on the SMTP-client prior to SPF
checks.  There will be a lot of spam in the queue, but your MTA, your rules.

SPF, or any other protocol that enforces a foreign domain owner's policy,
makes the most sense as the last test during the SMTP session before DATA
and after all the local domain policy tests are complete.  In order to avoid
interfering with local policy, the SPF spec _had_ to be written in this
manner.  With tight local policy, most spam can be caught and rejected
before an SPF check using: FCrDNS, dynamic IP DNSBLs, open relay DNSBLs,
spam source DNSBLs, RFC-ignorant DNSBLs, HELO string checks, local black
lists, etc.  This is all part of best commercial practice, but the writers
of the SPF spec wisely chose to stay out of the swamp they would find
themselves in if they tried to mandate any of those.  Instead, SPF leaves
them up to local policy.  I would personally like to see every MTA do all of
the above and more, but since we'd never get even this group to agree to
that, neither would the whole of the email community accept it.  We can't
even get everyone to agree on outbound port 25 blocking, which some see as
fundamental to outgoing spam control (are you listening, Comcast?), others
see as an individual rights issue and some are just too lazy to be bothered.

--

Seth Goodman
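The check ordering argued for in this post (local policy such as FCrDNS, DNSBL and HELO checks first, SPF last before DATA) and the three-way distinction from the quoted text (domain does not exist, domain publishes no SPF record, record is unparsable) can be seen in a small policy pipeline. This is an added illustration, not code from the list or from any SPF implementation: all DNS data and the DNSBL listing are constructed in-memory tables with hypothetical names and documentation-range addresses, and the SPF evaluator handles only "ip4:" terms and a final "all" qualifier so the control flow stays visible.

```python
"""Order of SMTP-time policy checks: local policy first, SPF last.

Constructed example data; no network lookups are performed.
"""
import ipaddress

# Constructed DNS tables (hypothetical names, RFC 5737 documentation addresses).
DNS = {
    "PTR": {
        "192.0.2.10": ["mail.example.org."],
        "192.0.2.20": ["other.example.org."],
        "192.0.2.99": ["dyn-99.isp.example."],   # PTR that does not resolve back
        "203.0.113.5": ["host5.dyn.example."],
    },
    "A": {
        "mail.example.org.": ["192.0.2.10"],
        "other.example.org.": ["192.0.2.20"],
        "dyn-99.isp.example.": ["198.51.100.7"],
        "host5.dyn.example.": ["203.0.113.5"],
    },
    "TXT": {
        "example.org.": ["v=spf1 ip4:192.0.2.10 -all"],
        "broken.example.": ["v=spf1 ip4:not-an-address -all"],  # unparsable
        "nospf.example.": ["some unrelated txt"],                # no SPF record
    },
}
DYNAMIC_IP_DNSBL = {"203.0.113.5"}   # constructed dynamic-IP listing
QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def fqdn(name):
    return name.rstrip(".") + "."


def domain_exists(name):
    """Stand-in for NXDOMAIN vs NOERROR: any record at the name means it exists."""
    return fqdn(name) in DNS["A"] or fqdn(name) in DNS["TXT"]


def fcrdns(ip):
    """Forward-confirmed reverse DNS: a PTR name must resolve back to the IP."""
    return any(ip in DNS["A"].get(name, []) for name in DNS["PTR"].get(ip, []))


def spf_lookup(domain):
    """Raw lookup state: 'nxdomain', 'none', 'permerror', or ('record', text)."""
    if not domain_exists(domain):
        return "nxdomain"
    recs = [t for t in DNS["TXT"].get(fqdn(domain), []) if t.startswith("v=spf1 ")]
    if not recs:
        return "none"
    if len(recs) > 1:
        return "permerror"          # multiple SPF records are a permanent error
    return ("record", recs[0])


def parse_spf(record):
    """Parse 'ip4:<addr|cidr>' terms and a final 'all'; ValueError if malformed."""
    nets, all_qualifier = [], "?"
    for term in record.split()[1:]:
        if term.startswith("ip4:"):
            nets.append(ipaddress.ip_network(term[4:], strict=False))
        elif term.lstrip("+-~?") == "all":
            all_qualifier = term[0] if term[0] in QUAL else "+"
        else:
            raise ValueError("unsupported term: " + term)
    return nets, all_qualifier


def spf_check(ip, domain):
    """SPF result plus the raw state, so the MTA can log nxdomain vs 'no record'
    even though SPF itself treats both as 'none'."""
    state = spf_lookup(domain)
    if state in ("nxdomain", "none"):
        return "none", state
    if state == "permerror":
        return "permerror", state
    try:
        nets, all_qualifier = parse_spf(state[1])
    except ValueError:
        return "permerror", "unparsable"
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in nets):
        return "pass", "record"
    return QUAL[all_qualifier], "record"


def smtp_policy(ip, helo, mail_from_domain):
    """Run checks in the order the post argues for. Returns (decision, stage, detail)."""
    # 1. Connection time: local policy only (FCrDNS, dynamic-IP DNSBL).
    if not fcrdns(ip):
        return "reject", "fcrdns", "no forward-confirmed reverse DNS"
    if ip in DYNAMIC_IP_DNSBL:
        return "reject", "dnsbl", "listed in dynamic-IP DNSBL"
    # 2. HELO: one simple local check, the name must resolve.
    if fqdn(helo) not in DNS["A"]:
        return "reject", "helo", "HELO name does not resolve"
    # 3. MAIL FROM: the foreign domain owner's policy, evaluated last before DATA.
    result, state = spf_check(ip, mail_from_domain)
    if result == "fail":
        return "reject", "spf", "SPF fail"
    return "accept", "spf", "SPF %s (%s)" % (result, state)
```

Note that a client failing FCrDNS is rejected at stage one and never costs an SPF lookup, while a sender domain that is NXDOMAIN, has no record, or has a broken record is accepted by the SPF stage but carries a distinct state for local logging or policy, which is the distinction the quoted text says lies outside SPF proper.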