spf-discuss

Re: Please stop publishing -all it is NOT time yet

2004-06-14 21:08:45
On Jun 14, 2004, at 11:50 AM, Koen Martens wrote:

> On Mon, Jun 14, 2004 at 07:40:14AM -0500, wayne wrote:
>
> > It is *very* important for domain
> > owners to be able to test the waters by publishing an SPF record with
> > ?all without fear that they will be treated any differently than if
> > they didn't publish SPF records at all.
>
> Hmm, but some argue a ?all or ~all result helps their spamfilters later
> on. So if something is wrong on the publishing end, they'll always run
> the risk some statistical virus filter later on has seen a high correlation
> between spam and softfail in the headers... Or am I way off now?

I think you are right, but I don't think that it changes Wayne's point. Statistical mail filters are just what they say they are. If statistically there is a difference between "none" and "neutral" then that information will be made use of.

But remember the nature of the Red Queen's Race with the spammers and how things equilibrate. If statistical filters treat "neutral" more positively than "none" then spammers will start forging mail from domains that publish ?all. The statistical filters will come to notice that "neutral" is no longer a useful indicator.

I consider worrying about this from the publisher's point of view as making no more sense than, say, choosing exim instead of sendmail based on the reason that spammers are more likely to forge sendmail style Received lines than exim style Received lines. There may be other reasons to prefer exim, but that isn't one of them.

At the moment, it appears that some non-forging spammers are publishing SPF records, presumably because some statistical systems might currently be favoring SPF "pass". If enough of that happens, a "pass" may, for some weeks or so, start to look bad to some statistical systems. But that is hardly a reason to not publish an SPF record.

With softfail the argument is a little different. The way I read a "softfail" instead of a "neutral" is a domain admin saying, "this mail is either forged or comes from some legitimate source that I don't know about. But I suspect that there are legitimate sources that I don't know about or can't specify". A softfail is telling me something different than a neutral.

As many have pointed out, but I'd like to reiterate. The idea is to keep the meaning of "pass", "fail", "neutral", "softfail", and "none" consistent. But while the meaning remains constant, the actions or policies of receiving systems can vary widely from site to site. For example, it would be perfectly consistent with SPF for me to set up a server that only accepted mail that had an "SPF fail". It would be a very peculiar thing to do, but as long as I didn't generate misleading bounce strings, I wouldn't be undermining SPF at all.

This is no different than the fact that today I can set my mail server to only accept mail which scores high as spam. It would be peculiar for me to do so, but as the slogan goes, "my server, my policy".

So it is important to distinguish between the constant meaning of an SPF query and the variable ways people may choose to use those results.

--
Jeffrey Goldberg                        http://www.goldmark.org/jeff/
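
The distinction drawn in the message above, as an added example that is not part of the original post or of any SPF implementation: a simplified evaluator (only `ip4:`, `ip6:` and `all` are handled) returns a fixed result for each published record, and two receivers then apply different local policies to that same result. The records, addresses and the two policy functions are constructed for illustration.

```python
import ipaddress

# Qualifier prefix -> SPF result when the mechanism matches ("+" is the default).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_result(record, client_ip):
    """Evaluate a simplified SPF record for one connecting IP address.

    record is the published TXT string, or None when the domain publishes
    nothing. Mechanisms that need DNS lookups are rejected, not guessed at.
    """
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = (term[1:] if term[0] in QUALIFIERS else term).lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(mech[4:], strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        raise ValueError("mechanism not supported in this sketch: " + term)
    return "neutral"  # nothing matched and no "all" term: default is neutral

def typical_site(result):
    # Hypothetical receiver: reject on fail, tag softfail, accept the rest.
    return {"fail": "reject", "softfail": "tag"}.get(result, "accept")

def peculiar_site(result):
    # The message's deliberately odd server: accept only mail with an SPF fail.
    return "accept" if result == "fail" else "reject"

if __name__ == "__main__":
    unlisted = "198.51.100.7"  # constructed sender outside the listed range
    published = [None,
                 "v=spf1 ip4:192.0.2.0/24 ?all",
                 "v=spf1 ip4:192.0.2.0/24 ~all",
                 "v=spf1 ip4:192.0.2.0/24 -all"]
    for record in published:
        result = spf_result(record, unlisted)
        print(record, "->", result, typical_site(result), peculiar_site(result))
```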