spf-discuss

Re: Re: Drive Towards Consensus

2004-06-18 09:55:44

On Thursday 17 June 2004 10:50 pm, wayne wrote:
In <3458893(_dot_)1087488751(_at_)Ryoga> Greg Connor 
<gconnor(_at_)nekodojo(_dot_)org> writes:
--Jonathan Gardner <jonagard(_at_)amazon(_dot_)com> wrote:
[example1]
Accreditation is irrelevant. example1.com's reputation or
accreditation is beyond the scope of MARID anyway. We are merely
trying to establish authority.

I totally agree that rate limits are done by the transmitting MTA.
Rate limits are also beyond the scope of MARID.

Agreed, on both.

While I agree that the things that Margaret Olson is looking for are
beyond the scope of MARID, they *are* email problems that Margaret has
to deal with on a regular basis.  Her company is an Email Service
Provider (ESP), and this is exactly the kind of thing she does.  Don't
dismiss her ideas because they don't quite make sense to you, she
really does know email.  Her situation, however, is different from
what many of us have to deal with, and that's great.


If two proposals do about the same thing, and one is extendable into
other areas, that proposal will be adopted.

If you think that XML is not an appropriate solution to the SPF
system, then I highly recommend thinking about how to solve the
scenarios that Margaret proposed within the SPF syntax.

Actually, I think we should try to solve these problems anyway, no
matter what MARID may or may not do.

Example3.com:

example3.com publishes:
"v=spf1 mx redirect=%{d}._customer.maridRus.com"

on example3.com._customer.maridRus.com, we have:
For 0.1% of the time:
"v=spf1 exists:CL.%{i}.FR.%{s}.HE.%{h}.null.%{d} ?all"
For the remaining time:
"v=spf1 ?all"

No, you can't change records willy-nilly in DNS. The SPF records are
practically etched in stone, and shouldn't be changed rapidly.

Actually, some appliances such as 3DNS by f5 do this with good
results.

The NTP pool project (http://pool.ntp.org) also rapidly changes their
DNS records.  They have something like 200 NTP servers in the pool,
but only around 15 will fit in a DNS packet.

It works.  It needs no changes to the DNS system.  It is kind of an
ugly solution though.


Margaret replied to my suggestions and didn't feel that my suggested
solution would work well.  Here is what I answered her with:


So, if you want to do 1/1000 sampling, you don't run the sampling SPF
records for a solid 1/1000 amount of the time, you publish the
sampling SPF record for a randomly selected 3.6 seconds out of every
hour.

This can be done with a very simple script, right now, with SPF
without any changes at all.  You don't have to depend on the receiving
side SPF implementation understanding and obeying a new extension.
Depending on receiving systems will create a huge sampling bias.  You
can fine tune things so that the tracking SPF record is deployed more
at night than during the day because the spam volume tends to stay
much more constant, but your server load is lower.  You can deploy the
tracking SPF record right when you know you are sending a burst of
email.

You can do all sorts of stuff that is completely under the domain
owner's control and you can do it today.  It would take me about 15
minutes to create and test a script to do this on my name server.

If you want to get fancier, you can hack up a name server to give out
the tracking SPF record one out of 1000 times it is requested.  You
could decide by the domain requesting the SPF record what kind of
tracking you want done and have the name server respond accordingly.


Stop hacking DNS. It's not good. DNS works because it is distributed. Notice 
how round-robin DNS load balancing doesn't work quite well? That's because 
DNS isn't intended to handle that kind of thing.

It's better to get all the stats, and just keep 1/1000 of them on your end, 
or do whatever you want with it. But that's not a good idea either... see 
below.


Could you imagine the email policy description that would do something
like "send me information about invalid domain name usage, but only
around 08:00 UTC on the first Monday of each month, and only if your
from domains x, y, or z, or in *.co.uk, but not ebay.co.uk".  You can
do this today with SPF and a little creativity with your name server.
You will almost certainly never be able to do this if you try adding
extensions, even if you use XML.


The bottom line here is: Can you trust the reports that other people are 
gathering for you?

Maybe we can have a system in place between partners where they say, "Send 
me reports on my name, and I'll send you reports on your name." But that 
has to be worked out carefully, because ultimately, you have to trust the 
guy who is reporting the stats. I wouldn't trust the internet at large to 
do that for me and produce any meaningful result.

If you wanted some kind of stat reporting network, it needs to be built on 
trust. Where does that trust come from? It doesn't come from any kind of 
internet protocol I can think of. (Ping: "Can I trust you?" Pong: "Sure!")

Trust comes from human relationships. We trust that the SSL certificate 
presented at https://www.amazon.com/ is valid because some certificating 
authority we trust trusts it. But that doesn't mean we automatically trust 
Amazon! That trust comes from our human relationship with Amazon.


Basically, I'm saying that the right place to evaluate these decisions
is at the ESP, rather than forcing/depending on all the receivers in
the world to do the decision making for you.


I agree. I'm just trying to sum it up in fewer words.

-- 
Jonathan M. Gardner
Mass Mail Systems Developer, Amazon.com
jonagard(_at_)amazon(_dot_)com
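The redirect plus `exists:` tracking record quoted in the thread, walked through as an added example (not code from the thread or from any SPF implementation): it expands the SPF macros for one constructed SMTP transaction to show the DNS name the receiving MTA ends up querying, which is how the ESP's name server gets its per-message statistics. The IP address and mail domains are constructed sample values; maridRus.com is the hypothetical zone from the post.

```python
import re

# Macro syntax from SPF (RFC 4408 section 8.1): %{<letter><digits><r><delims>}
# plus the literals %%, %_ and %-.  Only the letters used in the thread's
# tracking record (i, s, h, d) and the related l/o are supported here;
# uppercase letters (URL-encoded forms) are treated like lowercase.
MACRO_RE = re.compile(r"%\{([a-zA-Z])(\d*)(r?)([.\-+,/_=]*)\}|%([%_-])")


def expand_spf_macros(spec, ip, sender, helo, domain):
    """Expand the macros in an SPF term for one SMTP transaction.

    ip/sender/helo/domain are the values SPF defines for %{i}, %{s}, %{h}
    and %{d}.  An unsupported macro letter raises ValueError instead of
    passing through silently, which is what a checker should do with a
    malformed record.
    """
    values = {"i": ip, "s": sender, "h": helo, "d": domain,
              "l": sender.split("@", 1)[0], "o": sender.split("@", 1)[-1]}

    def sub(m):
        if m.group(5):  # literal escapes %%, %_, %-
            return {"%": "%", "_": " ", "-": "%20"}[m.group(5)]
        letter, digits, reverse, delims = m.group(1), m.group(2), m.group(3), m.group(4)
        if letter.lower() not in values:
            raise ValueError("unsupported macro %%{%s}" % letter)
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter.lower()])
        if reverse:          # 'r' transformer: reverse the label order
            parts.reverse()
        if digits:           # digit transformer: keep the rightmost N labels
            parts = parts[-int(digits):]
        return ".".join(parts)

    return MACRO_RE.sub(sub, spec)


def tracking_lookup_name(ip, sender, helo):
    """Follow the two records quoted in the thread and return the pair
    (redirect target, exists: lookup name) a receiver would query."""
    redirect = expand_spf_macros("%{d}._customer.maridRus.com", ip, sender, helo, "example3.com")
    # After a redirect, %{d} is the redirect target, so the exists: name falls
    # under maridRus.com and the ESP's own name server observes the query.
    tracking = "CL.%{i}.FR.%{s}.HE.%{h}.null.%{d}"
    return redirect, expand_spf_macros(tracking, ip, sender, helo, redirect)


if __name__ == "__main__":
    # Constructed sample transaction (documentation IP range, example domains).
    target, name = tracking_lookup_name("192.0.2.10", "alice@example.com", "mail.example.com")
    print(target)
    print(name)
```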

