
Re: a grand unified theory of MARID

2004-06-22 08:39:38
Meng,

We may have to agree to disagree on this; I think overriding 
MTAMark=no will ensure that it (MTAMark) will not be widely 
adopted by ISPs.

If the ISP can not effectively define policy with MTAMark, then 
the ISP has no incentive to use it at all.

It is currently accepted that most spam, phishing, etc. is 
coming through trojans on the networks of these ISPs. After 
all, it is easy for a spammer to create the SPF record required 
that overrides the MTAMark=No as currently proposed.

In the absence of an effective non-invasive technology, ISPs 
may be forced into heavy-handed solutions such as submitting 
them to DUL/DHCP type RBLs and even blocking port 25. MTA 
administrators will continue to use DUL/DHCP DBLs since they 
are reasonably effective, and it is now generally accepted that 
an MTA should not MX from a DUL/DHCP if reliable delivery is 
required.

I would like to see MTAMark used to help enforce an ISP's 
policy, so that we could move away from DUL/DHCP blacklists if 
it was widely implemented. 

Where ISPs used MTAMark to show which IPs have an 
authorised MTA, that would be very positive, but only if IPs 
which are not authorised are not accepted.

Regards
Karl Prince

On Mon, 21 Jun 2004 16:26:34 -0400, Meng Weng Wong:
On Sun, Jun 20, 2004 at 10:32:54PM +0100, Karl Prince wrote:
| 
| 0429-linuxbroadband 
| http://spf.pobox.com/slides/unified%20spf/0429.html
| 
| This was a big surprise, since it seems an ISP can not publish 
| (effective) policy stating that their IP address space is not 
| to be used to send emails from directly. Even DHCP Dialup can 
| not have an enforced no direct email policy.
| <snip>
| 
| If an ISP has a "no direct mail" or a "no server policy", then 
| they should expect a published policy for these IP addresses to 
| be honoured. Ideally I would hope that users allowed to send 
| mail directly could switch off this record, if enabled by 
| default on new connections.

The important thing is finding a responsible sender.  If the
HELO domain passes authentication and if a reputation system
considers it "good", that should override the ISP's opinion
of whether it deserves to send over port 25.  Similarly for
the return-path --- that can be another subject of
authentication that overrides the MTAMark=no semantic.

| Though since many admins use DHCP/Dialup DBLs (or maintain 
| their own like AOL) to block these IP addresses (to which some 
| ISPs submit their DHCP IP's for addition), so allowing it to 
| pass may be in vain.

Unfortunately, this is part of the pain of switching
paradigms.  It'll be up to the army of linux hobbyists to
convince ISPs that instead of blocking port 25, they should
just define MTAMark=no.  That same army can also take on the
attempt to convince ISPs to stop blocking based on DULs when
the MTAMark=no semantics become available with an SPF/helo
or SPF/mail-from override.
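To make the two positions in this exchange concrete, here is an added illustration (not code from this thread, nor from any MTAMark or SPF implementation) of the combined check as Meng describes it, with the DNS lookups replaced by constructed tables. The `override` switch and the `require_reputation` gate are assumptions about how such an override would be wired in; the second one is what separates "a spammer can just publish an SPF record" from "a reputation system considers it good".

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    ip: str
    helo: str        # HELO/EHLO domain offered by the connecting host
    mail_from: str   # return-path (MAIL FROM) domain


# Constructed stand-ins for the DNS lookups (assumed; not the draft's record
# format): MTAMark per IP (False == "MTAMark=no", missing key == no record
# published), the (ip, domain) pairs for which an SPF check would return
# "pass", and the domains a reputation service currently rates as good.
MTAMARK = {"198.51.100.7": False, "198.51.100.9": False, "203.0.113.5": True}
SPF_PASS = {("198.51.100.7", "home.example.net"),
            ("198.51.100.9", "throwaway.example")}
GOOD_REPUTATION = {"home.example.net"}


def spf_pass(ip: str, domain: str) -> bool:
    return (ip, domain) in SPF_PASS


def reputable(domain: str) -> bool:
    return domain in GOOD_REPUTATION


def evaluate(s: Session, override: bool, require_reputation: bool = True) -> str:
    """Return 'accept' or 'reject' for an SMTP connection from s.ip.

    override=False: the ISP's MTAMark=no is final (Karl's position).
    override=True:  a HELO or return-path domain that authenticates may
                    override it (Meng's proposal); require_reputation adds
                    his "reputation system considers it good" condition.
    """
    mark = MTAMARK.get(s.ip)
    if mark is None or mark:
        return "accept"          # no policy published, or MTAMark=yes
    if not override:
        return "reject"          # ISP says "no MTA here" and that is honoured
    # Either authenticated identity can carry the override.
    for domain in (s.helo, s.mail_from):
        if spf_pass(s.ip, domain) and (reputable(domain) or not require_reputation):
            return "accept"
    return "reject"
```

With the reputation gate off, the host on 198.51.100.9 (MTAMark=no, but a throwaway domain with a passing SPF record) is accepted, which is exactly the outcome Karl objects to; with the gate on it is rejected while the reputable hobbyist on 198.51.100.7 still gets through.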
