spf-discuss

RE: Re: Unified SPF works in progress now in alpha

2004-07-06 12:00:37
From: Frank Ellermann
Sent: Tuesday, July 06, 2004 9:55 AM
To: spf-discuss@v2.listbox.com
Subject: [spf-discuss] Re: Unified SPF works in progress now in alpha


> Seth Goodman wrote:
>
> > I don't see why we should help anyone sending mail from a
> > dynamic IP.  _Most_ people on dynamic IPs are not capable
> > of running MTAs.
>
> This "most" doesn't include users with a reliable MX (static
> IP), and a, say, DynDNS domain with "v=spf1 +a +mx -all" policy.

I specifically said the problem was with dynamic IPs, as you've quoted me
above.  Of course this does not include static IPs.


> That's not the typical trojaned zombie setup, and in theory
> it could work.  In practice there are some problems, but that
> has nothing to do with classic SPF.  I'm not sure about the
> "united SPF" beast including some kind of MTAMARK.

That's right.  I was specifically talking about dynamic IPs.  People with
static IPs can run their own mailers at most ISPs, and if they screw up,
they get blacklisted, not their ISP.  That's exactly as it should be.  OTOH,
it is a huge problem to try to keep a current blacklist of all trojaned PCs
out of the couple hundred million dynamic IPs around.


> > without accreditation and reputation services, we can't tell
> > this guy/gal from a spammer.
>
> If the IP matches "-all" you can trust that this is a spammer
> or Murphy, and in both cases it isn't your problem; reject the
> mail.
>
> > We certainly shouldn't provide a mechanism that trumps the
> > ISP's AUP.
>
> Where do you see this in the "united" texts?

http://spf.pobox.com/slides/unified%20spf/0429.html


> > It's their netblock, after all, and they're responsible for
> > its use.
>
> In theory.  But in practice we have comcast.blackholes.us :-(

That is a good thing.

> The *nix users are IMHO not responsible for this mess; they
> are innocent bystanders.

The operating system is not the issue at all; the type of connection is.  If
you have a dynamic IP, you shouldn't be running an MTA, because you cannot be
held accountable for what you send out.  SPF is about sender accountability.
Dynamic IPs inherently have no accountability.  The two simply don't mix.
People either need to get a static IP so they can be held accountable for
what they send out, or use the ISP's smarthost and put up with the
restrictions.  That's up to ISPs to enforce.  My point was that we
shouldn't provide a mechanism for people on dynamic IPs to get around their
own ISP's reasonable restrictions on that type of service.


> > This could easily mean real money paid to large companies,
> > which is not what SPF is about.
>
> Yes.  TINSTAAFL, you don't get a reliable MX and a domain with
> SPF and dynamic IP for free.  If spammers abuse this kind of
> setup, then that's something you can't solve with classic SPF:

Then classic SPF is broken and we need to fix it.  The sole purpose of
classic SPF was to prevent envelope return-path forgeries.  Either it does
or it doesn't.


> There's no "I don't like this name server" function.  You could
> use MTAMARK or the corresponding part of the new "united SPF" to
> block all dynamic IPs of ISPs supporting one of these schemes.

Dynamic IP blacklists are already incredibly useful.  More and more
responsible ISPs are using them.

--

Seth Goodman
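The exchange above turns on what an SPF receiver does with a sender that runs into "-all" in a policy such as "v=spf1 +a +mx -all". The block below is an added example written for this archive page; it is not code from the post, from either participant, or from any SPF implementation. It evaluates such a policy against constructed, hypothetical DNS data (example.net, mail.example.net, example.org and every IP address in it are made up for the example; only the a, mx, ip4 and all mechanisms are implemented) and shows the domain's own MX host passing, a sender from an unrelated address failing on -all and being rejected, and a ~all softfail for comparison.

```python
# Added example, not from the list post: a minimal v=spf1 evaluator for the
# a, mx, ip4 and all mechanisms, enough to show what "v=spf1 +a +mx -all"
# does to a sender that is not one of the domain's own hosts.
import ipaddress

# Constructed, hypothetical zone data so the example runs offline
# (assumption: none of these names or addresses are real).
DNS = {
    "example.net":      {"A": ["192.0.2.10"], "MX": ["mail.example.net"],
                         "TXT": ["v=spf1 +a +mx -all"]},
    "mail.example.net": {"A": ["192.0.2.25"]},
    "example.org":      {"A": ["192.0.2.40"], "TXT": ["v=spf1 a ~all"]},
}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Return the constructed records of the given type for a name."""
    return DNS.get(name, {}).get(rtype, [])


def parse_policy(txt):
    """Split a v=spf1 record into (qualifier, mechanism, argument) terms."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: " + txt)
    parsed = []
    for term in terms[1:]:
        qual = "+"                       # default qualifier is pass
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qual, mech.lower(), arg))
    return parsed


def matches(mech, arg, domain, ip):
    """Does the connecting IP match this mechanism for this domain?"""
    if mech == "all":
        return True                      # terminal catch-all
    if mech == "ip4":
        return ip in ipaddress.ip_network(arg, strict=False)
    target = arg or domain               # "a:other.example" overrides domain
    if mech == "a":
        return any(ip == ipaddress.ip_address(a) for a in lookup(target, "A"))
    if mech == "mx":
        return any(ip == ipaddress.ip_address(a)
                   for mx in lookup(target, "MX") for a in lookup(mx, "A"))
    raise ValueError("unsupported mechanism: " + mech)


def check_host(ip, domain):
    """SPF check_host(): result for a MAIL FROM domain and connecting IP."""
    ip = ipaddress.ip_address(ip)
    records = [t for t in lookup(domain, "TXT") if t.lower().startswith("v=spf1")]
    if len(records) != 1:
        return "none"                    # no policy (or ambiguous): no verdict
    for qual, mech, arg in parse_policy(records[0]):
        if matches(mech, arg, domain, ip):
            return RESULT[qual]
    return "neutral"                     # ran off the end without a match


def smtp_action(result):
    """The receiver policy argued for in the thread: reject only on fail."""
    return "reject" if result == "fail" else "accept"


if __name__ == "__main__":
    for ip, dom in [("192.0.2.25", "example.net"),     # the domain's MX
                    ("198.51.100.77", "example.net"),  # some other address
                    ("203.0.113.5", "example.org")]:   # ~all for comparison
        r = check_host(ip, dom)
        print(f"{ip:>14} {dom:<12} {r:<8} -> {smtp_action(r)}")
```

The point the evaluator makes concrete: with "-all" the domain owner has said every address outside a and mx is unauthorised, so a message from a dynamic address that is not the domain's MX gets "fail" and the receiver can reject it without needing any reputation service; with "~all" the same sender only softfails and the decision is pushed back onto the receiver. Real SPF also has include, redirect, exists, ip6 and DNS lookup limits, none of which are modelled here.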