On Tue, 6 Jul 2004 14:00:37 -0500, Seth Goodman: wrote in :
From: Frank Ellermann
Seth Goodman wrote:
I don't see why we should help anyone sending mail from a
dynamic IP. _Most_ people on dynamic IP's are not capable
of running MTA's.
This "most" doesn't include users with a reliable MX (static
IP), and a say DynDNS domain with "v=spf1 +a +mx -all" policy.
I specifically said the problem was with dynamic IP's as you've
quoted me
above. Of course this does not include static IP's.
IMHO any email from a dynamic IP is HIGHLY suspect, and I will
do whatever I can to reject it, SPF or not, it's my privledge
as the receiver after all. Aside from the issues of zombies etc,
no SPF record can be sufficently accurate on a moving target IP
address, many (caching) DNS implementations override
unreasonably short TTLs of DYNDNS type records, which will lead
to rejections of email from a domain by up to a day based on
their own (cached) SPF records.
Meng and myself has disagreed in the past on this list over the
MTAMARK=No being overridden by "valid" SPF records, I still
think there is no point in using MTAMARK, if it can be
overridden, it's bit like me having a 6 inch bar instead of a
door on my house (sorry I don't do NRA analogies, like a Colt
45 against a T-shirt saying "bullets not welcome")
That's not the typical trojaned zombie setup, and in theory
it could work. In practice there are some problems, but that
has nothing to do with classic SPF. I'm not sure about the
"united SPF" beast including some kind of MTAMARK.
That's right. I was specifically talking about dynamic IP's.
People with
static IP's can run their own mailers at most ISP's, and if
they screw up,
they get blacklisted, not their ISP. That's exactly as it
should be. OTOH,
it is a huge problem to try to keep a current blacklist of all
trojaned PC's
out of the couple hundred million dynamic IP's around.
A particular problem, since these trojaned PC's keep changing
IP addresses, so anyone trying to MX subsequently from a
previously zombied IP has even higher odds of getting rejected
from their dynamic moving target.
<snip>
We certainly shouldn't provide a mechanism that trumps the
ISP's AUP.
Where do you see this in the "united" texts ?
http://spf.pobox.com/slides/unified%20spf/0429.html
It's their netblock, after all, and they're responsible for
its use.
In theory. But in practice we have comcast.blackholes.us :-(
That is a good thing.
The *nix users are IMHO not responsible for this mess, they
are innocent bystanders.
The operating system is not the issue at all, the type of
connection is. If
you have a dynamic IP, you shouldn't be running an MTA because
you cannot be
held accountable for what you send out. SPF is about sender
accountability.
Dynamic IP's inherently have no accountability. The two simply
don't mix.
People either need to get a static IP so they can be held
accountable for
what they send out or use the ISP's smarthost and put up with the
restrictions. That's up to ISP's to enforce. My point was that we
shouldn't provide a mechanism for people on dynamic IP's to get
around their
own ISP's reasonable restrictions on that type of service.
I'm with you on this Seth, as I have noted above, If a
MTAMARK=No is not effective, then MTAMARK is pointless.
This could easily mean real money paid to large companies,
which is not what SPF is about.
Yes. TINSTAAFL, you don't get a reliable MX and a domain with
SPF and dynamic IP for free. If spammers abuse this kind of
setup, then that's something you can't solve with classic SPF:
Then classic SPF is broken and we need to fix it. The sole purpose of
classic SPF was to prevent envelope return-path forgeries.
Either it does
or it doesn't.
I thought Seth's original comment was about not making SPF a
system that makes reputaton companies (of which there can be
few or less) rich. Better a system (secured trustworthy managed
MTA) that costs about the same, but for which there can be an
almost unlimited number of suppliers.
There's no "I don't like this name server" function. You could
use MTAMARK or the corresponding part of the new "united SPF" to
block all dynamic IPs of ISPs supporting one of these schemes.
MTAMARK will not provide this for reason stated above, so we
will carry on using blacklists (and code to identify IP encoded
RDNS & HELO's) instead, it won't be consistent and standard,
but it gives the effect recievers require.
Dynamic IP blacklists are already incredibly useful. More and more
responsible ISP's are using them.
They kill most of my spam, what does get through is either from
China, Brazil, or an IP which is obviously dynamic but not
listed. On average only one spam a day gets through, though
200-300 get the 550 treatment for various reasons. so far I
have resisted country blocks, since the numbers are slow low
after filtering, I can live with a few spams a day.