spf-discuss

Re: Re: Please Don't Reject SPF NEUTRAL

2004-09-23 18:36:00
...... Original Message .......
On Fri, 24 Sep 2004 01:59:11 +0200 Frank Ellermann 
<nobody(_at_)xyzzy(_dot_)claranet(_dot_)de> wrote:
Scott Kitterman wrote:

My concern is not so much with today, but once RHSBLs get
going, the risk becomes much greater.  While the ISP might
fix the problem very quickly and cancel the other guy's
account, I may be stuck on a RHSBL and until I fix that,
my e-mail can't be delivered.

That could be a problem, but from my POV as user it's already
reality.  Sometimes I had to use "the other mail provider",
because the first somehow made it on a BL (it wasn't me ;-)

In some cases I could fix it without asking the postmaster,
but with a SORBS 127.0.0.6 I was really forced to use the
other MSA.  Fortunately my main provider now blocks all worms,
and I don't have many reasons to communicate with abuse desks
all over the world.

Right.  But getting stuck on a RHSBL would be much worse.  It wouldn't 
matter what MSA you used.  Your mail would still be blocked.  Today at 
least you can switch to a backup MSA from a different IP.

If an MSA submits spam, shouldn't they be the one that gets shut down?  
They accepted the message for submission.

What does an SPF PASS really buy me?

Good question.  Not too much, maybe the feeling that spammers
have to pay to get a PASS if they want it.  The important SPF
result is a FAIL, that's what I want to get if somebody forges
my subdomain. 

The major point of SPF (for me anyway) is the -all

Yes.  IIRC we had a similar discussion about "SOFTPASS", the
SPF PASS is only a "SOFTPASS", and you would like to have a
"HARDPASS", if you're sure that no other client of the same
ISP can forge your domain.

Yes.  I've adapted to the current situation by putting "?" in my records 
where cross customer forgery could happen.

Now after MARID dropped the ball we're in theory free to add
a "HARDPASS", but I'm already unhappy with SOFTFAIL and exp=.

SPF is really complex, I'd prefer simplifications instead of
adding more features.  I'm one of these KISS fans, I simply
don't get it why a receiver should want to evaluate a sender
policy if he can't "win" something (= FAIL).  And I don't get
it why he should display weird explanations of 3rd parties.

Agree totally that we should take advantage of any reasonable 
simplifications we can find.

That's an idea for protocol-03, the exp= section could stress
that a sender policy with exp= but no chance for a "-" (FAIL)
is on the border to abusive.
                              Bye, Frank

We also need to make the wizards better so novices don't make overly 
complex or optimistic records.

Scott Kitterman
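
An added example, not part of the original message or of any SPF project code: a small Python record check for two points raised in the thread, mechanisms marked "?" where cross-customer forgery is possible, and exp= in a record that can never return FAIL. The record strings and domain names are constructed, and as an assumption redirect= is treated as "result unknown" rather than followed.

```python
# Added example: records below are constructed, not taken from the thread.
QUALIFIERS = {"+": "PASS", "-": "FAIL", "~": "SOFTFAIL", "?": "NEUTRAL"}
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
SAMPLES = {
    "shared_msa": "v=spf1 ip4:192.0.2.10 ?include:isp.example.net -all",
    "no_fail": "v=spf1 mx ?all exp=explain.example.org",
}


def parse_record(record):
    """Split a record into (result, mechanism) pairs and a modifier dict."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    mechanisms, modifiers = [], {}
    for term in terms[1:]:
        qualifier, body = "+", term            # "+" is the default qualifier
        if term[0] in QUALIFIERS:
            qualifier, body = term[0], term[1:]
        name = body.split(":", 1)[0].split("/", 1)[0].lower()
        if name in MECHANISMS:
            mechanisms.append((QUALIFIERS[qualifier], body))
        elif "=" in body:                      # modifier: exp=, redirect=
            key, value = body.split("=", 1)
            modifiers[key.lower()] = value
        else:
            raise ValueError("unrecognised term: " + term)
    return mechanisms, modifiers


def review(record):
    """Return findings a record wizard could show before publishing."""
    mechanisms, modifiers = parse_record(record)
    results = [result for result, _ in mechanisms]
    findings = []
    # Assumption: with redirect= the outcome depends on another record.
    if "FAIL" not in results and "redirect" not in modifiers:
        findings.append("no '-' mechanism: record can never return FAIL")
        if "exp" in modifiers:
            findings.append("exp= present but FAIL is impossible")
    for result, body in mechanisms:
        if result == "NEUTRAL" and body.lower() != "all":
            findings.append("?" + body + ": a match returns NEUTRAL, not PASS")
    return findings


if __name__ == "__main__":
    for label, record in SAMPLES.items():
        print(label, review(record))
```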

