spf-discuss
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: spf entries for which hosts ???

2004-10-17 16:25:45
from [Greg Connor] [Permanent Link] 
--Commerco WebMaster <Webmaster(_at_)Commerco(_dot_)Net> wrote:


Meng,

At 03:44 PM 10/11/2004, you wrote:

On Mon, Oct 11, 2004 at 01:40:00PM -0600, Commerco WebMaster wrote:

.. snip my question, below part of your answer ..

There are two ways to report this information back to domain
owners: they can use an "exists" for logging, or they can
help develop a reporting syntax, eg. v=spf1 -all
report=postmaster+spf(_at_)%{d}


Thank you for this.  A more elegant solution than my original thought, as
you can specify a report return address.  Perhaps we might want to add a
report=NULL option or something like it to specially inform the requester
explicitly that they should not send a bounce message for authentication
failed SPF events.

The original reason I asked about this was that we are seeing some well
known AV software sending bounce messages on forged spam sent out with
one or two of our names lately, so I am hopeful they will adopt SPF in
their software to avoid these bounces and not deliver bogus "from"
messages.  As I thought about that, my mind went to evidence gathering
and having an ability to have the spammed hosts's AV software report the
identity theft abuse back to me anyway, even given published SPF records
and not just in a 550 condition.  Although, sending back information on
deliverable messages to the abused domain owner might be a very bad idea,
as I could easily envision spammers using that as a mighty fine tool for
address verification.  Still, I think that the ability to control
reporting of undeliverable bounce messages that fail SPF is a nice
capability.

In the reporting syntax, may we also presume that if the 'report=' part
is not included in the SPF TXT record, the correct behavior would be to
drop the message and not report the abuse back to the abused domain owner
via a '<>' delivery bounce return?  If so, then the report=NULL option I
suggested above is redundant.
I think that you might be conflating the two concepts, of reporting to the domain owner vs. bouncing or rejecting the message. (I apologize if I misunderstood you -- if the following is not at all relevant you may ignore :)
If a message is really forged, the best possible case is to not accept it: reject it during the initial transaction. If you don't reply 2xx to DATA then you haven't officially accepted the message and you don't have to do anything to report the failure other than closing the connection.
If you have accepted the message and then later figure out by SPF that it's a forgery, well, you poor bastard. Following traditional email practices, you would need to send a bounce message to the original sender. There is no rule that says you shouldn't. Traditional (i.e. old) wisdom is that it's better to notify someone of the bounce than to drop mail on the floor. Some might say that if you can prove using SPF that it was a forgery that maybe you shouldn't send the bounce. More and more people are starting to complain about "accept-then-bounce" aka. "blowback" and many hard-core anti-spam folks will block servers that bounce forged messages too much. There's no hard and fast rule, but most, probably all email server operators would agree that it's much much much better if you can arrange to just not accept the forged message in the first place.
Now... neither of the above have to do with report= and here is why. If a message is rejected due to SPF, it's likely to be a forgery, and in that case, the domain owner and the sending server are probably not the same. So by rejecting the message during the initial connection, you have made it the sending server's problem to deal with, but it's likely that the REAL domain owner has no way of knowing that the attempt was made and failed. He has no way of knowing that his domain is being used, abused, or possibly even being prevented from sending something he wanted to send but hasn't properly configured (like sending from a hotel or something).
Normally you would not go to the effort of notifying the (real) domain owner that the (unauthorized) mail server just tried to do something and failed. report= and exists:+logging are two possible ways to get around that and alert the real owner of the domain that something fishy is going on, and SPF is probably working correctly (but if he really meant to send something he should examine his SPF record)
So. I would recommend to set your site's policy regarding "bounces" totally separately from SPF report= parameter. If you can manage it, reject the messages up-front rather than accepting and then having to choose between a "blowback" bounce and dropping to a black hole. Rejecting up-front makes it the problem of the sending server (which might send a bounce anyway but that's for them to decide -- if it's a direct spammer or virus it will just move on to the next target anyway). 

--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: It's published!, Frank Ellermann
Next by Date:  Re: Re: When did we lose control?, wayne
Previous by Thread:  Re: spf entries for which hosts ???, Commerco WebMaster
Next by Thread:  RE: spf entries for which hosts ???, guy
Indexes:  [Date] [Thread] [Top] [All Lists]