spf-discuss

RE: I hate to interrupt all this for something practical, but.... we need a concise, easy-to-follow set of SPF instructions in file format - anyone able to help?

2004-10-27 21:13:23
From: guy
Sent: Wednesday, October 27, 2004 3:55 PM


> For blocked port 25 systems..
>
> 2 issues:
>
> My ISP does not list the outgoing SMTP systems.  I and others had to send
> test emails to generate the list.  We found 10 of them.  My ISP
> does not do SPF yet. Your example is correct, but for me it was not easy.

Guy is right about this.  Fortunately, there is a tool called SenderBase
maintained by IronPort that keeps track of the outgoing mail volume of most
ISPs, including lists of all their outgoing IPs.  This was the tool I had
to use to figure out the outgoing MTA IP ranges used by my two providers.
Both of them later verified the accuracy of the information, though there is
no guarantee.  I think it would be worthwhile to include some instructions
as to how to use this tool to accomplish the task.  Please don't tell me I
just volunteered because I didn't.


> The "a:SMTP.ISP.net" tells the world to trust SMTP.ISP.net (since the
> default is "+").  But this is not correct.  Everyone that has
> access to the SMTP server can forge your email address.  You should use
> "~a" which is neutral, but neutral is what you get if you have no SPF
> record.  This is stupid.  I should be able to indicate my ISP's SMTP
> servers can be trusted more than any other SMTP server on the Internet,
> but I can't trust it 100%. So, I use +, which is wrong.  Oh, I have
> read that some ISPs fail on neutral.  You could use "include:ISP.net"
> if your ISP has SPF records. Still the same neutral issue.

Guy is right again.  Guy is always right.  Don't you just hate that? :-)

The smtp.ISP.net address is the MSA and is typically reachable only from
inside of the ISP's network, i.e. its other customers.  Depending on the
size of the ISP, the outgoing MTAs that recipients see will instead be the
outward-facing MTAs, which normally have different IP addresses.  Small
providers may have the MSA and MTA as part of the same piece of hardware,
sometimes sharing the same IP address, so you actually have to check to see
what IP addresses others see on your email.  That is where SenderBase comes
in handy.

Another problem for the SOHO user, at least in the U.S., is that some of the
cable and telephone company broadband providers have networks that are so
extensive, it is very difficult for an ordinary person to get the
information needed for an SPF record.  You literally have to hound technical
support for up to several hours explaining what you want and why you need it
to actually get the information.  As often as not, they will not be able to
help you, simply because they have no idea themselves.  It is largely a
problem of inertia.  There are actually network maps for all of these
companies, the problem is that the average tech service employee has never
had to dig up this kind of information and it is not readily available to
them.  In the past, no one cared what fifteen possible servers their email
might leave the network through.  This is probably best addressed by a
liaison individual to work with each particular mega-provider to educate
them as to what their customers will be asking for and why they need it.
Meng has been doing this largely by himself, but the landscape is too big
for him to cover alone.  I would be willing to jawbone some of these folks
if anyone can provide the appropriate contacts.  We would need a contact who
can listen to a sales pitch and make decisions for their organization, not a
typical help-desk person, even if they have great technical skills.  If
anyone has contacts and wants to run with it themselves, you know what
people will need.  Maybe we can help them develop include records that will
cover large groups of customers so they can give their customers an easy,
less technical solution, though it requires one more DNS query (grrrr).

--

Seth Goodman
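As an added illustration of the record mechanics argued over above (not code from the list or from either poster), here is a minimal SPF evaluator covering the a:, ip4:, include: and all mechanisms with the +, -, ~ and ? qualifiers. DNS lookups are replaced by a constructed in-memory table; the hostnames, addresses and records in it are made up for the example, not any real ISP's data.

```python
import ipaddress

# Constructed zone data (assumption, not real ISP records). smtp.isp.net plays
# the MSA from the thread; isp.net publishes a record a customer could include:.
DNS = {
    "example.org":   {"TXT": "v=spf1 a:smtp.isp.net ~all"},      # default "+" on a:
    "soft.example":  {"TXT": "v=spf1 ~a:smtp.isp.net -all"},     # explicit "~" on a:
    "other.example": {"TXT": "v=spf1 include:isp.net -all"},     # delegates to the ISP
    "isp.net":       {"TXT": "v=spf1 ip4:192.0.2.0/24 -all"},
    "smtp.isp.net":  {"A": ["198.51.100.10"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, depth=0):
    """Return the SPF result for a message from `ip` claiming `domain`."""
    if depth > 10:
        return "permerror"          # bound include: recursion
    txt = DNS.get(domain, {}).get("TXT")
    if not txt or not txt.startswith("v=spf1"):
        return "none"               # no record at all gives "none"
    addr = ipaddress.ip_address(ip)
    for term in txt.split()[1:]:
        qualifier = "+"             # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            # a: matches when the sending IP is an A record of the named host
            matched = str(addr) in DNS.get(arg or domain, {}).get("A", [])
        elif name == "include":
            # include: matches only if the referenced record evaluates to pass
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"      # mechanism not supported by this toy
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                # fell off the end of the record
```

Evaluating example.org for a message relayed through 198.51.100.10 returns "pass" regardless of who submitted it to the MSA, which is exactly the objection raised to a bare a:smtp.isp.net, while soft.example returns "softfail" for the same relay.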

