spf-discuss

Re: I hate to interrupt all this for something practical, but.... we need a concise, easy-to-follow set of SPF instructions in file format - anyone able to help?

2004-10-28 15:10:43

On Oct 27, 2004, at 23:13, Seth Goodman wrote:

From: guy
Sent: Wednesday, October 27, 2004 3:55 PM


For blocked port 25 systems..

2 issues:

My ISP does not list the outgoing SMTP systems. I and others had to send
test emails to generate the list. We found 10 of them. My ISP
does not do SPF yet. Your example is correct, but for me it was not easy.

Guy is right about this. Fortunately, there is a tool called SenderBase
maintained by IronPort that keeps track of the outgoing mail volume of most
ISPs, including lists of all their outgoing IPs. This was the tool I had
to use to figure out the outgoing MTA IP ranges used by my two providers.
Both of them later verified the accuracy of the information, though there is
no guarantee. I think it would be worthwhile to include some instructions
as to how to use this tool to accomplish the task. Please don't tell me I
just volunteered, because I didn't.


OK. You didn't volunteer, but you did raise a good practice we need to document. Basically, I was able to write the HOWTO because I was describing my own situation. (I don't have a blocked ports problem.) At a minimum we could suggest include:ISP.net.

To document the process of discovering your ISP's outbound MTAs will be a lot of work. For example, just trying to use SenderBase to determine the outbound MTAs for, say, Earthlink produces 198 entries. I doubt that we are going to be able to document how a SOHO user figures this out. Therefore, I think we need a different path than a HOWTO. Perhaps work with the SenderBase folks to provide a record, say, include:earthlink.net.senderbase.org. Or, if there are trademark issues, include:serialnumber.senderbase.org, and have SenderBase generate a serial number for each user on a web page that is unique to the user and their ISP. That way ISPs deal with the knowledgeable folks at IronPort. Or IronPort harvests this from the ISP's SPF record. Just like AOL wishes to use SPF to automatically manage its white list, IronPort could do the same. I bet it is trivial to set up using DJB's rbldns.



The "a:SMTP.ISP.net" tells the world to trust SMTP.ISP.net (since the
default is "+"). But this is not correct. Everyone who has
access to the SMTP server can forge your email address. You should use
"~a", which is neutral, but neutral is what you get if you have no SPF
record. This is stupid. I should be able to indicate that my ISP's SMTP
servers can be trusted more than any other SMTP server on the Internet,
but I can't trust them 100%. So, I use +, which is wrong. Oh, I have
read that some ISPs fail on neutral. You could use "include:ISP.net"
if your ISP has SPF records. Still the same neutral issue.


As to Guy's comment, yes, he is right. Yet in the spirit of rebuffing the perfect as the enemy of the good, I would still suggest that it is better to put some bounds on who can forge your domain name versus no mechanism at all. At least with my proposal, you have a business relationship with the ISP. That should allow you to discuss and stop any abuse of your domain that originates from their server. This is much, much better than nothing.


Andrew

____________________________________
Andrew W. Donoho
awd(_at_)DDG(_dot_)com, PGP Key ID: 0x81D0F250
+1 (512) 453-6652 (o), +1 (512) 750-7596 (m)


