On 11/18/04 10:44 AM, "wayne" <wayne(_at_)midwestcs(_dot_)com> wrote:
> Now, the folks involved with CSV (Dave C, John L, Doug O, etc.) claim
> that checking the HELO domain against SPF records isn't as good as
> doing CSV checks.
> ...
> Can you explain the difference to me?
> Is this difference significant enough to justify having all your
> whitelisted domains implement two very similar systems?...
I'm going to try to keep this in the realm of "compare SPF to CSV for this
purpose" and stay away from the "Is CSV good or bad" side of things. Keep
me honest ok? :)
My opinion is: No, for the purposes of whitelisting, SPF and CSV work
similarly.
My understanding of whitelisting:
- Quickly determine if the IP of the client goes with the HELO name
- Quickly determine if a name is on the OK list
- Manage the list of allowed names easily (e.g. by domain suffix)
My understanding of CSV as it relates to whitelisting:
- Can determine if the IP of the client goes with the HELO name
My understanding of SPF as it relates to whitelisting:
- Can determine if the IP of the client goes with the HELO name
CSV's proponents have made the point that since CSV has a much more limited
application (i.e. it *only* does HELO name::ip correlation) that this
therefore means it is inherently better for the applications it does
support. The argument goes something like, since it only does that one
job, it's easier to configure for that, and less likely to give you
confusion and heartburn by having other features as well. I don't quite
buy this line of reasoning, but perhaps I'm not understanding it completely.
--Matthew Elvey <matthew(_at_)elvey(_dot_)com> wrote:
> Here are some simple explanations of why checking the HELO domain against
> SPF records isn't as good as doing CSV checks.
> This coming from someone who thinks it's a good idea to try (and thinks
> he came up with the idea) but recognizes it has weaknesses, which I've
> attempted to address a long time ago in this thread. I believe
> standardizations I suggested address most but not all of them.
I would totally agree with you here. I think it's to everyone's advantage
to try. If it works as well (or mostly as well) everyone wins.
> I. Surely, you understand that the SPF record discovery algorithm is
> inherently less efficient/more costly than CSV's. That's obvious, no?
> How many DNS queries does it take to resolve elvey.com's SPF record to a
> list of IPs? A dozen or so?
This line of reasoning (IMO) breaks down to something like:
- CSV is simpler because it has fewer moving parts (some might say "fewer
  features")
- You need a way to associate names to IPs for your HELO name
- As simple as you need, but no simpler.
Good argument, but it hinges on a fourth crucial point:
- User wants HELO name protected, and nothing else.
That is, if you want whitelisting for your HELO name and you DON'T want
MAIL FROM protection or any other SPF features, you implement CSV and
don't implement SPF and it's a simpler solution. Fewer moving parts.
On the other hand, if you want MAIL FROM or any other SPF features, you
will want to implement SPF, not SPF and also CSV. Meaning that if you
believe that simplicity and fewer moving parts is of paramount importance,
CSV is your thing. If you want the other features too, SPF is your thing.
The trouble is that it isn't a decision you can make by just shopping for
the right thing for your needs, like you can with shrinkwrapped software.
It's all about interoperability, so as a big player you need to decide
which protocol serves most of the needs of most of the people the best.
I submit that simplicity is not the paramount issue when dealing with
protocols. A wide variety of users will want a wide variety of features.
> II. Here are some simple, concrete examples of where checking the HELO
> domain against SPF records isn't as good as doing CSV checks.
> 1) The domain owner used an SPF wizard (M$' or pobox's) to create an SPF
> record. The wizards are buggy. They don't take steps to ensure that the
> owner creates an SPF record that will match the HELO domains his servers use.
I would agree that this is true. I think it's easy to fix, once more
people get interested in whitelisting by HELO name.
> 2) The SPF record contains ?all, or ?ip4:. We need a standard that
> defines whether these should be ignored. (IMO, yes)
I don't see how ?mechanism: is a problem. CSV has an "unknown" mode too,
correct? Is it the unknown mode in general that's the issue, or that you
think the rules should be different when looking for a HELO match?
> 3) The SPF record contains +all. We need a standard that defines whether
> this should be ignored. (IMO, yes)
> 4) The SPF record contains +63.0.0.0/5, or +63.0.0.0/8, or +63.0.0.0/16
> or +63.0.0.0/24. We need a standard that defines whether these should be
> ignored. (discussed earlier in this thread.)
> 5) Because of issues such as 1-4, and others, a CSV record is more
> amenable to being the basis of accreditation and reputation.
What? I don't get it, probably for the same reasons as #2...?
> III. SPF provides no mechanism for determining how to determine a
> domain's reputation. CSV does.
Wait a second, I didn't see that in the draft I read. Anyway I'm confining
myself to whitelisting right now, not reputation.
> Note, there are other *important* differences (SPF checks against HELO
> are inherently much more vulnerable to DNS security attacks than CSV;
I don't personally think this is actually true, but for the sake of
argument I'll concede that it might be true. Not the most important factor
by a long shot, but might be true.
> the meaning of "checking the HELO domain against SPF records" is vague;
It needn't be. If we decide to use SPF HELO as a criterion for
whitelisting, then the maintainer of the list can add only those domains
that the domain owner indicates are going to be used in the agreed-on
fashion. For example they would probably not want to whitelist
*.example.net, but they might want to whitelist *.outmx.example.net instead.
The "meaning" of the SPF check itself is an assertion that the use of X
name by Y IP is allowed. CSV has the added assertion that "using this IP
as an SMTP client is OK per the domain owner". SPF has the added assertion
that "this IP is allowed to use the name as HELO or MAIL FROM". Any
additional subjective meaning (like what the domain owner agrees to by
submitting his domain to the whitelist owner) is not covered by either.
> a CSV record is more amenable to being the basis of accreditation and
> reputation ...)
This is either begging the question (A because A) or there is some
information implied but missing. Is CSV inherently better for
accreditation because it doesn't have extra modifiers like "accredit="?
> IMO, a relatively readable explanation of some of these
> objections and more can be found at:
> http://www.csvmail.org/email-authentication-summit-comments-P044411.pdf ,
> but it's not as clear as I. - III.
I will take a look at that.
--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
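As an added illustration (not part of the thread or of any SPF or CSV implementation) of the points raised under II above: a minimal SPF evaluator for ip4/ip6/all terms, plus an audit that flags the record features the thread says need a standard before an SPF record can be trusted for HELO whitelisting (?all, +all, ?ip4:, and very broad ip4 ranges). The records, the domain names, the IPs and the "/24 or longer" threshold are constructed assumptions; the code does no DNS lookups and ignores include/redirect/a/mx/ptr, so the "record discovery cost" point under I is out of scope here.

```python
import ipaddress

# Constructed sample records standing in for TXT lookup results.
# They are not the real records of any domain named in the thread.
SAMPLE_RECORDS = {
    "outmx.example.net":  "v=spf1 ip4:192.0.2.10 ip4:192.0.2.11 -all",
    "wizard.example.org": "v=spf1 ip4:198.51.100.0/24 ?all",
    "open.example.com":   "v=spf1 +all",
    "broad.example.com":  "v=spf1 ip4:63.0.0.0/8 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Assumption for this example: a HELO whitelist should only trust prefixes
# at least this long; shorter (broader) ranges are flagged.
MIN_TRUSTED_PREFIXLEN = 24


def split_term(term):
    """Split an SPF term into (qualifier, mechanism name, argument)."""
    qualifier = "+"
    if term[0] in QUALIFIERS:
        qualifier, term = term[0], term[1:]
    name, _, arg = term.partition(":")
    return qualifier, name.lower(), arg


def evaluate_spf(record, client_ip):
    """Evaluate ip4/ip6/all mechanisms left to right, as check_host() does.

    Returns pass/fail/softfail/neutral, 'none' for a non-SPF record, and
    'permerror' for any mechanism this toy does not implement. With no
    matching mechanism and no 'all', SPF's result is neutral.
    """
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier, name, arg = split_term(term)
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # Address-family mismatch simply does not match.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
            continue
        return "permerror"  # include/redirect/a/mx/ptr not modelled here
    return "neutral"


def audit_for_helo_whitelist(record):
    """Return warnings for features that make a record unfit as a HELO
    whitelist basis: ?all, +all, ?ip4:, and ranges broader than the threshold."""
    warnings = []
    for term in record.split()[1:]:
        qualifier, name, arg = split_term(term)
        if name == "all" and qualifier in ("+", "?"):
            warnings.append(f"{qualifier}all")
        elif name == "ip4":
            if qualifier == "?":
                warnings.append(f"?ip4:{arg}")
            net = ipaddress.ip_network(arg, strict=False)
            if net.prefixlen < MIN_TRUSTED_PREFIXLEN:
                warnings.append(f"broad range ip4:{arg} (/{net.prefixlen})")
    return warnings


def helo_whitelist_ok(helo_name, client_ip, records=SAMPLE_RECORDS):
    """Whitelist only when the record is clean under the audit and the
    client IP gets an unambiguous 'pass' for the HELO name."""
    record = records.get(helo_name)
    if record is None:
        return False
    if audit_for_helo_whitelist(record):
        return False
    return evaluate_spf(record, client_ip) == "pass"


if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        print(name, audit_for_helo_whitelist(record) or "clean")
    print(helo_whitelist_ok("outmx.example.net", "192.0.2.10"))
    print(helo_whitelist_ok("open.example.com", "203.0.113.5"))
```

The audit is deliberately separate from the evaluation: a `+all` record yields a perfectly valid SPF "pass" for any IP, which is exactly why the thread asks for a standard saying whether such records count for HELO whitelisting at all.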