spf-discuss

Re: Using best-guess

2004-12-21 22:04:09
...... Original Message .......
On Mon, 20 Dec 2004 21:22:56 -0500 Meng Weng Wong
<mengwong(_at_)dumbo(_dot_)pobox(_dot_)com> wrote:
On Mon, Dec 20, 2004 at 04:52:07PM -0500, Stuart D. Gathman wrote:
|
| There was a proposal for a "zone-cut" default mechanism for SPF clients,
| but it is not widely implemented.
|

it might be easier to implement the default suggested by
gconnor:

if the host has an MX record but no SPF record, use
best_guess "a/24 mx/24 ptr".

if the host has an A record but no MX record and no SPF
record, use best_guess "a/24".

Defining these defaults into the spec would have the effect
of correctly taking care of a majority of cases; only those
cases which are not already correctly described by the above
would have to publish records.

--Scott Kitterman <spf2(_at_)kitterman(_dot_)com> wrote:
I would suggest that best guess records should produce a NEUTRAL result
if they match.  Best guess is a good way to reject lots of obvious
forgeries, but probably a poor way to establish authorization.

I'm thinking no one should have their reputation suffer or end up on a
RHSBL because of a best guess match.


Scott- I agree with the concerns. "Best guess" doesn't mean "accountable" because the domain owner has made no statement authorizing any MTA to send the mail.

I submit that "best guess" is still a great tool for implementing a receiver policy. It's basically a way for receivers to comb through large amounts of mail looking for "probably not forged". It should not be used in all the contexts that an SPF PASS might be (such as sticking your domain on an RHSBL).

I don't think I would want "best guess" to be an official part of the spec. It really should be its own document, like a "best practices statement". Some real-world data from large-scale receivers would back this up nicely.

Note that best-guess doesn't have an -all at the end, so ?all is assumed. That means if we use neutral for the rest of the record as well (?a/24 ?mx/24 ?ptr) it ends up being pretty much a noop.

The real trick will be to use it to get a PASS result when the sender is "almost certainly under the same management as the domain" - but we should be careful to mark the result as "No SPF - Using best guess". (I'm assuming if you were going to use SPF results to add spammer domains to an RHSBL that you would require some sort of trace/audit header like Received-SPF: so this is probably a good place to record that info.)

Who knows, depending on the purpose of the RHSBL, perhaps I would want the spam-from-best-guess-mailer to be listed as well. Either that or I would have two RHSBLs, one would be "Known spammer domains" and the other would be "Spam from Best Guess" - that way you can at least quit applying Best Guess to those domains that spam would otherwise get in.


Question for anyone familiar with the various SPF plugins and libraries - which ones do or don't implement "best guess", and how do they record a Pass result? Is best guess Pass logged differently from regular SPF Pass?

Also, question for anyone who has used the Best Guess feature in a large scale receiving environment - does Best Guess give you a notable increase in Pass results received? How do you use the resulting data?
--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
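To make the thread's points concrete, here is an added illustration (not code from the original post, nor from any SPF library or plugin) of a receiver-side check_host() that falls back to gconnor's best-guess defaults quoted above, keeps the result tagged as "best-guess" rather than a real SPF pass, and shows why a best-guess record without -all ends in neutral when nothing matches. The DNS data, domain names and IP addresses are constructed for the example, the evaluator only understands a/mx/ptr/ip4/all with an optional /cidr length, and the Received-SPF comment text is a simplified placeholder format rather than any library's exact output.

```python
"""Simplified SPF check_host() with the thread's "best guess" default (added example)."""
import ipaddress

# Constructed zone data for the example; these are documentation-range addresses, not real hosts.
DNS = {
    ("withspf.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
    ("withspf.example", "A"): ["198.51.100.5"],
    ("mxonly.example", "MX"): ["mail.mxonly.example"],
    ("mail.mxonly.example", "A"): ["203.0.113.10"],
    ("aonly.example", "A"): ["192.0.2.40"],
    ("ptronly.example", "MX"): ["mx.provider.example"],
    ("mx.provider.example", "A"): ["198.51.100.9"],
    ("ptronly.example", "A"): ["192.0.2.80"],
    ("relay.ptronly.example", "A"): ["203.0.113.50"],
    ("50.113.0.203.in-addr.arpa", "PTR"): ["relay.ptronly.example"],
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query against the constructed zone data."""
    return DNS.get((name, rtype), [])


def spf_record(domain):
    """Return the published SPF record, or None when the domain has not published one."""
    for txt in lookup(domain, "TXT"):
        if txt.startswith("v=spf1 "):
            return txt
    return None


def best_guess_record(domain):
    """gconnor's proposed defaults: MX present -> 'a/24 mx/24 ptr'; only an A record -> 'a/24'."""
    if lookup(domain, "MX"):
        return "v=spf1 a/24 mx/24 ptr"
    if lookup(domain, "A"):
        return "v=spf1 a/24"
    return None


def in_net(ip, target_ip, prefix):
    """True when ip falls inside target_ip/prefix (prefix 32 means an exact match)."""
    net = ipaddress.ip_network(f"{target_ip}/{prefix}", strict=False)
    return ipaddress.ip_address(ip) in net


def reverse_name(ip):
    """Build the in-addr.arpa name used for the PTR lookup."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def mechanism_matches(ip, domain, mech):
    """Evaluate one mechanism (qualifier already stripped); supports a, mx, ptr, ip4, all."""
    body, _, cidr = mech.partition("/")
    prefix = int(cidr) if cidr else 32
    name, _, arg = body.partition(":")
    target = arg or domain
    if name == "all":
        return True
    if name == "ip4":
        return in_net(ip, arg, prefix)
    if name == "a":
        return any(in_net(ip, a, prefix) for a in lookup(target, "A"))
    if name == "mx":
        return any(in_net(ip, a, prefix)
                   for host in lookup(target, "MX") for a in lookup(host, "A"))
    if name == "ptr":
        for host in lookup(reverse_name(ip), "PTR"):
            # Validated PTR: the name must sit under the domain and resolve back to the IP.
            if (host == target or host.endswith("." + target)) and ip in lookup(host, "A"):
                return True
        return False
    raise ValueError(f"unsupported mechanism: {mech}")


def check_host(ip, domain):
    """Return (result, source); source is 'spf' for a published record, 'best-guess' otherwise."""
    record, source = spf_record(domain), "spf"
    if record is None:
        record, source = best_guess_record(domain), "best-guess"
    if record is None:
        return "none", "none"
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        if mechanism_matches(ip, domain, term.lstrip("+-~?")):
            return RESULT_FOR_QUALIFIER[qualifier], source
    return "neutral", source  # no explicit "all" term, so the implicit "?all" applies


def received_spf(ip, domain):
    """Trace header recording whether the result came from a real record or a best guess."""
    result, source = check_host(ip, domain)
    note = "No SPF - Using best guess" if source == "best-guess" else "SPF record published"
    return f"Received-SPF: {result} ({note}) client-ip={ip}; envelope-from=@{domain}"


def rhsbl_eligible(ip, domain):
    """Receiver policy: only a pass from a published record counts as the domain vouching for the MTA."""
    result, source = check_host(ip, domain)
    return result == "pass" and source == "spf"


if __name__ == "__main__":
    for ip, domain in [("198.51.100.5", "withspf.example"), ("203.0.113.10", "mxonly.example"),
                       ("198.51.100.77", "mxonly.example"), ("203.0.113.50", "ptronly.example")]:
        print(received_spf(ip, domain), "| rhsbl-eligible:", rhsbl_eligible(ip, domain))
```

The mxonly.example case with 198.51.100.77 shows the point made about the missing -all: with no A, MX or validated PTR match, the best-guess record ends in the implicit ?all and the result is neutral, so neither a best-guess pass nor a best-guess neutral feeds the RHSBL decision; only a pass from a record the domain owner actually published does.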