spf-discuss

Re: Re: Draft amendments on DNS lookup limits

2005-03-20 10:29:29
Frank Ellermann wrote:
I'd use frank(_dot_)ellermann(_at_)t-online, not nobody(_at_)xyzzy.  In fact
the T-O server I use _fixes_ MAIL FROM and From whatever I say.

There it is!

T-Online does not allow vanity domains to use their MTA infrastructure.
Let's close this: T-Online is a non-issue. No mailers of theirs should appear in anyone's SPF records. Period!


But they have other servers which accept what the user says -
not for my account, and I won't pay for the liberty to use any
identity.  For nobody(_at_)xyzzy it would be useless, that's only
a vanity host, and I can't add what I like to its SPF policy.

Perhaps you speak of "T-Online France - Club Internet".
club-internet.fr does publish SPF, and an inexpensive one:

"v=spf1 ip4:194.158.104.0/24 ip4:194.158.107.10/31 ip4:194.158.96.0/24 ip4:194.158.99.10/31 ip4:213.44.120.91 ?all"

t-online.fr also publishes a nice SPF record:

"v=spf1 ip4:194.158.96.23 ip4:213.44.120.46/31 ip4:213.44.120.91 ?all"

Perhaps the German branch of T-Online will also publish, like their subsidiaries do.


Please base your arguments on ISPs other than t-online.de.

Then replace it by another big ISP.  And a sudden outbreak of
intelligence among ISPs is none of my assumptions.  I'm still
stunned that RR was willing to simplify its SPF policy.  That's
near to avant-garde.  Any scheme depending on major worldwide
updates is by definition a FUSSP and never works.  Hell freezes
before the likes of Wanadoo or SpamCast do something, let alone
the right thing.  But SPF as it is works for those who want it,
let's _not_ try to pervert it into a FUSSP by new restrictions.

"Another" is not an ISP. Give me a name, not hand-waving.
Name one other big ISP that publishes SPF records.

How about aol.com, or verizon, or bellsouth, or earthlink ?
RR is willing to change, in fact they came to us. I think that shows more than just willingness to make it work. I would not be surprised to see the same willingness from others.

Of the ISPs listed at http://www.senderbase.org/search?page=domains
(this is where most of the world's email comes from):

Out of 100 listed ISPs, 17% publish SPF. Their records look like so:

Queries   # of domains:

  01          5
  02          4
  03          1
  04          1
  05          2
  07          2
  10          1
  12          1

verizon.net          |     01-01     | 00-00 | 00-00 | 00-00 | 00-00 |
charter.com          |     01-01     | 00-00 | 00-00 | 00-00 | 00-00 |
bellsouth.net        |     01-01     | 00-00 | 00-00 | 00-00 | 00-00 |
inter.net.il         |     01-01     | 00-00 | 00-00 | 00-00 | 00-00 |
earthlink.net        |     01-01     | 00-00 | 00-00 | 00-00 | 00-00 |
telepac.pt           |     02-02     | 01-01 | 00-00 | 00-00 | 00-00 |
aol.com              |     01-02     | 00-00 | 00-01 | 00-00 | 00-00 |
theplanet.com        |     02-02     | 01-01 | 00-00 | 00-00 | 00-00 |
blueyonder.co.uk     |     02-02     | 00-00 | 00-00 | 01-01 | 00-00 |
adelphia.net         |     03-03     | 00-00 | 00-00 | 01-01 | 01-01 |
gmail.com            |     02-04     | 00-00 | 00-00 | 01-03 | 00-00 |
hotmail.com          |     02-05     | 01-04 | 00-00 | 00-00 | 00-00 |
netcabo.pt           |     01-05     | 00-04 | 00-00 | 00-00 | 00-00 |
rr.com               |     01-07     | 00-00 | 00-00 | 00-05 | 00-01 |
tamsmtp.com          |     03-07     | 00-01 | 00-00 | 01-03 | 01-02 |
emailebay.com        |     03-10     | 01-08 | 00-00 | 00-00 | 01-01 |
ebay.com             |     03-12     | 00-08 | 00-00 | 01-02 | 01-01 |


So eBay will have to fix their records (they use a convoluted set of recursive includes, each pointing to a short list of IPs between 72 bytes and 165 bytes; they could spfcompile their records into 2 records of 408 bytes each. This would require 2 queries.)

Then again, ebay is not an ISP, and will not allow your mail through their servers, so if they publish 10-query records, it doesn't affect any vanity domain's ability to publish SPF within the limit of 10.

rr.com has shown willingness to comply with limits. They may be willing to spfcompile their records once the compiler is available.

I don't know about tamsmtp.

I also think it's unwise for you to assume the ISPs to be stupid. Ask them to change, and then tell us about their response. Substantiate your claims.


Hundreds of patent holders and FUSSP inventors only wait
for a stunt like this, and then kill SPF with a reason.


Explain why please?


They want SPF to fail, because they have a commercial FUSSP
doing something in the direction of "anti-spam" which is not
free.  Or they have a commercial PKI where they could sell
certificates if only nobody finds a simpler scheme not based
on signatures / encryption.  They work for MicroSoft, VeriSign,
Cisco, MAPS, Symantec, Brightmail, Maillabs and what else, and
these companies sell solutions, they generally don't distribute
them for free.  "Anti-Spam" is an industry.

SPF is dangerously close to a lever to change this industry.
I hope that I'm not megalomaniac, but I think that SPF is the
last chance to save SMTP as it is.

Substantiate your claim. On what grounds would they attack an SPF that is trying to be as efficient and inexpensive of a proposition as possible, while doing so in an organized, researched and responsible manner?

On your list, Cisco, Symantec, Microsoft support SPF by publishing records. Their records are short, except for Microsoft.

If SPF is weak enough to not sustain the propaganda of "competitors", then it deserves to die. I'm not convinced that those players are competitors though. They NEED or CAN USE SPF to make their solutions more compelling.

Perhaps you've forgotten, SPF is not an anti-spam product, it is a FRAMEWORK that enables other anti-spam products to be more accurate.

Your fears are unfounded as far as I can tell.

Maybe combined with an updated test suite, and a new reference
implementation.  But if you have some text ready for a part of
this it's also fine.  If you love the peculiar I-D format you
could use Wayne's XML as boilerplate.  Or my XML attempt with
the op= modifier (less text to delete to get a boilerplate ;-)

I think first we need some agreement. It's easy to write a document.

By the way, everyone got quiet seeing the truth of the numbers; I can only guess that they are beginning to agree. But maybe they're taking the weekend off.

I think it handles the "iburnu.com" worm quite poorly, to my
understanding. No-one has ever denied it, or had any
arguments against it.

That's the first time that I see "iburnu.com worm", is that
something I need to know if I'm only interested in a perfect
v=spf1 RfC ?

It is something you should be aware of if you plan on running an MTA that checks SPF. The burden is put on the recipient. See:

http://www.gossamer-threads.com/lists/spf/discuss/17934#17902


BTW, the stuff about 512, UDP, DNS:  I never checked all the
details, but it's some kind of compression with offsets and
lengths.  If you have the same sequence of bytes in a DNS
reply, you can address it with a "near pointer" - very vague,
but maybe it explains why there's no precise limit.

No more handwaving, please!


Regards,
Radu.
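The thread argues about how many DNS queries a receiver must make to evaluate a record with nested includes, and about "spfcompiling" such records into a couple of flat TXT strings that still fit a 512-byte UDP answer. The following is an added example, not code from the spf-discuss post or from any of the ISPs named in it: it walks an SPF include/redirect chain against a constructed in-memory zone (the domain names under .test are hypothetical, the addresses are documentation ranges), counts the lookups the way the table above appears to (the initial TXT fetch counts as one), flattens the chain into plain terms, and packs the result into chained TXT records of bounded size. The 450-byte default is an assumption chosen to leave room for the DNS header, question and RR overhead inside 512 bytes.

```python
"""Count SPF DNS lookups and 'spfcompile' nested includes (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Mechanisms that each cost one DNS lookup under RFC 4408; 'redirect' costs one too.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
LOOKUP_LIMIT = 10  # the limit the thread discusses

# Constructed zone for the example (hypothetical names; not real ISP records).
ZONE: Dict[str, str] = {
    "example-isp.test": "v=spf1 include:_spf-a.example-isp.test include:_spf-b.example-isp.test ~all",
    "_spf-a.example-isp.test": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.10/31 -all",
    "_spf-b.example-isp.test": "v=spf1 ip4:203.0.113.0/25 include:_spf-c.example-isp.test -all",
    "_spf-c.example-isp.test": "v=spf1 mx a:relay.example-isp.test ip4:203.0.113.128/25 -all",
    "loop.test": "v=spf1 include:loop.test -all",  # pathological: includes itself
}

TERM_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:[:=/](.*))?$", re.I)
Term = Tuple[str, str, Optional[str], str]  # (qualifier, name, argument, raw token)


def parse(record: str) -> List[Term]:
    """Split a v=spf1 string into terms; qualifier defaults to '+'."""
    if not record.lower().startswith("v=spf1"):
        raise ValueError("not an spf1 record")
    terms = []
    for tok in record.split()[1:]:
        m = TERM_RE.match(tok)
        if not m:
            raise ValueError(f"bad term {tok!r}")
        terms.append((m.group(1) or "+", m.group(2).lower(), m.group(3), tok))
    return terms


def count_lookups(domain: str, zone: Dict[str, str], path: Tuple[str, ...] = ()) -> int:
    """DNS lookups needed to evaluate `domain`: the TXT fetch itself plus one per
    include/a/mx/ptr/exists term and redirect modifier, recursing into includes and
    redirects (whose own TXT fetch is the lookup the referencing term costs).
    Include loops raise; a real checker must cap these rather than spin."""
    if domain in path:
        raise ValueError(f"include loop at {domain}")
    total = 1
    for _, name, arg, _raw in parse(zone[domain]):
        if name in ("include", "redirect"):
            total += count_lookups(arg, zone, path + (domain,))
        elif name in LOOKUP_MECHANISMS:
            total += 1
    return total


def flatten(domain: str, zone: Dict[str, str], path: Tuple[str, ...] = ()) -> List[str]:
    """Inline include/redirect chains into one list of terms. Only '+' includes and
    '+' terms can be inlined safely: a '-ip4:' inside an include makes the include
    'not match', not 'fail', so copying it up would change the verdict. Each
    record's trailing 'all' is dropped; the compiled record supplies its own.
    a/mx/ptr/exists terms are kept verbatim because resolving them needs live DNS."""
    if domain in path:
        raise ValueError(f"include loop at {domain}")
    out: List[str] = []
    for qual, name, arg, raw in parse(zone[domain]):
        if name == "all":
            continue
        if qual != "+":
            raise ValueError(f"cannot inline non-'+' term {raw!r} from {domain}")
        if name in ("include", "redirect"):
            out.extend(flatten(arg, zone, path + (domain,)))
        else:
            out.append(raw)
    return out


def compile_records(domain: str, zone: Dict[str, str], final: str = "-all",
                    max_bytes: int = 450) -> Dict[str, str]:
    """'spfcompile': flatten, then pack terms into TXT strings of at most max_bytes.
    The first string is published at `domain`; overflow goes to hypothetical
    _spf1.domain, _spf2.domain, ... chained by include, so N records cost N lookups.
    (TXT strings over 255 octets must also be split into several <character-string>s
    on the wire; that is a zone-file detail not modelled here.)"""
    chain_tail = f"include:_spfX.{domain}"  # placeholder, same length as _spf1.._spf9
    chunks: List[List[str]] = [[]]
    for term in flatten(domain, zone):
        candidate = chunks[-1] + [term]
        if chunks[-1] and len(" ".join(["v=spf1", *candidate, chain_tail, final])) > max_bytes:
            chunks.append([term])
        else:
            chunks[-1] = candidate
    if len(chunks) > 9:
        raise ValueError("more than 9 chunks; raise max_bytes or reduce terms")
    names = [domain] + [f"_spf{i}.{domain}" for i in range(1, len(chunks))]
    records: Dict[str, str] = {}
    for i, (name, terms) in enumerate(zip(names, chunks)):
        tail = [f"include:{names[i + 1]}"] if i + 1 < len(names) else []
        records[name] = " ".join(["v=spf1", *terms, *tail, final])
    return records


if __name__ == "__main__":
    before = count_lookups("example-isp.test", ZONE)
    compiled = compile_records("example-isp.test", ZONE)
    after = count_lookups("example-isp.test", {**ZONE, **compiled})
    print(f"lookups before={before} after={after} (limit {LOOKUP_LIMIT})")
    for name, rec in compiled.items():
        print(f"{name}: {rec} ({len(rec)} bytes)")
```

Running the module on the constructed zone shows the chained version costing six lookups and the compiled version three (the TXT fetch plus the `mx` and `a` terms that cannot be flattened offline). Lowering `max_bytes` forces the packer to chain several short records, and re-flattening the compiled zone yields the same term list, which is the property a real compiler has to preserve.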