spf-discuss

Re: spf

2005-04-14 15:12:39
On Thu, Apr 14, 2005 at 04:31:30PM -0400, Andrew Gutkowski wrote:
> I will look into possibly listening on an additional port with our smtp
> server.  I am not aware of a way to do this currently.  For now, I have
> removed our spf records as we have no other options at this time.

You needn't remove your spf record; you could simply change the ending
"-all" to an "?all" for the time being.  That would mean that internal
mail can get an spf PASS, but externally-sent mail (valid or not), would
get a NEUTRAL result.

(You could add another layer of complication by putting a "-exists:"
macro before the final "?all", and arrange for that macro to match with
certain email addresses.  That would mean that "MAIL FROM
postmaster@college.com", for instance, would always result in an spf
FAIL when sent from outside the network.  It's probably easier just to
fix your mailserver though.)

> What are other corporations and institutions who use GroupWise doing
> for this?

I can't talk for those other corporations and institutions, but if your
institution wants to resolve the problem, I am sure there are
consultants on this list who would be happy to talk with you about
upgrading your external mail servers, or adding a better mailserver as
your external interface to the Internet.  :-)

> There are 35 million people running GroupWise.  If this
> doesn't work with GroupWise, how is spf going to be effective?

It's quite simple.

As more groups with properly-functioning mailservers publish SPF
records, forgers will start to concentrate on the domains that don't
publish SPF records that end with "-all".

Whether the domain owners don't publish because they don't know about
SPF, or whether they don't publish because they are using substandard
mailservers, (sorry), more and more *those* domains are the domains that
will be forged.

As the domains that those 35 million GroupWise accounts are on become
more commonly forged, those domains will get worse and worse reputations,
and more and more often mail from those domains will be rejected.

(I'm assuming that domain-name-based block lists will spring up.)

To me that's very effective--domains that allow forgeries become slowly
cut off from the mail system.  IMHO, that's as it should be--I don't
want to accept mail from a domain if most of the mail from that domain
is a forgery!

Over time, owners of mailsystems that allow for these sorts of forgeries
are going to want to fix this problem with their systems, just as most
owners of mailsystems years ago decided to fix their open relays.

-- 
Mark Shewmaker
mark(_at_)primefactor(_dot_)com
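An added example, not part of the thread, showing how the three record shapes discussed above ("-all", "?all", and "-exists:" before "?all") evaluate for an internal sender, an external sender, and an externally-sent postmaster address. DNS is replaced by a constructed lookup table; the 192.0.2.0/24 range, the %{l}._spf.college.com name and the macro form are assumptions.

```python
import ipaddress

# Constructed stand-in for DNS: names that would return an A record.
# The exists: mechanism matches when the expanded name resolves at all,
# so listing the postmaster name makes forged postmaster mail FAIL.
FAKE_DNS_A = {
    "postmaster._spf.college.com",
}

def expand_macro(term, sender):
    """Expand the two SPF macros used here: %{l} (local part), %{d} (domain)."""
    local, _, domain = sender.partition("@")
    return term.replace("%{l}", local).replace("%{d}", domain)

def check_host(ip, sender, record):
    """Evaluate an SPF record for a connecting IP and MAIL FROM address.

    Returns PASS, FAIL, SOFTFAIL, NEUTRAL, or NONE (no mechanism matched).
    Supports ip4:, exists:, and all, with the qualifiers + - ~ ?.
    """
    qualifiers = {"+": "PASS", "-": "FAIL", "~": "SOFTFAIL", "?": "NEUTRAL"}
    terms = record.split()
    assert terms[0] == "v=spf1"
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is "+"
        if term[0] in qualifiers:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith("ip4:"):
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("exists:"):
            matched = expand_macro(term[7:], sender) in FAKE_DNS_A
        else:
            raise ValueError(f"unsupported mechanism: {term}")
        if matched:
            return qualifiers[qualifier]     # first match decides the result
    return "NONE"

STRICT = "v=spf1 ip4:192.0.2.0/24 -all"
RELAXED = "v=spf1 ip4:192.0.2.0/24 ?all"
WITH_EXISTS = "v=spf1 ip4:192.0.2.0/24 -exists:%{l}._spf.college.com ?all"

if __name__ == "__main__":
    for record in (STRICT, RELAXED, WITH_EXISTS):
        print(record)
        print("  internal user:      ", check_host("192.0.2.10", "user@college.com", record))
        print("  external user:      ", check_host("198.51.100.7", "user@college.com", record))
        print("  external postmaster:", check_host("198.51.100.7", "postmaster@college.com", record))
```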

