spf-discuss

Re: Time to start rejecting on neutral?

2005-05-17 04:18:23
I've been saying since day one, that SPF attempts to block the loopholes in
SMTP by introducing new loopholes.

The whole idea of NEUTRAL and SOFTFAIL, or "relaxed provisions" as I called
it, was flawed.  In my strong technical design opinion, it is a MAJOR
loophole in the SPF specification.

Yet, I understood the migration reasons.  My suggestion was to make it TIME
LIMITED.

In other words, a server should record the first-time usage of SPF relaxed
results and only allow it to be used for a default X time period per
specification, maybe 4, 5, 6 months or whatever the community feels is a
good default value.  But the server ultimately should be allowed to decide
how long a client can use a relaxed provision against the server.

In short, a relaxed SPF domain policy should not be a FOREVER policy. It
needs to be time limited at a minimum.  A network should be given the time
to migrate, but eventually they need to get off their butts and finish the
job of securing their network.

I've been saying this since day one.

PS:

Is Santronics the only commercial company using SPF directly at the SMTP
product level?

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com


----- Original Message -----
From: "Stuart D. Gathman" <stuart@bmsi.com>
Newsgroups: spf.-.sender.policy.framework.discussion
To: <spf-discuss@v2.listbox.com>
Sent: Monday, May 16, 2005 3:09 PM
Subject: [spf-discuss] Time to start rejecting on neutral?


We (and our customers) have been bombarded by a boatload of German spam.
One characteristic of this spam is that the (forged) MAIL FROM is always a
domain with an SPF record that returns NEUTRAL for the zombie's IP. It is
as if the zombie program screens potential forged MAIL FROMs to ensure
that they have an SPF record and won't get a FAIL.

I already reject NEUTRAL for commonly forged domains (e.g. aol.com), but
this new attack may lead to rejecting NEUTRAL results across the board.

Comments?  (Other than noting that the draft RFC says NEUTRAL MUST BE
treated the same as NONE.  My MTA, my rules.)

Oh, ironically, the most popular forged domain with a NEUTRAL result
is pobox.com. :-)  Apparently, pobox.com redirects to a user specific
SPF record.  So all a spammer has to do is sign up, create an
SPF record for their account of 'v=spf1 ?all', and spam away with
a mail from domain of pobox.com.

--
       Stuart D. Gathman <stuart@bmsi.com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
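The two policies discussed in this thread, a per-domain rejection of NEUTRAL and a time-limited "relaxed provision", sketched as one MTA-side decision function. This is an added, hypothetical example, not code from Santronics, BMS or any SPF library; it assumes the MTA has already run its SPF check and hands over the result as a lower-case string, and the 6-month default grace period is an assumed value.

```python
import time

# Constructed example: the SPF result strings are assumed to be the MTA's
# own check output, lower-cased: pass, fail, softfail, neutral, none,
# temperror, permerror.
RELAXED_RESULTS = {"neutral", "softfail"}


class RelaxedSpfPolicy:
    """Time-limited relaxed provision plus per-domain NEUTRAL rejection.

    The first time a MAIL FROM domain yields NEUTRAL or SOFTFAIL, the server
    records when it saw it.  Relaxed results keep being accepted only until
    grace_seconds have elapsed since that first sighting; after that the
    domain is treated as if it had returned FAIL.  Domains listed in
    reject_neutral_for have NEUTRAL rejected outright from the start.
    """

    def __init__(self, grace_seconds=180 * 24 * 3600, reject_neutral_for=()):
        self.grace_seconds = grace_seconds            # assumed default: ~6 months
        self.reject_neutral_for = {d.lower() for d in reject_neutral_for}
        self.first_relaxed_seen = {}                  # domain -> epoch seconds

    def decide(self, mail_from_domain, spf_result, now=None):
        """Return 'accept', 'reject' or 'tempfail' for one MAIL FROM."""
        now = time.time() if now is None else now
        domain = mail_from_domain.lower()
        result = spf_result.lower()

        if result in ("pass", "none"):
            return "accept"         # explicitly authorized, or no policy published
        if result in ("fail", "permerror"):
            return "reject"         # policy says no, or the record is unusable
        if result not in RELAXED_RESULTS:
            return "tempfail"       # temperror or unknown string: retryable, never accept

        if result == "neutral" and domain in self.reject_neutral_for:
            return "reject"         # commonly forged domain: no NEUTRAL allowance

        # Record the first relaxed sighting and enforce the grace window.
        first = self.first_relaxed_seen.setdefault(domain, now)
        if now - first > self.grace_seconds:
            return "reject"         # migration period over: treat like FAIL
        return "accept"
```

The store of first sightings is in-memory here; a real MTA would persist it so the clock does not restart on every daemon reload.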

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Read the whitepaper!  http://spf.pobox.com/whitepaper.pdf