spf-discuss

Re: Time to start rejecting on neutral?

2005-05-17 07:32:39

----- Original Message -----
From: "Alex van den Bogaerdt" <alex(_at_)ergens(_dot_)op(_dot_)het(_dot_)net>
Newsgroups: spf.-.sender.policy.framework.discussion
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Tuesday, May 17, 2005 8:35 AM
Subject: Re: [spf-discuss] Time to start rejecting on neutral?

> If someone wants to use "v=spf1 ?a:example.com -all", that's
> fine with me.  Should a user of example.com forge email, then
> this user can be tracked much more easily than a random
> user somewhere included in "-all".
>
> This is a valid policy:  Let me handle abuse at example.com and
> do not trust the rest of the world.

I agree and disagree :-)

While I think this is a "valid policy", it has to be time limited.

When you say "me", do you mean the domain holder or the server?

This is important because if a server is enduring continued example.com mail
with neutral/softfail results, then the burden of handling abuse at
example.com is now on the server, not you.  You have essentially passed on
the responsibility to everyone else to "scratch" their heads about
example.com.

What is interesting about this specific sample of a policy is the idea that
an intelligent SPF parser can perform a pre-rule interpretation to see if
the FINAL result is a FAIL before it begins checking each directive.  This
tells the servers:

        "This site has a final strong policy but is still working with
         specific related domains."

In such a case, the SPF server can be more tolerant.  But do we really want
to go into this?  I don't think so, because a spammer can exploit this too:

    "v=spf1 ?a:spammer-example.com -all"

and the server always sends mail with the email domain spammer-example.com.

In short, we need to get away from the client defining the rules of the
game.  SPF should be about a strong policy system.  When we begin to relax
these policies, we get back to the original problems we have with relaxed
SMTP policies.  We are back to square one when every spammer uses a
relaxed policy.

At the very least, we need to put some level of restriction in place so that,
if it indeed gets to the abusive level, the server has some control over it.

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
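The two evaluations the post contrasts, worked through as an added example (this is editor-supplied code, not anything posted in the thread or shipped by Santronics): a minimal SPF evaluator that walks the mechanisms left to right, plus the "pre-rule interpretation" Hector describes, which reads the qualifier of the trailing "all" to learn what the publisher says about every host it does not list. DNS is answered from a constructed in-memory table, so the domains and addresses below are made up and the script runs offline; only the "a", "ip4" and "all" mechanisms are implemented.

```python
"""Minimal SPF (spf1) evaluator with an offline, constructed DNS table.

Added example for the spf-discuss thread, not code from the thread itself.
Supports just enough of SPF to exercise the record under discussion:
the qualifiers + - ~ ?, the 'a' and 'ip4' mechanisms, and 'all'.
"""
import ipaddress

# Constructed test data (domain -> A records). These are not real hosts.
CONSTRUCTED_DNS = {
    "example.com": ["192.0.2.10"],
    "spammer-example.com": ["198.51.100.7"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_record(record):
    """Split 'v=spf1 ?a:example.com -all' into (qualifier, mechanism, argument) triples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an spf1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qualifier, mech.lower(), arg))
    return parsed


def mechanism_matches(mech, arg, sender_ip, domain):
    """True if the connecting IP matches this mechanism (subset of SPF only)."""
    if mech == "all":
        return True
    if mech == "a":
        target = arg or domain               # 'a' alone means the current domain
        return str(sender_ip) in CONSTRUCTED_DNS.get(target, [])
    if mech == "ip4":
        return sender_ip in ipaddress.ip_network(arg, strict=False)
    raise ValueError(f"unsupported mechanism: {mech}")


def check_host(sender_ip, domain, record):
    """Evaluate left to right; the first matching mechanism decides.
    If nothing matches, spf1 defaults to 'neutral'."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, arg in parse_record(record):
        if mechanism_matches(mech, arg, ip, domain):
            return QUALIFIERS[qualifier]
    return "neutral"


def terminal_policy(record):
    """The 'pre-rule interpretation' from the post: what the record says about
    hosts it does NOT explicitly list, read off the qualifier of a trailing 'all'."""
    parsed = parse_record(record)
    if parsed and parsed[-1][1] == "all":
        return QUALIFIERS[parsed[-1][0]]
    return "neutral"                         # no 'all': the default result applies


def evaluate(sender_ip, domain, record):
    return {"result": check_host(sender_ip, domain, record),
            "terminal": terminal_policy(record)}


if __name__ == "__main__":
    legit = "v=spf1 ?a:example.com -all"
    spam = "v=spf1 ?a:spammer-example.com -all"
    # A listed example.com host: neutral, even though the record ends in -all.
    print(evaluate("192.0.2.10", "example.com", legit))
    # An unlisted host: the -all applies and the result is fail.
    print(evaluate("203.0.113.5", "example.com", legit))
    # The spammer's own server: also neutral, behind the same "strong" -all tail.
    print(evaluate("198.51.100.7", "spammer-example.com", spam))
```

Both records report a terminal policy of "fail", yet both return "neutral" for the one host their publisher actually sends from. That is the point of the post: a receiver that grants tolerance because the record "ends strong" is trusting a statement the sender wrote about itself, and the spammer's record earns exactly the same tolerance.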