spf-discuss

RE: Time to start rejecting on neutral?

2005-05-17 07:46:02
-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of Arjen 
de Korte
Sent: Tuesday, May 17, 2005 8:30 AM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] Time to start rejecting on neutral?



Either that, or you switch to a provider that doesn't allow
cross-customer forgery.
The only problem is that there are none or virtually none of those.

Aren't the worries about cross-customer forgery a little bit academic?

For shared (and properly administered!) MTAs, I think an SPF 'pass' would
be closer to reality than a 'neutral' response (even if cross-customer
forgery can't be ruled out). Another customer who is abusing your domain
could be tracked down with no problem at all. If you don't trust the
administrator of this MTA to quickly terminate said (ab)user's account upon
notification of this, you really need to find another one.

The only place where I consider a neutral response useful is in '?all',
where it has become (like people already predicted) almost an invitation
for spammers to abuse that domain. I agree with the people suggesting that
'softfail' and 'neutral' should be considered 'temporary' results and that
administrators should work towards a clear 'pass' or 'fail'.

Yes and no.

I do trust the operators of the MTAs that I use to terminate anyone that
forges me.  For today, that's probably good enough.  The real problem is
when people start to try and leverage SPF anti-forgery results into domain
based blacklists or reputation systems as suggested on the spf.pobox.com web
site:

http://spf.pobox.com/faq.html#churn

Once your reputation is trashed or your domain is blacklisted, how do you
get that fixed?

The hazards of cross-customer forgery for the deliverability of my e-mail
are today somewhat theoretical, but they are definitely coming....

Scott K
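
The results discussed in this thread, as an added example that is not part of either message: a reduced SPF evaluator (ip4 and all mechanisms only) showing that the check sees just the connecting IP and the claimed domain, so two customers of one shared MTA are indistinguishable, and that '?all' yields 'neutral'. The domains, addresses, records and the receiver_action policy are constructed for illustration.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed records: two customers of one shared MTA (192.0.2.0/24), and a
# domain that publishes only '?all'.
RECORDS = {
    "customer-a.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "customer-b.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "open.example": "v=spf1 ?all",
}

def check_host(ip, domain, records=RECORDS):
    """Evaluate a reduced SPF subset (ip4 and all only), left to right."""
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # mechanism outside this reduced subset
    return "neutral"  # nothing matched and the record has no 'all' term

def receiver_action(result, reject_neutral=False):
    """Hypothetical receiver policy for an SPF result."""
    if result == "fail" or (result == "neutral" and reject_neutral):
        return "reject"
    return "accept"

if __name__ == "__main__":
    shared_mta, outsider = "192.0.2.10", "203.0.113.5"
    # The first case is 'pass' whichever customer of the shared MTA
    # submitted the message: the sender's account is not an input.
    for ip, dom in [(shared_mta, "customer-a.example"),
                    (outsider, "customer-a.example"),
                    (outsider, "open.example")]:
        res = check_host(ip, dom)
        print(ip, dom, res, receiver_action(res, reject_neutral=True))
```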