wayne wrote:
> Yes, you have every right to do whatever you want with your machine,
> but senders have every right to do whatever they want with their SPF
> records. If publishing SPF records that result in Neutral causes
> their email to be more likely to be rejected, then I think a lot of
> domain owners will simply stop publishing SPF records.
So likewise, domain owners should not publish an SPF record which may
result in a 'softfail' either? That one has been in SA for a long time
now, and will (with version 3.0.3) score:
score SPF_SOFTFAIL 0.500 0.842 0.500 0.500
score SPF_HELO_SOFTFAIL 0 1.002 0 3.140
I don't think we should try to interfere with what people will do with any
SPF result; it's beyond our control. Any result from SPF can and will be
used, there is no way to stop it, and people had better know this beforehand.
> By punishing domain owners for having SPF records that can return
> Neutral, you may get a short term gain in spam filtering, but you are
> hurting us all in the long term.
In that case, we might just as well scrap 'softfail' and 'neutral' from
the SPF specification. Results which must not be used by the recipient
are useless and basically a waste of effort. Sorry, but that doesn't cut
it for me.
> If your patch takes into account the different spamminess of different
> domains that return Neutral and None, then your patch might be ok.
SA uses the Mail::SPF::Query plugin and as such only cares about the
final result of a query. I think this is a bit crude (a neutral result
from '?a:example.com' is much more specific than '?all'), but that's the
way it is. The SPF specification doesn't say they should be treated
differently, depending on the place in the record where the hit occurs.
Trying to guess what an SPF publisher meant is a slippery slope.
> If you lump domains that are just collecting usage data with their SPF
> records in with everyone else, then this is really bad.
If one is only collecting data, without providing any clue for the
legitimacy of a message, I would consider that abuse. Gathering
statistics is not necessarily bad, but one should at least put the
'real' policies *after* the part where statistics are gathered so that a
recipient is rewarded for his work (parsing the SPF record).
Frankly speaking, any SPF record resulting in a 'neutral' result
('?all') for vast parts of IPv4 and IPv6 address space is largely a waste
of effort at this moment, since it won't allow the receiver to reject
forged messages. The same would be true for 'softfail' ('~all'), but at
least the sender presumably is working towards a more restrictive policy.
>> It would be insane to reject mail on a 'neutral' score alone. But in a
>> scoring system (like SA) the occasional additional points gathered
>> should not be a problem for legitimate mail. As long as it doesn't score
>> on additional spamminess rules, there is no problem at all. For real
>> spam messages, it might be just the additional weight to tip the balance.
> And for real ham messages, it might also be just enough to cause a
> reject.
First of all I don't think there will be that many systems that are
running SA directly on their inbound mailservers (due to the expensive
nature of SA). Not many MTAs will allow for an easy integration so that
it is possible to run SA before the DATA phase is over (I know there are
Milters available for Sendmail, so technically it is possible). Many
MTAs will first accept the message and then run SA. In that case a
reject is no longer possible.
Besides that, one rule scoring in SA is not very likely to lead to
classifying a message as unwanted. I'm sure that the word VIAGRA in this
message will earn it some points, but I would be surprised if the
message would be rejected somewhere.
Arjen