spf-discuss

Re: overall HELO FAIL

2005-05-26 21:42:20

On Fri, 27 May 2005, Frank Ellermann wrote:

> Hi, there's an interesting discussion about SPF in the
> former MARID list http://dir.gmane.org/gmane.ietf.mxcomp

For a list that had 0 messages in the last 3 months, 50 messages in just one day is an interesting change of scenery.

> Today the first serious problems with draft -01 were
> detected:  Some people don't know that SPF offers HELO
> tests.  Others know this, but have no clear idea what it
> means, e.g. how to separate MAIL FROM identities from
> HELO identities (and why that's unnecessary).

They are not serious problems with the draft; they are problems with
people not reading the draft and not being properly educated on
how SPF is supposed to be used.

> Finally the result of the combination of MAIL FROM and
> HELO tests is not generally understood, there was the
> notion of testing MAIL FROM before HELO, or that a PASS
> for MAIL FROM overrules a FAIL for HELO.

There should be no combination between these checks right now other
than SPF's special behavior of testing EHLO if MAIL FROM is null.

The results of either one should be taken on their own, and the receiver should
not be required to test both MAIL FROM and EHLO; it should be a choice as
to which identity, or both, it wants to check and how.

> The "receiver policy" mantra has its limits.  E.g. if
> folks like Carl Hutzler, Andy Newton, Terry Fielder, etc.,
> who normally know "how stuff works" are confused,

Get away from receiver policy. A policy should be: if you see this record,
this is what it means, what identity it applies to and how it is to be used.
But not that you necessarily have to use it or have to make reject/accept
policy choices in exactly the same way (i.e. the receiver should be free to
decide to use SPF FAIL as part of a larger policy system but not directly
reject on it if he does not want to).

Mandating receiver policy is, btw, a mistake being made by the SID folks; let's
not try to imitate their stupidity.

At most we should make it a separate BCP-like document, but it's not something
for immediate work, and more testing of how SPF is best used, with participation
and feedback from larger ISPs, would be good if we decide to formally write
such a recommendation document.

---
William Leibzon, Elan Networks:
 mailto: william(_at_)elan(_dot_)net
Anti-Spam and Email Security Research Worksite:
 http://www.elan.net/~william/emailsecurity/
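The separation William argues for above, as an added example that is not part of the original message and not code from any SPF implementation: the HELO identity and the MAIL FROM identity are each run through check_host() on their own, the only coupling is SPF's rule that a null reverse-path (MAIL FROM:<>) is checked under the HELO domain, and a PASS on one identity never overrides a FAIL on the other. Whether a FAIL leads to a rejection is then a separate, local receiver decision. The DNS records, IP addresses and host names are constructed for the example, and the evaluator is a deliberately reduced version of check_host() (all, ip4, ip6, a, include with the four qualifiers; no mx, ptr, exists, exp or macros), not a full RFC 4408 implementation.

```python
import ipaddress

# Constructed DNS fixture for this example: none of these zones, records or
# addresses are real.
TXT_RECORDS = {
    "example.org":      "v=spf1 ip4:192.0.2.0/24 -all",
    "mail.example.org": "v=spf1 a -all",                    # HELO name publishing its own policy
    "helo.example.com": "v=spf1 ip4:203.0.113.0/24 -all",  # HELO name that never matches 192.0.2.x
    "example.net":      "v=spf1 include:example.org ~all",
}
A_RECORDS = {
    "mail.example.org": ["192.0.2.10"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DEPTH = 10  # guards against include: loops


def check_host(ip, domain, depth=0):
    """Reduced check_host(): evaluate <ip> against the SPF record of <domain>.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > MAX_DEPTH:
        return "permerror"
    record = TXT_RECORDS.get(domain.lower())
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif mech == "a":
            matched = str(addr) in A_RECORDS.get((arg or domain).lower(), [])
        elif mech == "include":
            inner = check_host(ip, arg, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"           # including an unusable record is an error
            matched = inner == "pass"        # include: matches only on an inner pass
        else:
            return "permerror"               # mechanism this reduced evaluator does not know
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                         # nothing matched and no explicit "all"


def evaluate_identities(ip, helo, mail_from):
    """Check the HELO and MAIL FROM identities independently and return both.

    Neither result overrides the other. The single coupling SPF defines is
    that a null reverse-path (MAIL FROM:<>) is checked as postmaster@<HELO>,
    so its domain is taken from the HELO identity.
    """
    helo_result = check_host(ip, helo)
    if mail_from.strip("<>") == "":
        mail_from_domain = helo
    else:
        mail_from_domain = mail_from.strip("<>").rsplit("@", 1)[-1]
    return {"helo": helo_result, "mailfrom": check_host(ip, mail_from_domain)}


def receiver_decision(results, reject_on=("mailfrom",)):
    """Local receiver policy layered on top of the raw per-identity results.

    reject_on names the identities whose FAIL is enough to reject outright;
    any other result is left for a larger scoring system. Which identities
    to enforce is the receiver's choice, not part of what the record means.
    """
    for identity in reject_on:
        if results[identity] == "fail":
            return "reject"
    return "accept"


if __name__ == "__main__":
    sessions = [  # (client IP, HELO name, MAIL FROM) -- constructed
        ("192.0.2.10",   "mail.example.org", "user@example.org"),
        ("192.0.2.10",   "helo.example.com", "user@example.org"),  # HELO fails, MAIL FROM passes
        ("198.51.100.5", "mail.example.org", "<>"),                # bounce: null sender checked via HELO
        ("198.51.100.1", "mail.example.org", "user@example.net"),
    ]
    for ip, helo, mail_from in sessions:
        r = evaluate_identities(ip, helo, mail_from)
        print(ip, helo, mail_from, r,
              "mailfrom-only:", receiver_decision(r),
              "both:", receiver_decision(r, ("helo", "mailfrom")))
```

The second session is the case the quoted discussion got wrong: MAIL FROM passes while HELO fails, and the two results stay separate. Whether the message is rejected depends only on which identities the receiver has chosen to enforce in receiver_decision(), not on any precedence between the checks.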

