spf-discuss

Re: Border Appliances

2005-07-01 01:30:14

From: "Stuart D. Gathman" <stuart(_at_)bmsi(_dot_)com>

I'm not talking about *my* users.  I'm talking about some other
mail admin's users that want to send my users mail.

No I understood.  Right, Anonymous Final Destination (AFD) mail behavior
where you don't have to authorize the sender to submit mail to your local
users - the #1 loophole in SMTP. <g>

What's your experience on the feedback on this?

The DSNs are mostly ignored.  But I have gotten several replies
from mail admins thanking me for the info.  The problem is that
users rarely inform the mail admin of the DSN.  And I don't feel
right about spamming postmaster with every DSN intended for
one of their users.

Ok, thanks for this feedback.  Right, reporting stuff of this nature would
need to be done in a professional manner to the sysop, but as a group/domain
policy issue. For example, you might consider just sending the first time
the domain is tried on your system.  You are going to get the relaxed result
for all users, so it should be done as a group/domain policy.

But you have done some form of reporting, I have not.  Good feedback. You got my
interest in pushing this work agenda up.

Do you see some changing?

Yes.  One admin told me he had been wanting to set up SMTP AUTH to
improve security, but hadn't had a kick in the butt.  The DSNs were just
what he needed.  He hadn't heard about SPF, and published after setting his
roaming users up with SMTP AUTH.

Good stuff.

Do you expire them? after so many months?

No.  But if the forged spam (allegedly) from the domain exceeds the limit,
relaxed results are no longer accepted.

Neat.  I say, this is excellent material for an ESFP draft. :-)

You should document this implementation for relaxed provisions.  Seriously,
people are going to get to this position as SPF grows.  No doubt,
the SPF domains checks and rejects have grown from a +0.0% to a near 1.5%
now in recent months.  It's definitely growing and my CBV call back on
relaxed results are catching the bad user local user names at the domains.

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
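
The per-domain handling discussed in this message (notify a domain only the first time a relaxed result is seen for it, never expire the state, and stop accepting relaxed results once forged spam from the domain exceeds a limit), as an added example that is not code from either poster. It assumes "relaxed" means an SPF softfail or neutral result; the names `RelaxedPolicy`, `on_message`, `report_spam` and the limit value are hypothetical.

```python
from dataclasses import dataclass, field

RELAXED = {"softfail", "neutral"}  # assumption: SPF results treated as "relaxed"
FORGED_LIMIT = 3                   # assumption: the thread gives no number


@dataclass
class DomainState:
    notified: bool = False  # one-time DSN already sent for this domain?
    forged: int = 0         # relaxed-result messages later judged to be spam


@dataclass
class RelaxedPolicy:
    limit: int = FORGED_LIMIT
    domains: dict = field(default_factory=dict)  # never expired, as in the thread

    def _state(self, domain):
        # Domain names are case-insensitive, so key on the lowercase form.
        return self.domains.setdefault(domain.lower(), DomainState())

    def on_message(self, domain, spf_result):
        """Return (action, send_dsn) for one inbound message."""
        if spf_result == "pass":
            return "accept", False
        if spf_result == "fail":
            return "reject", False
        if spf_result not in RELAXED:
            return "accept", False  # none/temperror etc.: outside this policy
        st = self._state(domain)
        if st.forged > self.limit:
            # Forged spam exceeded the limit: relaxed results no longer accepted.
            return "reject", False
        send_dsn = not st.notified  # group/domain policy: notify once per domain
        st.notified = True
        return "accept", send_dsn

    def report_spam(self, domain):
        """Record that an accepted relaxed-result message was forged spam."""
        self._state(domain).forged += 1
```
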





