spf-discuss

Re: SPF+SRS vs. BATV (was: SPF Stats)

2005-07-05 09:39:31
On Tue, 2005-07-05 at 12:23 -0400, Stuart D. Gathman wrote:
> On Tue, 5 Jul 2005, David Woodhouse wrote:
> 
> > Humour me... assume I were to set up a forwarding address
> > stuart(_at_)infradead(_dot_)org which was forwarded to you. What IP
> > addresses would you list for it?
> 
> I wouldn't list any - and I would reject or discard email to it.

That's neatly sidestepping the problem. Assume you're running an ISP and
I'm one of your customers. You have started using SPF so you've mailed
all your customers and told them that they have to whitelist their
forwarders if they don't want you to start throwing away their valid
mail. I'm calling your support line and asking you how to do it...

> > Or suppose you bought a domain from (...googles...)
> > http://www.yourdomainhost.com/ and used their email forwarding service.
> > What IP addresses would you list for _that_?
> 
> I would only purchase a forwarding service that at a minimum publishes
> SPF with -all so that I would not have to list IPs.

Sounds like I'd be looking for a new ISP then, if you're going to
tell me I should do that.

> If the forwarding service does not implement SRS, then I would simply
> use their SPF record to whitelist the forward:
> 
>   If RCPT TO == forward target and SPF fail, then
>     replace MAIL FROM with forwarded alias,
>     accept mail if that passes

Which record? The set of hosts which they use for their own outgoing
mail from hostingco.com may bear no relation to the IP addresses used on
outgoing connections from their hosted servers.

> Forget about the big picture for a second, and just think of SPF as
> a way to publish what IPs you send mail from.  Makes answering
> the question "what IP addresses" easy!

And that's fine for using as a _whitelist_.

> No, I couldn't care less because I don't usually need to correspond with
> people on ISPs that have no control over their forwards.  People and companies
> with serious business to conduct via email generally have their own domain,
> which they keep secured if they are competent, and SPF works just fine
> for us.

You're being somewhat naïve here. A _lot_ of small and even quite large
but non-computer-orientated companies with serious business to conduct
have registered their own domain name, but are actually just having it
hosted by someone who forwards mail to the company's single dial-up ISP
account. That ISP has no control over their forwards. I pity the support
tech who has to answer the phone call when mail starts going missing,
and explain to a completely nontechnical user that they need to find out
all the IP addresses which their hosting company might use, and enter
them into a form on a web page somewhere.

> It is the ISP's problem that they can't reject forgeries using SPF thanks
> to their loose aliasing policies.  That means they have more crud to deal with
> using other methods (e.g. AOL track IP reputation using user feedback).

The ISPs can't realistically change those aliasing policies. It is a
problem that even medium-sized mail providers can't use SPF, true -- but
to be honest it's more of a problem for SPF than for the ISP. There are
plenty of alternatives.

Anyway, I think we're going around in circles here.

-- 
dwmw2
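Stuart's forward-whitelisting rule (re-check the forwarder's own SPF record when the original sender fails) as an added example, not code from this thread: the SPF records, the alias table and the minimal evaluator (ip4 and all terms only, no DNS) are constructed stand-ins for real lookups.

```python
import ipaddress

# Constructed, offline stand-in for DNS TXT lookups (hypothetical records).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "infradead.org": "v=spf1 ip4:198.51.100.0/24 -all",
}

# Forward targets at this MTA and the alias that forwards to each one
# (hypothetical table the ISP would maintain from customer input).
FORWARD_ALIASES = {
    "david@isp.example": "stuart@infradead.org",
}

def check_spf(domain, client_ip):
    """Minimal SPF evaluator: only ip4 mechanisms and the 'all' catch-all."""
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:          # skip the "v=spf1" tag
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        result = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
        if term == "all":
            return result
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return result
    return "neutral"

def accept_envelope(mail_from, rcpt_to, client_ip):
    """Return (spf_result, effective MAIL FROM) after the forward-whitelist step."""
    sender_domain = mail_from.rsplit("@", 1)[1]
    result = check_spf(sender_domain, client_ip)
    if result != "fail":
        return result, mail_from
    # Original sender failed: only if RCPT TO is a known forward target do we
    # retry with the forwarding alias, i.e. against the forwarder's record.
    alias = FORWARD_ALIASES.get(rcpt_to)
    if alias is None:
        return "fail", mail_from
    alias_domain = alias.rsplit("@", 1)[1]
    if check_spf(alias_domain, client_ip) == "pass":
        return "pass", alias
    return "fail", mail_from
```

This only helps when the forwarder's published record really covers the hosts that relay the forwarded mail, which is the gap David points to: a record listing only the hosting company's own outbound servers leaves the forward failing.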

