spf-discuss

RE: Validator Testing Request

2005-08-09 05:42:52
-----Original Message-----
From: Richard Parker [mailto:richard(_at_)electrophobia(_dot_)com]
Sent: Tuesday, August 09, 2005 6:54 AM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] Validator Testing Request


> On Aug 9, 2005, at 3:18 AM, Alex van den Bogaerdt wrote:
> > ... a name ending in "cox.net", and why do you allow all of them to
> > send mail on your behalf?
>
> Cox does not currently publish an SPF record nor does it publish a
> list of their outgoing mail servers, so ptr:cox.net stands in rough
> proxy for include:cox.net.

And a very dangerous one too.  As it stands, it is trivial for any zombied
box on the Cox network to get an SPF pass for your domain.

First, and without delay, change ptr:cox.net to ?ptr:cox.net.  That will
achieve the goal of matching something before the all without giving all the
zombies a pass.

Second, you can do better.  For quite some time, I was in the same
situation, but with Comcast.  What I did (in cooperation with other list
members also on Comcast) was manually inspect a significant number of e-mails
to see what IP addresses they came from and then created an analogue for a
Comcast SPF record that I put in my record.  It was (and this is a year old;
it's shown as an example only - people should not use this):

?ip4:204.127.202.0/24 ?ip4:204.127.198.0/24 ?ip4:216.148.227.0/24
?ip4:63.240.76.0/24

As an example, the message I am replying from came from fed1rmmtao08.cox.net
[68.230.241.31].  That is best represented as ?ip4:68.230.241.31; it should
still be Neutral because of the risks of cross-user forgery:

http://www.schlitt.net/spf/spf_classic/draft-schlitt-spf-classic-02.html#cross-user-forgery

Not only is this type of approach much tighter, it's also MUCH easier on DNS
and more reliable than PTR.

Scott K
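An added illustration of the point made above (example code written for this archive page, not code from the list posters). It is a minimal SPF evaluator covering only the ip4, ptr and all mechanisms with the four qualifiers, run offline against constructed reverse/forward DNS tables. The sender domain example.org, the "zombie" address 68.230.99.77 and the 203.0.113.9 / 198.51.100.5 addresses are assumptions; 68.230.241.31 and its PTR name are the ones quoted in the message. It shows that ptr:cox.net hands a Pass to any validated cox.net host, that ?ptr:cox.net turns that into Neutral, and that an ip4 list with the ? qualifier stays Neutral for the real MTA while failing everything else.

```python
import ipaddress

# Constructed sample DNS data (assumption, not live lookups).
PTR_TABLE = {
    "68.230.241.31": ["fed1rmmtao08.cox.net"],          # Cox MTA quoted in the message
    "68.230.99.77": ["ip68-230-99-77.ph.ph.cox.net"],    # hypothetical zombied customer box
    "203.0.113.9": ["mail.example.org"],                 # hypothetical non-Cox sender
    "198.51.100.5": ["spoof.cox.net"],                   # PTR claims cox.net, no forward record
}
A_TABLE = {
    "fed1rmmtao08.cox.net": ["68.230.241.31"],
    "ip68-230-99-77.ph.ph.cox.net": ["68.230.99.77"],
    "mail.example.org": ["203.0.113.9"],
}

QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}


def validated_ptr_names(ip):
    """Reverse-lookup ip, then keep only names whose forward lookup points back at ip.

    This is the validation step of the SPF ptr mechanism; a PTR record alone
    proves nothing, since the owner of the reverse zone controls it.
    """
    return [name for name in PTR_TABLE.get(ip, []) if ip in A_TABLE.get(name, [])]


def ptr_matches(ip, domain):
    """ptr:<domain> matches if any validated name equals <domain> or is a subdomain of it."""
    return any(name == domain or name.endswith("." + domain)
               for name in validated_ptr_names(ip))


def ip4_matches(ip, arg):
    """ip4:<addr> or ip4:<addr>/<prefix>; a bare address means /32."""
    network = ipaddress.ip_network(arg if "/" in arg else arg + "/32", strict=False)
    return ipaddress.ip_address(ip) in network


def check_host(ip, sender_domain, record):
    """Evaluate an SPF record left to right; the first matching mechanism decides."""
    terms = record.split()
    if terms[0] != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip4_matches(ip, arg)
        elif name == "ptr":
            matched = ptr_matches(ip, arg or sender_domain)
        else:
            raise ValueError("unsupported mechanism in this toy evaluator: " + name)
        if matched:
            return QUALIFIERS[qualifier]
    return "Neutral"  # nothing matched and no "all" term: default result


# The three records discussed above, for the hypothetical domain example.org.
DANGEROUS = "v=spf1 ptr:cox.net -all"
NEUTRAL_PTR = "v=spf1 ?ptr:cox.net -all"
IP4_BASED = "v=spf1 ?ip4:68.230.241.0/24 -all"


if __name__ == "__main__":
    for label, record in (("ptr", DANGEROUS), ("?ptr", NEUTRAL_PTR), ("?ip4", IP4_BASED)):
        for ip in PTR_TABLE:
            print(f"{label:5} {ip:15} -> {check_host(ip, 'example.org', record)}")
```

The evaluator deliberately refuses include, a, mx and the macro forms, so it cannot be mistaken for a full checker; its only job is to make the qualifier difference visible. Note that 198.51.100.5 fails under every record: a forged PTR that does not validate forward never reaches the ptr match, which is why the danger Scott describes is the legitimately named Cox customer hosts, not forged reverse zones.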