spf-discuss

RE: Validator Testing Request

2005-08-09 12:18:42
-----Original Message-----
From: Richard Parker [mailto:richard(_at_)electrophobia(_dot_)com]
Sent: Tuesday, August 09, 2005 2:45 PM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] Validator Testing Request


On Aug 9, 2005, at 5:42 AM, Scott Kitterman wrote:
First, and without delay, change ptr:cox.net to ?ptr:cox.net.  That will
achieve the goal of matching something before the all without giving all the
zombies a pass.

On Aug 9, 2005, at 7:07 AM, Stuart D. Gathman wrote:
Because he sometimes sends mail through those ISPs.  What is probably better
practice in that situation is the following:

1) TXT electrophobia.com:
    "v=spf1 ?ptr:cox.net include:dsis.net include:easydns.com -all"

In fact, any ISP you include that does not actively prevent
cross-customer forgery should be NEUTRAL.

Yes, in fact I used to be using the exact record that Scott and
Stuart recommend.  Unfortunately I received an unacceptably high
number of mail rejections from people who appear to implement a
policy of "reject mail if SPF record exists and it doesn't return
PASS".  So my choice was an overly permissive SPF record, no SPF
record, or mail rejections.  I chose door number 1.  I suppose I
could have kept my record the same and tried to track down and
personally contact via another e-mail address all of those who were
implementing that broken policy, but I'm not dedicated to my use of
SPF enough to do that.

Interesting.  My record almost always returns Neutral and I've had very
little trouble in that regard.  That's too bad.  This problem is likely to
get worse once SpamAssassin 3.1 gets released:

http://bugzilla.spamassassin.org/show_bug.cgi?id=3616

Of course 3.1 has other SPF related changes too:

http://bugzilla.spamassassin.org/show_bug.cgi?id=3487

and this one turning off TFWL lookups:

http://bugzilla.spamassassin.org/show_bug.cgi?id=4072

On Aug 9, 2005, at 5:42 AM, Scott Kitterman wrote:
Not only is this type of approach much tighter, it's also MUCH easier on DNS
and more reliable than PTR.

Oh I agree.  I could indeed track down the dozens of outgoing Cox
mail servers, identify their IP addresses and net blocks, assemble my
own list in proxy for Cox's lack of SPF, and constantly monitor their
activity to keep the list up to date as they add, remove, or change
IP addresses.  It may be lazy of me, but as I intimated above I think
I'd probably choose to depublish SPF before I committed to constantly
maintaining it in such a fashion.  On the other hand, if the SPF
community chose to assemble and publish proxy records for large ISPs
that don't publish their own SPF records (e.g. something like
"include:cox.net.proxy_records.openspf.org"), I'd be willing to use
them if the DNS server setup for the proxy records looked reliable.

-Richard

The key question is who will test and maintain them.  I think each record
would need to have an identified maintainer who was responsible for the
content.

Anyone who wants to do this for Comcast is welcome to start with what I
posted above.

Scott K
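An added illustration, not part of this thread, of why Scott and Stuart recommend "?ptr:cox.net" over "ptr:cox.net": a minimal SPF evaluator for just the mechanisms in the record under discussion (ptr, include, ip4, all), driven by a constructed in-memory DNS table. The domain names, IP addresses and included records are assumptions for the demo; the ptr table is assumed to hold only forward-confirmed names.

```python
import ipaddress

# Qualifier prefix -> SPF result when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed DNS data (not real records). "electrophobia-old.com" stands
# for the over-permissive "ptr:cox.net" version of the record.
DNS_TXT = {
    "electrophobia.com": "v=spf1 ?ptr:cox.net include:dsis.net include:easydns.com -all",
    "electrophobia-old.com": "v=spf1 ptr:cox.net include:dsis.net include:easydns.com -all",
    "dsis.net": "v=spf1 ip4:192.0.2.0/24 -all",
    "easydns.com": "v=spf1 ip4:198.51.100.0/24 -all",
}
# Constructed reverse DNS, assumed already forward-confirmed (PTR name
# resolves back to the IP), which a real checker must verify itself.
DNS_PTR = {
    "203.0.113.7": "ip-203-0-113-7.cox.net",   # a zombie on a cox.net address
    "192.0.2.25": "smtp.dsis.net",             # the ISP's real outbound relay
}


def check_host(ip, domain):
    """Evaluate the SPF record of `domain` for sending address `ip`."""
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        qual = "+"                      # default qualifier is "+" (pass)
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
        elif name == "ptr":
            rdns = DNS_PTR.get(ip, "")
            matched = rdns == arg or rdns.endswith("." + arg)
        elif name == "include":
            # include matches only when the included record yields pass;
            # its own -all never propagates as fail to the outer record.
            matched = check_host(ip, arg) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                    # no mechanism matched
```

Any host whose reverse name ends in cox.net gets "pass" from the old record but only "neutral" from the recommended one, while mail relayed through the included ISPs still passes via their ip4 ranges.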