spf-discuss

Re: [OT]Calling Hector Santos

2005-08-25 13:21:22

----- Original Message ----- 
From: "Daniel Taylor" <dtaylor(_at_)vocalabs(_dot_)com>

> FedEx man won't tell you if you've been had, you will
> just have some bogus (and probably malevolent) package
> in your hand.

That was my point, I wouldn't expect him to tell me "btw, don't trust me or the 
package I just gave you."  But that is what an IP matching hard neutral is 
telling me.

> What did you expect Neutral was for?!

When the IP didn't match. To resolve the #1 issue with SPF - the transition 
point issue, the forwarding point issue.  That's the #1 problem with SPF.
Having an IP match is supposed to be GOOD (or BAD if rejecting).


> Just because AOL uses it for softfail doesn't mean
> that is its purpose. Sometimes you simply cannot make
> the level of assurance other people would like.

AOL and all large domain hosting ISPs use relaxed provisions because they have 
not managed to cover the spectrum of machines using their DOMAIN name.

Relaxed provisions are a waste.  Our statistics show 44% of SPF results are 
relaxed and among these over 66% are rejected using CBV.  That is a pretty high 
percentage of exploitation and spoofing, predominantly based on SPF domains 
with relaxed provisions.

What does that tell you?

> That some domain owner is going to be looking for a
> new hosting provider real soon now.

Ha!

> It is an assessment of risk. If the risk of forgery is
> higher than the domain owner is willing to _trust_ with
> a pass result, they are going to let you know by assigning
> a neutral result.

No doubt.  But the question is then: what does a higher-level compliancy order of 
information provide?

  Is it better to have no information or unverifiable fuzzy 
  information?

How will the neutral help in a spam score when you have no trust in the reason?

The abstract factor here is the fact that Scott told us about the false 
positive.  There was some feedback.   With no feedback, you have no clue what a 
NEUTRAL means simply because every spammer can do the same thing.

So the question is how you will treat NEUTRAL transactions.  Well, only one 
way - equally the same.

Scott mentioned a good point for SOFTPASS. This is different from a NEUTRAL:

     NEUTRAL   -  I HAVE NO IDEA, NO IP MATCHING POLICY
     SOFTPASS  -  IP MATCHING, BUT I AM NOT SURE

The problem is the RECEIVER is left in a limbo.

Question: Let's look at the threat potential:

Would a spammer use an:

    IP MATCHING NEUTRAL policy or 
    NON-IP MATCHING NEUTRAL policy?

Which one will help a spammer more?

Note: This is a trick question. :-)

> The real world isn't black and white, not even in
> the digital world. You have to take what you can get
> and make the best of it you can.

No doubt, but as a software guy, I like to automate what I can. It's my forte.  
We don't need fuzziness in the digital world.

> DKIM is still too ambiguous and difficult to deploy to
> really be a viable alternative in my world.

I see some potential, just not the way it is being proposed, with the same level 
of relaxed provisions and "fuzziness" that will make it useless and, as you say, 
more difficult and complex to deploy. In addition, as it is being proposed, in 
my view it will create MORE HARM in the social engineering area.

Just consider that in the past month or so, Yahoo is being exploited more and 
more, to the point that, as predicted, it is starting discussions about outright 
YAHOO.COM rejections.  Just the other day, we got a sysop asking how to reject 
all incoming yahoo.com domains for specific authorized (ESMTP) users.  Easy 
answer, but just that he asked is what I expected to happen with Yahoo's 
cavalier attitude about their over-exploited domain.   They promote DomainKeys, 
yet it does nothing to curb the spam from spoofed YAHOO.COM domains.   I 
recall during the SLIP/UUCP days when many of our sysops outright rejected 
MSN.COM, JUNO.COM, EARTHLINK.NET, AOL.COM and some of the other highly 
exploited domains and simply waited for complaints from legitimate users and 
whitelisted them.   The results were actually very successful. :-)

-- 
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
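As an added illustration (not part of the thread, and not Santronics code), here is a minimal evaluator for the two SPF record shapes the thread argues over: a catch-all `?all` neutral that asserts nothing about the sending IP, versus a neutral that actually asserts an IP match (`?ip4:...`). The records and client addresses are constructed examples; only the `ip4` and `all` mechanisms are implemented, and the thread's "SOFTPASS" is taken to mean the spec's `~` (softfail) qualifier.

```python
import ipaddress

# SPF qualifier prefixes and the result each yields when its mechanism
# matches. The thread's "SOFTPASS" is the spec's softfail ("~").
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Evaluate a small SPF subset (ip4 and all mechanisms) for client_ip.

    Returns (result, matched_term). matched_term is None when nothing
    matched, in which case the default result is neutral.
    """
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ("none", None)            # no usable SPF record
    for term in terms[1:]:
        qualifier = "+"                  # implicit qualifier is "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return (QUALIFIERS[qualifier], "all")
        if name == "ip4" and ip.version == 4:
            if ip in ipaddress.ip_network(arg, strict=False):
                return (QUALIFIERS[qualifier], term)
        # a, mx, include, etc. are deliberately not implemented here
    return ("neutral", None)


def classify_neutral(record, client_ip):
    """Split "neutral" into the two cases the thread distinguishes."""
    result, term = evaluate_spf(record, client_ip)
    if result != "neutral":
        return result
    if term is None or term == "all":
        return "neutral/catch-all"       # no IP-matching statement at all
    return "neutral/ip-match"            # the domain lists this IP, hedged


# Constructed records and addresses (RFC 5737 documentation ranges).
RELAXED = "v=spf1 ip4:192.0.2.0/24 ?all"       # non-IP-matching neutral
HEDGED = "v=spf1 ?ip4:192.0.2.0/24 -all"       # IP-matching neutral
STRICT = "v=spf1 ip4:192.0.2.0/24 -all"

if __name__ == "__main__":
    for rec in (RELAXED, HEDGED, STRICT):
        for ip in ("192.0.2.10", "198.51.100.1"):
            print(f"{rec!r:40} {ip:14} -> {classify_neutral(rec, ip)}")
```

A receiver that treats every "neutral" alike, as the thread suggests it must, cannot tell the two classifications apart; the split shows what information the `?all` form throws away.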





