spf-discuss

PS ...Re: SPF receivers are weak link

2005-08-26 09:44:06
Stuart,

Just for the record.  The fix has been added for the "Hard NEUTRAL" policy.   

You are welcome to test our WCSAP system at:

    http://www.winserver/testwcsap

We get quite a few people using the web page for testing their SPF DNS 
records.

Just to make sure there were no other unreported "false positives" (which is an 
oxymoron) I checked the August 2005 logs.  To my surprise I saw a marked 
increase in SPF rejections.  See August 2005 stats (SPF column):

    http://www.winserver.com/spamstats

Starting on August 19, we have 27 SPF rejections. Except for Scott Kitterman's 2 
transaction rejections, I went through every one and each was correct. 

A good bit of the rejections were from SPOOFERS using our own domain names 
against our system. Our hard policy instantly rejected them.

As expected, 2/3 of the neutrals or softfails were CBV rejected.  These rejects 
are included in the CBV column.

As expected, a good bit of the exploited domains were your good old "American pie" 
brand domains with relaxed policies.  

About Implementation issues:

It is vitally important that implementations are consistent in SPF processing, 
including us.  In lieu of bugs, if you are seeing many implementations not 
being consistent, then SPF is pretty much in trouble and will suffer the same fate 
DKIM is promising to exhibit with an "inherent" inconsistency concept.

I disagree with you USING this as an excuse for why people are using a relaxed 
policy because I sincerely HOPE it is not because they lack confidence in the 
receiver.  No, if I felt that was true, I would abandon SPF faster than a 
hurricane can blow its winds.   So I don't buy this. I have not seen it and I 
firmly believe, especially with our high end exclusive customer base, that if 
there were false positives we would hear about it more than we actually have.  
Julian found a problem in our DNS resolver related to his double A/CNAME lookup 
and now Scott, with his hard neutral policy.

But I agree there should be an official SPF implementation Testing Site.  It is 
also a good idea to have a set of test suites (I just added the new HARD 
NEUTRAL example to our suite) that cover nearly every possible outcome.

Anyway, don't blame implementations as the reason you might believe SPF has 
some marketing issues.  If SPF is going to fail, it will fail on its TECHNICAL 
MERITS as a protocol. Not because of implementations.  But if that is really 
the case, there is a high implementation failure rate, then it tells you more 
about the complexity of the protocol than anything else.   But I don't believe 
that is the case.   Bugs do happen, but that isn't the reason for SPF problems.

-- 
Hector Santos, Santronics Software, Inc.
http://www.santronics.com


----- Original Message ----- 
From: "Stuart D. Gathman" <stuart(_at_)bmsi(_dot_)com>
Newsgroups: spf.-.sender.policy.framework.discussion
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Thursday, August 25, 2005 11:46 AM
Subject: [spf-discuss] SPF receivers are weak link


All 6 of the spf-help problems I've handled so far have been
senders stymied by recipients with broken SPF.  The most common problem
is for the recipient to test SPF at some inner MTA and not at
the gateway (rejecting most senders with SPF records).

And then there was the Hector incident.  No wonder senders are
reluctant to publish -all!  One trick I've discovered is to create a special
subdomain that has a very lax SPF record (or none).  When a braindead receiver
rejects all your regular mail, you can usually get through with that domain
(unless it has been spam-forged already).

I was going to talk about the importance of a test suite, and perhaps
having a certification program for SPF implementations.  But since
the most common problem is not testing SPF at the right place - 
perhaps a common mistakes page on the web site would be better.

-- 
       Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/