Stuart,
Just for the record. The fix has been added for the "Hard NEUTRAL" policy.
You are welcome to test our WCSAP system at:
http://www.winserver/testwcsap
We get quite a few people using the web page for testing their SPF DNS
records.
Just to make sure there were no other unreported "false positives" (which is an
oxymoron) I checked the August 2005 logs. To my surprise I saw a marked
increase in SPF rejections. See the August 2005 stats (SPF column):
http://www.winserver.com/spamstats
Starting on August 19, we have 27 SPF rejections. Except for Scott Kitterman's 2
transaction rejections, I went through every one and each was correct.
A good bit of the rejections were from SPOOFERS using our own domain names
against our system. Our hard policy instantly rejected them.
As expected, 2/3 of the neutrals or softfails were CBV rejected. These rejects
are included in the CBV column.
As expected, a good bit of the exploited domains were your good old "American pie"
brand domains with relaxed policies.
About Implementation issues:
It is vitally important that implementations are consistent in SPF processing,
including us. In lieu of bugs, if you are seeing many implementations not
being consistent, then SPF is pretty in trouble and will suffer the same fate
DKIM is promising to exhibit with an "inherent" inconsistency concept.
I disagree with you USING this as an excuse for why people are using a relaxed
policy because I sincerely HOPE it is not because they lack confidence in the
receiver. No, if I felt that was true, I would abandon SPF faster than a
hurricane can blow its winds. So I don't buy this. I have not seen it and I
firmly believe, especially with our high end exclusive customer base, that if
there were false positives we would hear about it more than we actually have.
Julian found a problem in our DNS resolver related to his double A/CNAME lookup
and now Scott, with his hard neutral policy.
But I agree there should be an official SPF implementation Testing Site. It is
also a good idea to have a set of test suites (I just added the new HARD
NEUTRAL example to our suite) that cover nearly every possible outcome.
Anyway, don't blame implementations as the reason you might believe SPF has
some marketing issues. If SPF is going to fail, it will fail on its TECHNICAL
MERITS as a protocol. Not because of implementations. But if that is really
the case, there is a high implementation failure rate, then it tells you more
about the complexity of the protocol than anything else. But I don't believe
that is the case. Bugs do happen, but that isn't reason for SPF problems.
--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
----- Original Message -----
From: "Stuart D. Gathman" <stuart(_at_)bmsi(_dot_)com>
Newsgroups: spf.-.sender.policy.framework.discussion
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Thursday, August 25, 2005 11:46 AM
Subject: [spf-discuss] SPF receivers are weak link
All 6 of the spf-help problems I've handled so far have been
senders stymied by recipients with broken SPF. The most common problem
is for the recipient to test SPF at some inner MTA and not at
the gateway (rejecting most senders with SPF records).
And then there was the Hector incident. No wonder senders are
reluctant to publish -all! One trick I've discovered is to create a special
subdomain that has a very lax SPF record (or none). When a braindead receiver
rejects all your regular mail, you can usually get through with that domain
(unless it has been spam-forged already).
I was going to talk about the importance of a test suite, and perhaps
having a certification program for SPF implementations. But since
the most common problem is not testing SPF at the right place -
perhaps a common mistakes page on the web site would be better.
--
Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.