spf-discuss

Re: [spf-discuss] Exclusive v. Open SPF records

2005-09-03 16:59:31
So, can somebody explain to me the functional difference between neutral and
softfail?  Isn't that like saying "kind of grey" as opposed to "really
grey"?  What's next, neutral fail?  In a world where messages (from an
omniscient viewpoint) are either valid or not, I don't understand the
existence of middle ground.  The only reason I can imagine this facilitates
adoption of SPF is to relax IT Admins who don't know the layout of the
network they manage.  AOL, for example, ends their SPF record with ?all in
addition to containing to exclusions.  Despite the fact that such a record
provides almost no help in identifying a spoofed mail from, I can't believe
that AOL can't pin down all its outbound servers.

As Julian mentioned, an SPF record of only "?all" provides no information.
That in mind, does "ipv4:127.0.0.1/24 ?all" really provide useful
information?  I think not.  It's easy to say for certain if a message is
good.  The trick is to identify if a message is forged.

Think of it as a speeding ticket.  A cop won't pull you over and thank you
for driving the speed limit.  He will, however, issue you a ticket if you
weren't.  The point I'm making is the goal should be to catch the bad guys,
not the good ones.

Note:  Please don't assume that I dislike SPF in any way.  I think that, a
few problems aside, this is a great solution.  I would like to see it become
more effective, that's all.

-Gaven

----- Original Message -----
From: "Julian Mehnle" <julian(_at_)mehnle(_dot_)net>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Saturday, September 03, 2005 4:31 PM
Subject: Re: [spf-discuss] Exclusive v. Open SPF records


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Gaven Henderson wrote:
> My apologies if this has already been discussed.  I'm new to this forum
> and the archives don't support searches.  That said....
>
> Does anybody else think that allowing for non-exclusive (?all) SPF
> records completely kills the goal of Sender Policy Framework?

No.  _Allowing_ for "?all" records makes it easy for domain owners to
adopt SPF without risking to jeopardize their mail immediately.

I would agree, however, that actually _deploying_ "?all" records is not
very useful.  If one understands SPF well enough, one should go "~all" or
"-all" right away.

> 1.  Non-exclusive SPF records do not improve the status quo in
> identifying spoofed senders.

True.

> In other words, if an SPF record allows for a soft fail, then it does
> not allow for a hard fail.

Note that "?" does not mean SoftFail, "~" does.  "?" means "Neutral",
which is more... well... neutral than SoftFail.

> 2.  Non-exclusive SPF records force domains to publish a list of all
> outbound servers.

Uh, what?  This has nothing to do with "?all" records in particular.  It
is the general point of SPF.

> 3.  Non-exclusive SPF records make SPF a 'half-ass' solution.  I know
> it's the same basic point but if SPF still allows for spoofed MAIL
> FROMs then it's not solving anything.  While there are some creative
> ways out there for MTAs to handle a soft fail, they all involve [...]

Are you arguing that "~" (SoftFail) is useless/problematic/harmful?  If
not, I'm not sure what your last point is about.

> Spammers and hackers are smart and aggressive people, if you provide
> them an inch, they will take a mile.

All too true.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDGjI3wL7PKlBZWjsRAm/0AKCQt/ZxoiWga7IajmLT3S/YAdtS8ACg2t7O
Yv+gfhfljXki7C9VaHGWGfQ=
=CN3p
-----END PGP SIGNATURE-----

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com


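The thread argues about what "?all", "~all" and "-all" actually buy a receiver. The following is an added example (not code from the list, from the SPF project, or from either poster): a deliberately small, offline SPF evaluator that handles only the ip4, ip6 and all mechanisms, so it needs no DNS. Everything that does need DNS (include, a, mx, ptr, exists, and redirect= modifiers) is out of scope here and returns "permerror". The IP addresses and netblocks are constructed from documentation ranges and are assumptions, not any real domain's record. Running the same spoofing source against three records that differ only in the trailing qualifier shows the point Julian and Gaven are circling: with "?all" the receiver learns nothing it did not already know, with "~all" it gets a hint it can weight, and with "-all" it gets a verdict it can act on.

```python
"""Minimal offline SPF evaluator (ip4 / ip6 / all only).

Shows how "?all" (Neutral), "~all" (SoftFail) and "-all" (Fail) differ for a
sending host that is NOT in the published list, and that "neutral" collapses
into "no information" on the receiving side.

Scope note: mechanisms and modifiers that require DNS lookups (include, a,
mx, ptr, exists, redirect=) are not implemented and yield "permerror".
"""
import ipaddress

# Qualifier prefix -> SPF result when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(client_ip: str, record: str) -> str:
    """Evaluate a TXT-style SPF record for the connecting client IP.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    ip = ipaddress.ip_address(client_ip)

    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        # Split only on the first ':' so IPv6 arguments stay intact.
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            return QUALIFIERS[qualifier]

        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address or prefix
            # ip4 only ever matches IPv4 clients, ip6 only IPv6 clients.
            if network.version == ip.version and ip in network:
                return QUALIFIERS[qualifier]
            continue

        # Anything else (include, a, mx, ptr, exists, redirect=, typos such
        # as "ipv4:") would need DNS or is simply not SPF; treated as an
        # error in this toy evaluator.
        return "permerror"

    # Walking off the end of a record without a match is Neutral.
    return "neutral"


def receiver_action(result: str) -> str:
    """A typical receiver policy mapped onto SPF results.

    Note that neutral, none and permerror all land on plain "accept": the
    record gave the receiver no basis to treat the message differently.
    """
    return {
        "pass": "accept",
        "fail": "reject",
        "softfail": "accept-and-mark",  # e.g. feed into a spam score
        "neutral": "accept",
        "none": "accept",
        "permerror": "accept",  # handling of permerror varies by site
    }[result]


def compare_policies(client_ip: str) -> dict:
    """Evaluate one client IP against three records that differ only in the
    qualifier on the trailing 'all'. Netblocks are constructed sample data."""
    authorised = "ip4:192.0.2.0/24 ip4:198.51.100.7"
    return {
        f"{q}all": check_host(client_ip, f"v=spf1 {authorised} {q}all")
        for q in ("?", "~", "-")
    }


if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.5"):  # listed host, then a spoofer
        for rec, res in compare_policies(ip).items():
            print(f"{ip:>14}  {rec}: {res:<9} -> {receiver_action(res)}")
```

The listed host gets "pass" under all three records; only the unlisted host's verdict changes. That is the whole functional difference between the qualifiers: "?all" tells the receiver nothing about an unlisted sender, "~all" lets it score or mark the message, and "-all" lets it reject. The evaluator also returns "permerror" for a mechanism name it does not know, which is what a strict implementation does with a misspelt mechanism such as "ipv4:".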