spf-discuss

Re: [spf-discuss] Is best guess moronic?

2005-11-17 16:28:31
On Thu, 17 Nov 2005 18:06:45 -0500 (EST) "Stuart D. Gathman" 
<stuart(_at_)bmsi(_dot_)com> wrote:
> On Thu, 17 Nov 2005, Hector Santos wrote:
> 
> > I get "so excited" because it's a moronic idea.
> > 
> >   "Look fellas, I don't have a SPF policy, yet you will use 
> >    an NON-SPF logic to verify me with SPF Notification 
> >    information."
> 
> I use best guess.  No, I do *not* send any SPF notifications,
> because best guess will never reject or block MFROM -
> it always gets PASS or NEUTRAL.  It is used for auto whitelisting.
> Recipients of local senders (that pass the zombie test) are
> automatically whitelisted - but the whitelisting only works
> with an SPF PASS - either real or guessed.  The best guess
> is "v=spf1 a/24 mx/24 ptr ?all".
> 
> (Best guess can get a FAIL on HELO - it happens to correspond to
> having a proper HELO name in that case.  If there is also no PTR
> or MFROM SPF, and MFROM best guess is NEUTRAL, they get the 3
> strikes DSN - which clearly says you are getting this DSN because
> you don't have a proper SPF, or HELO, or PTR.)
> 
> > Wonderful!  Spammers lick their chops with crap like this.
> 
> Yes, they can forge emails from any poor sucker with no SPF
> record that is on the same class C network as the spammer.
> 
> > It is part of the specs?   No.  So why is it in a Library
> > that some people will end up using?  You might as well make
> > it part of the specs.
> 
> It's called a convenience feature.  Any SPF based whitelisting system
> is going to need a best guess feature until adoption is much
> higher.  CBV is not part of the SMTP spec, but having it in
> a library is good - so every user doesn't have to iron out
> the wrinkles all over again.
> 
> > Sorry, Frank, call me what you like. It's stupid and if people
> > are scratching their heads as to why SPF gets a bad rap it is
> > because of moronic ideas like this.
> 
> As long as it is clearly separate from the API implementing
> the standard, it is not a moronic idea.
> 
> In fact, I go one step further.  Pydns supports a configurable DNS
> zone with SPF records for regular correspondents that don't have their
> own SPF record, and for which the best guess doesn't work.
> That also takes care of the case where the spammer is on the
> same class C subnet.  Of course, these records are all just
> guesses too, just a little more specific and educated - but it
> gets the mail through, even though I reject anonymous connections
> (no/bad PTR, no/bad HELO, and no SPF).  So go ahead and tell me
> I'm moronic...

No, but Mail::SPF::Query was supposed to be a reference implementation,
so it shouldn't do best guess.

Scott K
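The best-guess record Stuart quotes, as an added example that is not code from the thread, from pyspf or from Mail::SPF::Query: a minimal evaluator over a constructed DNS fixture (the names and addresses are made up). It shows why the guess yields PASS for the domain's own host and, exactly as conceded above, for any other host on the same /24, which is the result that an auto-whitelist built on guessed PASS would trust.

```python
import ipaddress
# Constructed DNS fixture (no real lookups): name -> {rrtype: values}.
DNS = {
    "example.com":      {"A": ["192.0.2.10"], "MX": ["mail.example.com"], "TXT": []},
    "mail.example.com": {"A": ["192.0.2.20"]},
}
PTR = {"192.0.2.10": "example.com"}          # constructed reverse zone
BEST_GUESS = "v=spf1 a/24 mx/24 ptr ?all"    # the record quoted in the thread
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rrtype):
    return DNS.get(name, {}).get(rrtype, [])

def in_net(ip, host_ip, prefix):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{host_ip}/{prefix}", strict=False)

def matches(mech, ip, domain):
    # One mechanism (a, mx, ptr, all), with an optional /prefix widening the hosts' addresses.
    name, _, prefix = mech.partition("/")
    prefix = prefix or "32"
    if name == "all":
        return True
    if name == "a":
        return any(in_net(ip, a, prefix) for a in lookup(domain, "A"))
    if name == "mx":
        return any(in_net(ip, a, prefix)
                   for mx in lookup(domain, "MX") for a in lookup(mx, "A"))
    if name == "ptr":  # reverse name must forward-confirm and lie within the domain
        rname = PTR.get(ip, "")
        return ip in lookup(rname, "A") and (rname == domain or rname.endswith("." + domain))
    return False

def evaluate(record, ip, domain):
    # Mechanisms are tried left to right; the first match decides the result.
    for term in record.split()[1:]:
        qual = term[0] if term[0] in QUALIFIER else "+"
        if matches(term.lstrip("+-~?"), ip, domain):
            return QUALIFIER[qual]
    return "neutral"

def check(ip, domain):
    # Use the published record when there is one; only otherwise fall back to the guess.
    for txt in lookup(domain, "TXT"):
        if txt.startswith("v=spf1"):
            return "spf", evaluate(txt, ip, domain)
    return "best_guess", evaluate(BEST_GUESS, ip, domain)

if __name__ == "__main__":
    print(check("192.0.2.10", "example.com"))   # ('best_guess', 'pass'): the domain's own host
    print(check("192.0.2.77", "example.com"))   # ('best_guess', 'pass'): any neighbour on that /24 too
    print(check("203.0.113.5", "example.com"))  # ('best_guess', 'neutral'): nothing matched, ?all applies
```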

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com