spf-discuss
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [spf-discuss] Is best guess moronic?

2005-11-17 16:29:24
from [Hector Santos] [Permanent Link] 
Yes, it is moronic!

Once it becomes part of the Receive-SPF: header, you are making it PART of
the specification.

Again, if you want all these thorns removed from SPF, you have to consistent
in your technology without fuzziness and confusion.

The USER will gain knowing:

    Receiver-SPF: none

then seeing

    Receiver-SPF: pass with some stupid "best guess!" statement.

ridiculous, stupid, moronic idea!  and if you invented it, then you know how
I feel. <grin>

Look, there were 2 key issues that I get "so excited" about in SPF history,
and each time I was right:

     The Helo Issue
     The Relaxed Provision Issue,

Other than that, I don't usually get involved.  I will now add this stupid
BEST GUESS "feature" that is PART of the Receiver-SPF!!

GMAIL.COM used it and now the user got CONFUSED!!! He thought the "domain"
was SPF PASSED when in fact it wasn't.

Anyone who uses this perl library will NATURALLY assumed it is part of the
specification when in fact it isn't.

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com


----- Original Message -----
From: "Stuart D. Gathman" <stuart(_at_)bmsi(_dot_)com>
Newsgroups: spf.-.sender.policy.framework.discussion
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Thursday, November 17, 2005 6:06 PM
Subject: [spf-discuss] Is best guess moronic?



On Thu, 17 Nov 2005, Hector Santos wrote:


I get "so excited" because its a moronic idea.

  "Look fellas, I don't have a SPF policy, yet you will use
   an NON-SPF logic to verify me with SPF Notification
   informatin."


I use best guess.  No, I do *not* send any SPF notifications,
because best guess will never reject or block MFROM -
it always gets PASS or NEUTRAL.  It is used for auto whitelisting.
Recipients of local senders (that pass the zombie test) are
automatically whitelisted - but the whitelisting only works
with an SPF PASS - either real or guessed.  The best guess
is "v=spf1 a/24 mx/24 ptr ?all".

(Best guess can get a FAIL on HELO - it happens to correspond to
having a proper HELO name in that case.  If there is also no PTR
or MFROM SPF, and MFROM best guess is NEUTRAL, they get the 3
strikes DSN - which clearly says you are getting this DSN because
you don't have a proper SPF, or HELO, or PTR.)


Wonderful!  Spammers lick their chops with crap like this.


Yes, they can forge emails from any poor sucker with no SPF
record that is on the same class C network as the spammer.


It is part of the specs?   No.  So why it is in a Library
that some people will end up using?  You might as well make
it part of the specs.


It's called a convience feature.  Any SPF based whitelisting system
is going to need a best guess feature until adoption is much
higher.  CBV is not part of the SMTP spec, but having it in
a library is good - so every user doesn't have to iron out
the wrinkles all over again.


Sorry, Frank, call me what you like. Its stupid and if people
are scratching their heads as too why SPF gets a bad rap it is
because of moronic ideas like this.


As long as it is clearly separate from the API implementing
the standard, it is not a moronic idea.

In fact, I go one step further.  Pydns supports a configurable DNS
zone with SPF records for regular correspondents that don't have their
own SPF record, and for which the best guess doesn't work.
That also takes care of the case where the spammer is on the
same class C subnet.  Of course, these records are all just
guesses too, just a little more specific and educated - but it
gets the mail through, even though I reject anonymous connections
(no/bad PTR, no/bad HELO, and no SPF).  So go ahead and tell me
I'm moronic...

--
      Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703

591-6154

"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your

subscription,

please go to

http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com


-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your 
subscription, 
please go to 
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [spf-discuss] Is best guess moronic?, Scott Kitterman
Next by Date:  [spf-discuss] Re: Status of the SPF RFC, Frank Ellermann
Previous by Thread:  [spf-discuss] Is best guess moronic?, Stuart D. Gathman
Next by Thread:  [spf-discuss] Re: GMAIL mis-usage of SPF?, Frank Ellermann
Indexes:  [Date] [Thread] [Top] [All Lists]