spf-discuss

Re: [spf-discuss] When receiving mail servers undermine the purpose of SPF - a domain owners perspective

2006-06-13 13:12:35
On Tue, 13 Jun 2006, Claire Campbell wrote:

In all the non-technical documentation I have read on SPF, I can find no
recommendation to reject mail on the basis of a neutral SPF result but
rather to treat it as if it had no SPF record. Logically, therefore, any
Internet/Mail Service provider that chooses to reject mail on the basis of a
neutral SPF result should also reject mail from domains with no SPF record.
To do otherwise can only serve to penalise responsible domain owners who are
at least aware of the problem + making the effort to become part of the
solution. By the law of unintended consequences it also plays directly into
the hands of spammers and other criminal elements who can safely exploit
this loophole by sending mail from their own domains and then claim that
they were the victims of domain name forgery, with no SPF record to prove
otherwise. For the end user this can only result in more spam/phishing mails
and less prospect of them receiving legitimate e-mail.   

For heavily forged domains (e.g. I just added earthlink - I was getting
hundreds of "earthlink.net" forgeries a day), I reject on NEUTRAL (which
also includes NONE unless it gets a "guessed" PASS from "v=spf1 a mx ptr").  I
agree that penalizing SPF publishers more than non-publishers is
counterproductive.  Certainly a blanket policy by a large ISP of rejecting on
NEUTRAL by default is anti-social.

While you might not be able to get a PASS with a shared provider, you
could at least get a FAIL for mail that doesn't come from an authorized
provider.  Then small servers like mine wouldn't have any reason to
add you to a NEUTRAL blacklist.

Also, many people use NEUTRAL for mail sent from home ISP or roaming 
users.  Don't do this!  Use SMTP AUTH to relay such mail through an
authorized MTA.  Most (all) commercial providers have no technical
protection against cross-user forgery even with SMTP AUTH (SPF is the
killer application for proper SMTP AUTH implementation - and commercial
providers haven't realized this yet).  If you are concerned about liability,
you should get your own relay MTA.

The bottom line lesson is that SPF allows per domain policies.  Applying
blanket local policies that are not based on individual domain behaviour
defeats the whole purpose of SPF.

BTW, I track spam ratio by domain to identify badly behaved domains
(like earthlink).  Eventually, all the policy changes will be automated.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
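The per-domain policy the reply describes (reject on NEUTRAL only for heavily forged domains, NONE treated like NEUTRAL unless a best-guess check passes, and domains promoted automatically from a tracked spam ratio), as an added Python illustration that is not code from this thread or from any SPF implementation. The SPF result string, the `guessed_pass` flag and the ratio thresholds are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Result strings as an upstream SPF checker would report them (assumed).
SPF_RESULTS = {"pass", "fail", "softfail", "neutral", "none", "temperror", "permerror"}


@dataclass
class DomainPolicy:
    # SPF results that cause a rejection for one domain; default rejects FAIL only.
    reject_on: frozenset = frozenset({"fail"})


@dataclass
class SpfPolicyEngine:
    default: DomainPolicy = field(default_factory=DomainPolicy)
    per_domain: dict = field(default_factory=dict)   # domain -> DomainPolicy
    stats: dict = field(default_factory=dict)        # domain -> (total, spam)

    def add_heavily_forged(self, domain):
        # A domain being forged at volume is also rejected on NEUTRAL.
        self.per_domain[domain.lower()] = DomainPolicy(frozenset({"fail", "neutral"}))

    def decide(self, domain, result, guessed_pass=False):
        result = result.lower()
        if result not in SPF_RESULTS:
            raise ValueError(f"unknown SPF result: {result}")
        # NONE is treated like NEUTRAL, unless the best-guess policy
        # "v=spf1 a mx ptr" would have produced a PASS (guessed_pass, assumed flag).
        if result == "none":
            result = "pass" if guessed_pass else "neutral"
        policy = self.per_domain.get(domain.lower(), self.default)
        return "reject" if result in policy.reject_on else "accept"

    def record(self, domain, is_spam):
        # Track per-domain spam ratio so policy changes can be automated later.
        d = domain.lower()
        total, spam = self.stats.get(d, (0, 0))
        self.stats[d] = (total + 1, spam + int(is_spam))

    def auto_update(self, threshold=0.9, min_samples=100):
        # Promote domains whose observed spam ratio is high enough, with a
        # minimum sample size so a handful of messages cannot flip a policy.
        promoted = []
        for d, (total, spam) in self.stats.items():
            if total >= min_samples and spam / total >= threshold and d not in self.per_domain:
                self.add_heavily_forged(d)
                promoted.append(d)
        return sorted(promoted)
```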

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/