On Wed, 30 Aug 2006, Frank Ellermann wrote:
> > they seem to be oblivious to the fact that spammers are
> > using their spamtrap addresses for MAIL FROM! Should I
> > waste my time trying to explain why their system needs
> > some work?
> AFAIK they know this. I wonder why you send unsolicited
> DSNs to unverified Return-Paths. That's net abuse, or did
> I miss something in your scenario ?
My client is getting blacklisted on average once every 18 days.
That is not very many bogus bounces. A blacklist lasts for 24 hours, so
it is not as bad as I thought originally. Of course, I immediately reject
all the obvious forgeries (HELO fail, for instance - amazing how many
forgeries use my own HELO). SPF FAIL gets a reject. If there is
a valid PTR, or it gets a PASS, or a guessed pass from "v=spf1 a/24 mx/24 ptr",
or has a valid HELO, it gets delivered (and content filtered). There is
a DSN for quarantined mail - but only if MAIL FROM gets SPF or guessed PASS
(I think - I'll double check the code).
There are two circumstances in which I send a DSN by default:
a) SPF softfail - because the sender is asking for debugging help
b) SPF NONE, no PTR, invalid HELO, no guessed pass (3 strikes) - there are a
LOT of otherwise legitimate senders with this braindead setup. It causes a
lot of problems to simply reject them because they are clueless (or
they would have done it right) and don't know what to do.
Whether to send DSN is configurable. I simply reject case b in my own setup.
But clients are concerned about missing email from email-clueless customers.
Spamcop suggests using another public IP for DSNs. This is reasonable
and feasible for most of my clients.
I have to walk a fine line between demanding authentication as much as
possible, and not blocking clueless senders. Eventually those clueless
senders need to get a clue.
--
Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
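The accept/reject/DSN policy Stuart describes above, written out as a small decision function. This is an added example, not Stuart's milter code and not pymilter; the rule ordering (forgery rejects first, softfail next, then the four "deliver" signals, then the three-strikes fallback), the treatment of neutral and error SPF results as if they were NONE, and all names below are assumptions made to turn the prose into something runnable.

```python
"""Model of the MAIL FROM / HELO acceptance policy from the message above.

Added example, not code from the original post or from pymilter. The rule
order and every identifier here are assumptions; the message gives the
rules but not the order in which its milter evaluates them.
"""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    REJECT = "reject"          # 5xx at SMTP time, no DSN is ever generated
    DELIVER = "deliver"        # accept, then content-filter
    DSN = "hold-and-dsn"       # hold the message and send a DSN to MAIL FROM


@dataclass
class Envelope:
    mail_from_spf: str     # SPF result for MAIL FROM: pass/fail/softfail/none/...
    helo_spf: str          # SPF result for the HELO name
    helo_valid: bool       # HELO name is valid (resolves, not our own name)
    has_ptr: bool          # connecting IP has a valid PTR
    guessed_pass: bool     # best-guess "v=spf1 a/24 mx/24 ptr" evaluates to pass


def classify(env: Envelope, dsn_for_three_strikes: bool = True) -> Action:
    """Return what to do with a message at end of MAIL FROM / RCPT time.

    dsn_for_three_strikes mirrors the configurable choice in the message:
    clients default to sending a DSN for case (b); the author rejects instead.
    """
    # Obvious forgeries are rejected outright: HELO SPF fail or MAIL FROM
    # SPF fail. Rejecting at SMTP time means no DSN, so no backscatter.
    if env.helo_spf == "fail" or env.mail_from_spf == "fail":
        return Action.REJECT

    # Case (a): softfail. The domain owner published ~all, i.e. asked for
    # feedback, so a DSN goes back to the Return-Path.
    if env.mail_from_spf == "softfail":
        return Action.DSN

    # Any one of these four signals is enough to deliver (and content-filter).
    if (env.mail_from_spf == "pass" or env.guessed_pass
            or env.has_ptr or env.helo_valid):
        return Action.DELIVER

    # Case (b), "three strikes": no SPF record (neutral/error treated the
    # same here, an assumption), no PTR, invalid HELO, no guessed pass.
    return Action.DSN if dsn_for_three_strikes else Action.REJECT


def dsn_allowed_for_quarantine(env: Envelope) -> bool:
    """A DSN for content-quarantined mail is only sent when the Return-Path
    was verified: SPF PASS or a guessed PASS. Otherwise the bounce would go
    to whoever the spammer forged, which is exactly the abuse Frank raises."""
    return env.mail_from_spf == "pass" or env.guessed_pass


if __name__ == "__main__":
    # Constructed sample envelopes, not real traffic.
    samples = {
        "forged MAIL FROM, SPF fail": Envelope("fail", "none", True, True, False),
        "forged HELO (our own name)": Envelope("none", "fail", False, True, False),
        "softfail domain": Envelope("softfail", "none", True, True, False),
        "clueless but has PTR": Envelope("none", "none", False, True, False),
        "three strikes": Envelope("none", "none", False, False, False),
    }
    for label, env in samples.items():
        print(f"{label:30} -> {classify(env).value:12} "
              f"(DSN on quarantine: {dsn_allowed_for_quarantine(env)})")
```

The `dsn_allowed_for_quarantine` check is the part worth copying: it is what keeps a quarantine-notification path from turning into a backscatter source, independent of which of the two `dsn_for_three_strikes` settings a given client chooses.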