
Re: [spf-discuss] Re: spamcop and DSN

2006-08-31 11:10:38
On Thu, 31 Aug 2006, Alex van den Bogaerdt wrote:

In this case Stuart sends a DSN:

b) SPF NONE, no PTR, invalid HELO, no guessed pass (3 strikes) - there are a
  LOT of otherwise legitimate senders with this braindead setup.  It causes a
  lot of problems to simply reject them because they are clueless (or
  they would have done it right) and don't know what to do.

Three out of four.  Let's see.  I am hiding at a crappy provider (no
reverse DNS setup but more importantly no pesky abuse department
bothering me while I am conducting my business), I am nowhere near
the network where my sender address is expected (China would be nice),
and I am lying about my hostname.  That would qualify, wouldn't it?

That's not a braindead setup, that's most likely a forger.  And this
is _not_ where the DSN is going to, the DSN is going to the victim.

Believe it or not, that kind of setup represents about 25% of the
legitimate correspondents for my clients.  My clients are in import/export,
and these setups are typically in 3rd world airports or ports.

As I said, for my own domains, I have always rejected such things
out of hand.  But my clients simply can't agree to cut off their customers
just because they have no clue how to configure their email.

I've attempted to talk to some of them with an English-speaking
email administrator.  My most memorable conversation was with a guy
who insisted that "JUPITER" was a perfectly valid HELO name because
MS Exchange accepted it, and who was I to know better than Microsoft?

"JUPITER" has been the canonical invalid HELO name in my mind since.

I do filter *most* of the crap, for instance rejecting HELO names
like 1.2.3.4, and ones that are my own domains (and hence get HELO SPF FAIL).

I have even had problems rejecting on HELO neutral.  Apparently, a lot of
people publish SPF with a neutral default, AND always copy their MFROM to
HELO regardless of where they send it from.

Spamcop agrees that the DSN rate is not too bad - since my client is
only blacklisted once or twice a month for 24 hours.  They wouldn't
get listed at all if the spamtraps gave SPF fail when forged.

I can understand why spamcop doesn't do that, however.  It would be
too easy for a spammer to test potential forged MFROMs for SPF fail before
using them.  And then the spamtraps would be useless.  On the other hand,
then the spammers would have stopped using my domains, and anyone else's
with decent SPF records ... which is a good thing.

P.S.  I have gotten death threats via email from people who want me
to stop sending them spam.  They apparently don't check SPF.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
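
[Added example, not part of the original message and not the poster's own code.] A sketch of the HELO checks and the "3 strikes" case described above. The function names, the result labels and the LOCAL_DOMAINS value are assumptions made for illustration; the SPF result, PTR lookup and "guessed pass" are taken as inputs computed elsewhere.

```python
import ipaddress
import re

# Assumption: the receiving site's own domains (constructed sample value).
LOCAL_DOMAINS = frozenset({"example.com"})

# One DNS label: letters, digits, hyphen; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify_helo(helo, local_domains=LOCAL_DOMAINS):
    """Classify a HELO/EHLO argument by syntax and by whose name it claims."""
    name = helo.strip().rstrip(".").lower()
    try:
        ipaddress.ip_address(name)
        return "bare-ip"            # e.g. "1.2.3.4": not a domain, not a literal
    except ValueError:
        pass
    if name.startswith("[") and name.endswith("]"):
        return "address-literal"    # bracketed form, e.g. "[192.0.2.1]"
    labels = name.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        return "not-fqdn"           # e.g. "JUPITER"
    if any(name == d or name.endswith("." + d) for d in local_domains):
        return "own-domain"         # outside host claiming to be one of ours
    return "ok"


def decide(helo, spf_mfrom, has_ptr, guessed_pass):
    """Return 'reject', 'dsn' or 'accept' for a connection from an outside IP.

    spf_mfrom    -- SPF result string for the MAIL FROM identity
    has_ptr      -- True if the connecting IP has reverse DNS
    guessed_pass -- True if a guessed ("best guess") SPF policy passes
    """
    kind = classify_helo(helo)
    # Rejected outright in the message: bare IPs, and our own domain names
    # (which get HELO SPF fail when the client is not one of our hosts).
    if kind in ("bare-ip", "own-domain"):
        return "reject"
    strikes = (spf_mfrom == "none", not has_ptr, kind == "not-fqdn")
    if all(strikes) and not guessed_pass:
        return "dsn"                # case b): accepted, and a DSN is sent
    return "accept"


if __name__ == "__main__":
    # Constructed sample connections.
    for args in (("JUPITER", "none", False, False),
                 ("1.2.3.4", "pass", True, False),
                 ("mx.example.net", "pass", True, False)):
        print(args, "->", decide(*args))
```
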
