Julian Mehnle wrote:
>> It's IMNSHO an utterly dubious idea to treat "?all" differently from a "?"
>> elsewhere. It's also perfectly okay to offer "PASS or ?all" policies
>> for inclusion.
> Who suggested any such thing?
You said "?all" is for wimps. But some folks believe that 1123 5.3.6(a)
is no bug and/or don't wish to talk about such forwarders in their
policy.
Or they don't understand that "?all" or "-all" is irrelevant for a policy
designed for inclusion. Or they understand it perfectly well, and consider
it too dangerous if used with "redirect=".
"Specific NEUTRAL" vs. "unspecific NEUTRAL" vs. "NONE" is an old topic
here, closely related to the old "HARDPASS" vs. "SOFTPASS" discussions.
> [op=auth]
> this has nothing to do with whether domain-based reputation can be
> applied. If a domain insists that it does not want to (or is unable
> to) prevent cross-user forgery, but abusive e-mail gets sent from
> hosts authorized by that domain using that domain as the envelope
> sender, the domain will still earn a bad reputation for using
> insecure infrastructure.
You might be better off if you bind the reputation to the HELO or IP
in such cases. Otherwise your reputation database would be huge, and
all vanity hosts like xyzzy.claranet.de deserve in essence the same
reputation, as far away from any op=auth as in your worst nightmares.
At least they do some outbound spam checking now. For some time I had
serious difficulties sending a mail, because they claimed that my IP
was listed by some DUL list (so the dyn. IP I got from them was really
a dyn. IP, surprise, spam score +1.9), then they checked SPF on my
submitted mail (spam score +0.5, xyzzy.claranet.de does not permit
dyn. IPs by claranet.de to send mail from xyzzy.claranet.de). For
some time I thought that they confuse MSA and MX, and I'm still not
sure, because they also did "call forward verification", _outbound_.
Sometimes I fear that they've published a FAIL policy without knowing
what it's supposed to do. Especially when they don't use SPF to
reject mails, and accept mails from unknown strangers claiming to
be xyzzy.claranet.de (no claranet.de IP), it's really hopeless. :-(
They also accept mails from open proxies BL'ed by cbl.abuseat.org,
big fun to dig through about 10,000 spams daily with a V.90 line.
Less than daily is no option, I'd go over quota (150 MB).
Frank
-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
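
The difference discussed in the message above between a trailing "?all" or "-all" in an included policy and in a "redirect=" target, as an added example that is not part of the original post: a minimal evaluator for a subset of SPF (ip4, all, include, redirect only). The domain names, addresses and the `RECORDS` table are constructed placeholders, and no DNS lookups are made.

```python
import ipaddress

# Constructed sample policies (placeholders, not real DNS data).
RECORDS = {
    "provider-soft.example": "v=spf1 ip4:192.0.2.0/24 ?all",
    "provider-hard.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "incl-soft.example": "v=spf1 include:provider-soft.example ip4:198.51.100.7 -all",
    "incl-hard.example": "v=spf1 include:provider-hard.example ip4:198.51.100.7 -all",
    "redir-soft.example": "v=spf1 redirect=provider-soft.example",
    "redir-hard.example": "v=spf1 redirect=provider-hard.example",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, depth=0):
    """Evaluate ip against domain's policy (subset: ip4, all, include, redirect)."""
    record = RECORDS.get(domain)
    if record is None:
        return "none"
    if depth > 10:                      # guard against include/redirect loops
        return "permerror"
    redirect = None
    for term in record.split()[1:]:     # skip the "v=spf1" version tag
        if term.startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term[1:] if term[0] in QUALIFIERS else term
        if mech == "all":
            matched = True
        elif mech.startswith("ip4:"):
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(mech[4:])
        elif mech.startswith("include:"):
            inner = check_host(ip, mech[8:], depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            # include matches only on Pass; the included policy's
            # fail/softfail/neutral just means "no match, keep going".
            matched = inner == "pass"
        else:
            return "permerror"          # mechanism outside this subset
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:
        # redirect adopts the target's result, so its "all" term decides.
        result = check_host(ip, redirect, depth + 1)
        return "permerror" if result == "none" else result
    return "neutral"
```

For an address outside 192.0.2.0/24, both including policies give the same result whichever provider record they include, while the two redirecting policies differ.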