spf-discuss

Re: [spf-discuss] Current spf record for comcast.net?

2007-01-25 06:09:10
At 07:21 PM 1/24/2007 -0800, William Leibzon wrote:
On Wed, 24 Jan 2007, David MacQuigg wrote:

An IPwhois lookup on 206.18.177.0 shows an allocation of 206.16.0.0/14 by the ARIN Regional Registry. That should cover the addresses shown by Rene and Guy and any others in that block that Comcast might decide to use without notice.

Like any address within 73.0.0.0/8 (comcast has lots of space...)

Well, adding that block might be a bit too much. I'll wait until I see some mail from one of those addresses. It usually resolves to a smaller block, but I'll add this big one if there is no alternative.

If that block includes a few zombies, Comcast's reputation will suffer further. They can fix it by publishing a list of their authorized servers, and excluding the zombies.

Of course by zombies here you mean any cable user no matter if his system
is or is not a spammer-controlled bot.

Correct. A well-run ISP should not allow any cable user to say 'HELO this is comcast.net'. Just to clarify, we are using our IP lists for the HELO check only. The MAIL FROM check follows the normal SPF rules.

The strategy now is to not waste any time arguing with the Comcasts of the world, but simply take whatever they give us, and let their reputation fall where it may. There are plenty of companies like AOL that have an excellent reputation, and it doesn't take much effort to go at least the first step - publish your authorized servers. This should be easy even for a big company that relies on spammers for most of its income. The zombies are not paying customers.

I've been told comcast mail servers are not hidden "on purpose",
it's just that they still operate with a number of separate units and separated network segments and they want some of those separate
networks to have their own mail servers both to distribute traffic
from their users and to allow flow of mail when there are network
issues between their network segments... But in fact actually what
you're seeing is nowhere quite as bad as it could have been if they
entirely followed this strategy (so quite a bit of centralization
does take place). Note also that as bureaucracies go this is a big one
(worse than MS and you may remember problems they had updating their
SPF record), just collecting all the data from their various
subdivisions would be a difficult task for such a company.

I've heard similar arguments from CompuServe in 1982 making excuses for why they couldn't exchange emails with other services. Small services have more incentive to cooperate, and when the aggregate of small services is larger than Comcast, suddenly Comcast will discover that listing their authorized transmitters wasn't that difficult after all.

The next step is where it gets interesting. Comcast could use different IDs for different mailflows, allowing the reputation of 'comcast.net' to fall where it may, and using a different ID for their reputable mail. Spammers would then demand that their mail be sent under the reputable ID, and Comcast would have a tough decision. However they try to hide it, the basic deal will involve selling reputation earned by their non-spam customers to people who will quickly ruin that reputation. My guess is Comcast will say no, and the spammers will lose. If they say yes, their non-spam customers will move to another company. What is left won't be worth anything to even the spammers.

The problem is that Comcast is a monopoly in its sector - you can not
get cable internet through somebody else (DSL and wireless are however
a competitor but it's not quite the same and there may not be good
alternatives in some areas).

Even if your only network provider is Comcast, you can still send your outgoing mail via any service you like, or you can operate your own transmitter under your own name (assuming your network provider doesn't block port 25).

And for monopolies the typical market economy
strategy as you outline would not work (i.e. users would not be able
to leave and could suffer even if provided bad service). But not everything is lost - in the US such monopolies are controlled through government regulation, so the feedback loop here would not be that
users complain about bad reputation to the government which tries
to regulate by requiring them to abide by certain policies and
deal with complaints on a certain time basis, but I'm just guessing
as to where and how it would go.

Government regulation won't work because no one government can control the whole Internet, and even if they could, would you really want clueless bureaucrats making the rules? I believe that market forces can be made to work, if we are careful to avoid the hurdles that have stopped us so far. We cannot expect senders to do anything that is not in their immediate best interests. They are not going to pay a fee, or install new software, or do anything other than possibly publish a list of their own transmitters to gain whitelist privileges for their own customers.

They already provide this information to big companies like Yahoo. They just need to publish it in a form that is easily accessed. SPF records are almost sufficient, and we use them to create default records, but they are just a little short of what we need for a robust HELO check. So we ask senders who offer SPF authentication to go one more step and publish "helo=spf" at _auth.<domain>. The incentive is an immediate improvement in their reputation, because we can then reject the zombies using their name.

-- Dave
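The HELO check Dave describes, as an added example that is not part of the thread: the receiver builds an IP list from the HELO domain's SPF record (ip4/ip6 and include: terms) and only enforces it when the sender has opted in by publishing "helo=spf" at _auth.<domain>. The zone data, domain names and addresses are constructed stand-ins, not real comcast.net records; the `a`, `mx` and `ptr` mechanisms need live DNS and are skipped here.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups (not real zone data).
ZONE_TXT = {
    "example.net": "v=spf1 ip4:206.16.0.0/14 +ip4:73.0.0.0/8 include:relay.example.net -all",
    "relay.example.net": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "_auth.example.net": "helo=spf",            # sender opted in to HELO checking
    "other.example": "v=spf1 ip4:198.51.100.0/24 -all",  # has SPF but no opt-in
}

def spf_networks(domain, resolver=ZONE_TXT, depth=0):
    """Collect the ip4/ip6 networks a domain's SPF record authorizes, following include:."""
    if depth > 10:                      # RFC 4408 caps DNS-querying mechanisms; stop runaway includes
        return []
    record = resolver.get(domain, "")
    if not record.startswith("v=spf1"):
        return []
    nets = []
    for term in record.split()[1:]:
        term = term.lstrip("+")         # '+' is the default (pass) qualifier
        if term.startswith(("ip4:", "ip6:")):
            nets.append(ipaddress.ip_network(term.split(":", 1)[1], strict=False))
        elif term.startswith("include:"):
            nets.extend(spf_networks(term.split(":", 1)[1], resolver, depth + 1))
        # a/mx/ptr/exists need live DNS and are not handled; -all/~all just ends the record
    return nets

def helo_opt_in(domain, resolver=ZONE_TXT):
    """True when the sender published helo=spf at _auth.<domain> (the opt-in described above)."""
    return resolver.get("_auth." + domain, "").strip().lower() == "helo=spf"

def check_helo(helo_name, client_ip, resolver=ZONE_TXT):
    """Return 'pass', 'reject' or 'none' for a client claiming 'HELO <helo_name>'."""
    if not helo_opt_in(helo_name, resolver):
        return "none"                   # sender did not ask for HELO enforcement
    nets = spf_networks(helo_name, resolver)
    if not nets:
        return "none"                   # nothing usable to enforce against
    addr = ipaddress.ip_address(client_ip)
    # An IP outside the published list is a zombie using the sender's name.
    return "pass" if any(addr in net for net in nets) else "reject"

if __name__ == "__main__":
    for ip in ("206.18.177.10", "192.0.2.7", "203.0.113.5"):
        print(ip, check_helo("example.net", ip))
```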
-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/