On Wed, 26 Sep 2007, you wrote:
> That would be cool if we could get buy-in from all the ISPs to trawl
> through their IP ranges and do this... it reminds me of an earlier
> proposal we saw a few years back, called "MTAMark" or "Selective
> Sender".
I looked those up. Yes, you could use CLSPF to entirely replace those
proposals (which only return a yes or no per IP), using "v=clspf -all" or
"v=clspf ?all" records.
However, using "v=clspf -all" sounds quite inadvisable to me. The only
reason you'd want to do that is if you -think- there's no legitimate
server but you're too cowardly to do port 25 blocking. But if your users
are going to bite your head off for port-25 blocking, then probably some
of them are actually going to send mail. The result is that the public
trust that a CLSPF "-all" actually means anything will be weakened, making
"-all" records with exceptions less effective as firebreaks when real
mailservers get hacked.
Although I suppose there's no harm in an ISP using "v=clspf ?all" to say
"67-89.port123-45.smallville.dsl.example.org really did pay us extra for a
mailserver-grade connection, although we're too lazy to assign him a
static-looking rDNS. Please ignore what SORBS-DUL thinks and accept his
mail!"
---- Michael Deutschmann <michael(_at_)talamasca(_dot_)ocis(_dot_)net>
-------------------------------------------
-----------------------------------------------------------------------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/