
Re: [spf-discuss] Re: Re: Forwarder whitelisting reloaded

2008-01-17 01:02:11
On Thu, 17 Jan 2008, Frank Ellerman wrote:
> B:  I think that's no specific "forwarding" problem, a receiver
> accepting NONE / NEUTRAL is in trouble if he can't deliver the
> mail.  That's why SPF was invented, for FAIL reject works, for
> PASS accept works, and for NONE / NEUTRAL it's a hard problem.

If a mail system has backup MXes, and is misconfigured so that the
primary MX might 5xx mail from the backup, then something like Problem B
can occur.  In fact, this is likely the cause of most backscatter.

To prevent it, the only sensible thing for a sysadmin with backup MXes to
do is to always give the backups carte blanche.  Primary MX thinks it's
spam? -- then too bad, once the backup acknowledges CR LF . CR LF it's
*too late*.  Mailbox over quota? Then disregard the quota and add the
message to the mailbox anyway.

The common thread among all three forwarding problems is that the
forwarder is a quasi backup MX for the forward-to domain, but usually
isn't recognized as such by that domain.

If the recipient mail admin is ignorant of the forwarder's
quasi-backup-MX status, then he can't really be blamed for Problem B. But
if he gathers the information needed to solve Problem S and Problem K,
then he *knows* which mail transactions are forwards.  Since his decision
might bring the wrath of backscatterer.org on the forwarder, it is
dishonourable for him not to extend backup-MX-like superwhitelisting for
those transactions.

Once an honourable mail admin *knows* that a given message is
a trusted forward, he must turn off spam defenses so that he
doesn't force Problem B on an innocent other admin.

That would limit the next hop to the defenses available at the
forwarder, neither "better" nor "different" would be honourable.

That may annoy the recipient, but it is unavoidable.  Once the forwarder
has acknowledged the badguy's CR LF . CR LF it is too late to appeal the
forwarder's judgement.  (unless the mail was SPF pass.)

The recipient just has to learn to use the anti-spam "control panel" the
forwarder provides him, even if he finds it less user-friendly or capable
than the one at his home ISP.

---- Michael Deutschmann <michael(_at_)talamasca(_dot_)ocis(_dot_)net>
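
An added sketch, not part of the message above, of the end-of-DATA policy it argues for: trusted relays (backup MXes, known forwarders) are never given a 5xx unless the relay saw SPF pass, and the result is compared with a policy that treats every client alike. The relay addresses, the `upstream_spf` field (assumed to be the SPF result the relay recorded, for example in a Received-SPF header) and the sample transactions are constructed.

```python
import ipaddress

# Constructed relay list (documentation ranges); not taken from the thread.
TRUSTED_RELAYS = [ipaddress.ip_network("192.0.2.0/28"),      # own backup MXes
                  ipaddress.ip_network("198.51.100.25/32")]  # known forwarder

def is_trusted_relay(client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in TRUSTED_RELAYS)

def naive_decision(spf, looks_like_spam, over_quota):
    """Reply code at end of DATA when every client is treated alike."""
    if spf == "fail" or looks_like_spam:
        return 550
    return 552 if over_quota else 250

def relay_aware_decision(t):
    """Reply code when backup MXes and known forwarders are superwhitelisted."""
    if not is_trusted_relay(t["client_ip"]):
        return naive_decision(t["spf"], t["looks_like_spam"], t["over_quota"])
    if t["upstream_spf"] != "pass":
        # The relay already acknowledged the message; a 5xx now makes it
        # bounce to an unverified MAIL FROM, so accept regardless.
        return 250
    # Upstream SPF pass: a bounce reaches the real sender, so filters may
    # still reject. Local SPF against the relay's IP is meaningless here.
    return naive_decision("pass", t["looks_like_spam"], t["over_quota"])

def backscatter_count(transactions, relay_aware):
    """Count rejections a trusted relay must bounce to an unverified sender."""
    count = 0
    for t in transactions:
        code = (relay_aware_decision(t) if relay_aware else
                naive_decision(t["spf"], t["looks_like_spam"], t["over_quota"]))
        if (code >= 500 and is_trusted_relay(t["client_ip"])
                and t["upstream_spf"] != "pass"):
            count += 1
    return count

def tx(client_ip, upstream_spf, spf, looks_like_spam, over_quota):
    return dict(client_ip=client_ip, upstream_spf=upstream_spf, spf=spf,
                looks_like_spam=looks_like_spam, over_quota=over_quota)

# Constructed transactions: (client, SPF at relay, SPF here, spam?, over quota?)
SAMPLE = [tx("198.51.100.25", "none", "fail", True, False),    # forwarded spam
          tx("192.0.2.5", "neutral", "none", False, True),     # via backup MX
          tx("198.51.100.25", "pass", "fail", True, False),    # forwarded, SPF pass
          tx("203.0.113.9", None, "fail", False, False),       # direct, SPF fail
          tx("203.0.113.10", None, "pass", False, False)]      # direct, clean
```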
