spf-discuss
[Top] [All Lists]

Re: [spf-discuss] Senderside forwarder-problem mitigation

2009-07-08 08:43:29
On Wed, Jul 8, 2009 at 8:35 AM, Scott Kitterman<scott(_at_)kitterman(_dot_)com> 
wrote:
On Wed, 8 Jul 2009 01:00:14 -0700 (PDT) Michael Deutschmann
<michael(_at_)talamasca(_dot_)ocis(_dot_)net> wrote:
On Tue, 7 Jul 2009, Scott Kitterman wrote:
On Mon, 6 Jul 2009 01:10:01 -0700 (PDT) Michael Deutschmann
But others may see SPF as valuable only as a backscatter preventer, and
presently not very effective because sane ISPs will not turn SPF on
globally.
They would love to use "fm=hard" to tell a receiver "go ahead and ignore
the
forwarder problem; I accept responsibility for the FP risk.".

This is what the current -all means (to a very close approximation).  Why
would receivers believe this if they don't believe -all.

The problem is that there are basically two different versions of SPFv1,
which use identical syntax but have different semantics.  (SenderID
produced
another pair, but that's a whole other story....)

In Gathman-SPF, SPF is applied by default after a forwarder whitelist has
exempted part of the mailstream.  No forwarder whitelist means no rejecting
solely due to SPF fail.  In this protocol, almost everyone can use -all
senderside, but it is foolish for an mail admin who doesn't know his users
well (such as in large ISPs) to deploy receiverside SPF checking that does
more than header tagging.

In Vessely-SPF, SPF is to be applied literally, with SPF fail being
binding.
In this protocol, only two groups are entitled to actually use -all
senderside: SES/BATV users with a magic DNS server referenced in exists,
and
people who are desperate enough to stop backscatter that they will
willingly
risk rejected forwards.  But receiver admins are assured that they can and
should arm reject-on-fail for users they don't know much about.

V-SPF mostly gives inferior information.  In V-SPF, softdeny is pointless,
and V-SPF neutral collapses together G-SPF neutral, softdeny and fail. But
V-SPF's fail maps to something that just doesn't exist in G-SPF.

The differences are under the control of the receiver, so there is really
nothing to specify on the sender side.

Scott K



+1

I'm more focused on the use of SPF (plus DKIM signing) in the context
of phishing.

General rant (not directed at Scott):

As a sender, if I publish a record that ends in -all and you, the
receiver choose to pass mail claiming to be from one of my domains
(that fails) to one of your endusers, I am going to point them in your
direction when they contact me about that phishing email. I can't
force you to any given behavior (King Canute invocation) but I can
make sure that your endusers know that I have taken steps to provide
you with clear information as to which IP addresses are authorized to
send mail for particular domains.


-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com

<Prev in Thread] Current Thread [Next in Thread>