
Re: [spf-discuss] Re: [spf-help] How reliable is it to block/reject on SPF fail?

2009-11-27 10:08:29
At 11:13 27/11/2009  Friday, Ian Eiloart wrote:


--On 26 November 2009 19:42:05 +0000 alan 
<spfdiscuss(_at_)alandoherty(_dot_)net> wrote:


But many people don't "select" their forwarders. For example, our
students can opt to have their "sussex.ac.uk" email forwarded to a third
party account. They can't choose who does the forwarding, though!

well actually they could {if you didn't already do srs} they could get a
provider like ourselves to middle-man the mail  {by setting yours to
forward to us}
so we make it SRS compliant and before it reaches the whitelisting
incapable end destination {like a lot of businesses with exchange have
to}

Oh, OK. I didn't know that service existed. What's your web site?

none atm {there is just an internal how-to for users/dsl subscribers}
yeah they are a small startup and not effectively marketing beyond the geeks {and 
the companies they work for}/word of mouth atm

if user has no method of disabling spf-checking on mail to him from
non-srs-forwarders-ip then he should be selecting a different
end-reception supplier as the current one is ill equipped to accept
non-srs-forwards {and thus should either ban non-srs-forwarding or not
reject on spf-fail}

Perhaps they'd be well advised to. Unfortunately, most end users don't
know about SPF. And, they don't know that they don't know!

they shouldn't have to but you just {like us} have a big button allowing
them to whitelist the sender {in webmail} {only shown if the mail appeared
to be forwarded} that brings them to the whitelisting of forwarders
section of the api {or in our case a link in our web based "your mail
that was rejected log" beside any rejected due to SPF fail but the means
are many, hotmail do it by encouraging users to give their
forwarding-here address and I suspect then probing them to see if they
need whitelisting or not {i must play with this option for our own few
users who aren't techies, luckily very few atm}

Yes, it would be helpful if all mail providers did that. Would be nice to have 
a way that mail clients like Thunderbird could set such whitelisting options. 
Unfortunately, they don't always interact with the inbound MTA at all, so some 
new standard might be needed for this.

we provide links in the headers for pop3/imap users to the section of the 
received mail log for that mail {on the internal web-site} 
which in turn has inline linked options to turn on blocking for each smtp time 
test the received mail failed {that they were obviously currently not blocking 
on}
and to whitelist/blacklist the sender ip {and the whitelist page offers 
whitelist for all-failures/spf-failures/pbl-failures......the list goes on}
it's all quite user tweakable 
from draconian 
accept no mail that isn't whitelisted
to accept all mail even the infected crap

someday I'll make the web based admin stuff look nice and fully functional {and 
secure}
{features are added to exim about 3 months before the user interface to feature 
is built}
{so during the cross over the api is phone me}

then open source release the lot
{any c coders wanting to help with a related sub project are welcome to 
volunteer time}

{srs-based-forwarders re-write the envelope sender so couldn't fail SPF}

*yes anyone rejecting on spf fail needs to have a system for allowing
users to whitelist their non-srs-forwarders, the software capable of
doing this has been around for long enough, and unfortunately srs is
still not common enough in most low end MTA's {like exchange}

True. Though I believe that the latest version of Exchange forwards
email with the return-path set to the original recipient address. Not
good, but it doesn't break SPF!

if it does it's very new

I read some complaints about the facility. I don't have any direct experience, 
though.

it's long been my argument against sender-id that if it was any use M$
would at least make its own exchange capable of forwarding in a sender-id
compliant way {which of course is even more complex than SRS as it
involves body re-writing too, and it wasn't even capable of the SRS based
bit} {they of course allow you to block on sender-id fail, making all
forwarding within an exchange only group impossible, DOH!}



-- 
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/
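The thread turns on two mechanisms: an SRS forwarder rewriting the envelope sender so the forwarded mail cannot fail SPF at the destination, and a receiving MTA that only rejects on SPF fail when the connecting IP is not one of the user's whitelisted non-SRS forwarders. The block below is an added illustration written for this archive page; it is not alan's exim setup, Ian's system, or any SRS library's code. It models the SRS0 address form (SRS0=hash=timestamp=domain=local@forwarder) with a truncated HMAC-SHA1 tag, a two-character base32 day counter and a 21-day validity window; the secret, the forwarder domain, the sample addresses and IPs are all constructed for the example.

```python
import base64
import hashlib
import hmac
import time

# Constructed values for this example: the forwarder's private HMAC secret and
# the domain that appears on the right of every rewritten envelope sender.
SRS_SECRET = b"constructed-example-secret"
FORWARDER_DOMAIN = "forwarder.example"
BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"  # RFC 4648 alphabet used for the day stamp
MAX_AGE_DAYS = 21  # bounces to an SRS address older than this are refused


def _day_stamp(day):
    # Two base32 characters carry the day count modulo 1024 (the SRS0 convention).
    day %= 1024
    return BASE32[(day >> 5) & 31] + BASE32[day & 31]


def _decode_day_stamp(stamp):
    if len(stamp) != 2 or any(c not in BASE32 for c in stamp):
        raise ValueError("malformed SRS timestamp")
    return BASE32.index(stamp[0]) * 32 + BASE32.index(stamp[1])


def _tag(stamp, domain, local):
    # Keyed hash over the rewritten fields so a bounce cannot be forged by
    # anyone who does not hold SRS_SECRET; four base64 characters as in SRS0.
    msg = f"{stamp}{domain}{local}".lower().encode()
    return base64.b64encode(hmac.new(SRS_SECRET, msg, hashlib.sha1).digest())[:4].decode()


def srs_forward(envelope_sender, day=None):
    """Rewrite local@domain into SRS0=tag=stamp=domain=local@FORWARDER_DOMAIN."""
    if day is None:
        day = int(time.time() // 86400)
    local, domain = envelope_sender.rsplit("@", 1)
    stamp = _day_stamp(day)
    return f"SRS0={_tag(stamp, domain, local)}={stamp}={domain}={local}@{FORWARDER_DOMAIN}"


def srs_reverse(rewritten, day=None, max_age_days=MAX_AGE_DAYS):
    """Check a bounce aimed at one of our SRS0 addresses and recover the original sender.

    Raises ValueError when the address is not ours, is malformed, carries a bad
    tag (tampered or forged) or is older than the validity window.
    """
    if day is None:
        day = int(time.time() // 86400)
    local, at_domain = rewritten.rsplit("@", 1)
    if at_domain.lower() != FORWARDER_DOMAIN:
        raise ValueError("not an SRS address for this forwarder")
    parts = local.split("=", 4)  # maxsplit keeps any '=' inside the original local part
    if len(parts) != 5 or parts[0] != "SRS0":
        raise ValueError("malformed SRS0 address")
    _, tag, stamp, domain, orig_local = parts
    if not hmac.compare_digest(tag, _tag(stamp, domain, orig_local)):
        raise ValueError("bad SRS tag")
    age = (day - _decode_day_stamp(stamp)) % 1024
    if age > max_age_days:
        raise ValueError("SRS address expired")
    return f"{orig_local}@{domain}"


def should_reject(spf_result, connecting_ip, forwarder_whitelist):
    """Receiver policy from the thread: reject on SPF fail only when the
    connecting IP is not a forwarder the user has whitelisted."""
    if spf_result != "fail":
        return False
    return connecting_ip not in forwarder_whitelist


if __name__ == "__main__":
    rewritten = srs_forward("alice@sussex.ac.uk", day=100)
    print(rewritten)
    print(srs_reverse(rewritten, day=105))
    # A non-SRS forwarder's IP that the user has whitelisted is not rejected.
    print(should_reject("fail", "192.0.2.10", {"192.0.2.10"}))
```

Run as-is it prints a rewritten address, the recovered original sender, and `False` for the whitelisted forwarder. The hash tag is what makes the forwarder safe to run: without it, anyone could craft an SRS0 address and use the forwarder as a bounce relay to the embedded original sender.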


-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/

Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com
