At 19:43 20/01/2010 Wednesday, Barry Say wrote:
Thanks for the replies.
The problem I encountered was that the user had changed his ISP provider but
is still using his old email address. So that an e-mail apparently from
tiscali.co.uk is coming from a bt.com server. Truly an SPF failure and
entirely beyond my control.

yup unless tiscali provide a standard submission server to external users {many
ISPs do, especially ones publishing spf} but if they don't it's a simple case
of tiscali doesn't permit him to use the address, so he's got to cease using it.

I can indeed find out the mail servers which are being used to send
northumbrianpipers.org.uk e-mails and add them to my SPF records. That was
what I had thought of doing, but I wondered if there was a simpler way.

yup running a submission server to handle northumbrianpipers.org.uk or finding
a provider willing to host imap/pop + submission and moving mail there

I conclude that there is a real difficulty on the horizon as SPF rolls out.
Until now, I for one haven't really cared which smtp server I used for
outgoing mail. With multiple e-mail accounts, I have simply used the smtp
server over which I have most control.

this isn't just an spf issue, it's way worse for DKIM and other protocol users
it's simply a long time since providers allowing "any" address outbound from
their IPs via their relay was unscalable
{in the past it was presumed that their dialup/dsl/wifi customers would be
advised/disconnected/fixed within a reasonable time of their bot-infested
machine sending forged-from spam out via those relays}
this has long ago proved impossible {most ISPs have no way of even contacting
or determining their own users from the connecting ip}

so back in 1998 the solution was proposed and largely became standard that
outgoing clients connect to/send via an authenticated submission server on port
587 {usually with tls}, so that spam can be traced to ID that can be traced to
at least one valid address to report problem to, disconnect id etc.
so the mean time between abuse report and abuse cessation gets shorter

the side benefits of this mode are
A most ISPs can block all outgoing port 25 from all non-mailservers with zero
negative impact
B domains providing/using submission can implement strict SPF and DKIM policies
C ISPs like ourselves can implement stricter checks on smtp submissions
{such as correct ID/PASSWD only functions from the ip ranges the user
specifies,
to limit potential ID theft [many bots now take auth details and share them
with the botnet]
{they can specify 0.0.0.0/0} but most limit it to their work/home providers
also correct ID/Pass only allows the user to set envelope-sender to their
pre-set list of addresses
any correct id/pass from disallowed ip-space or incorrect
envelope-sender-addresses causes a notification to user and admin,
if user doesn't respond by changing their {potentially stolen} password or
updating their ip/envelope filters,
or contacting the admin to explain, the submission privileges of the
account get yanked
{as always logging into the pop/imap and password/spamfilters/and submission
ip/envelope filters admin site is still working}

I now find that both the e-mail programs I use, Thunderbird and Pegasus now
change their SMTP settings with identity

yup because clients have largely supported this model since the start

and I am just trying to get a working outlook express to see how that works
(sigh!)

it's the only one that was slow to adopt tls support
so for years people used to offer 587 smtp-submission+tls
and 467 smtp-submission-with always on ssl {for old outlooks}
but few feel the need to continue supporting these old outlooks now there are
versions available that work with TLS

Thanks a lot
Barry
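
The submission-server checks described in the reply above (credentials honoured only from user-specified IP ranges, envelope-sender limited to a pre-set list, notification on violation, privileges pulled if nobody responds), sketched as an added example that is not part of the original message or any provider's code. The `Account` class, the function names, the reject strings and the sample addresses are all hypothetical, and rejecting the offending submission outright is an assumption.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Account:
    allowed_nets: list            # CIDR ranges the user specified
    allowed_senders: set          # pre-set envelope-senders, stored lowercase
    submission_enabled: bool = True
    alerts: list = field(default_factory=list)  # unanswered notifications

def check_submission(acct, client_ip, envelope_sender):
    """Decide on a submission whose ID/password already verified correctly."""
    if not acct.submission_enabled:
        return "reject: submission privileges revoked"
    ip = ipaddress.ip_address(client_ip)
    ip_ok = any(ip in ipaddress.ip_network(n) for n in acct.allowed_nets)
    sender_ok = envelope_sender.lower() in acct.allowed_senders
    if ip_ok and sender_ok:
        return "accept"
    reason = "disallowed ip-space" if not ip_ok else "disallowed envelope-sender"
    # Correct credentials used outside the filters: record a notification
    # for user and admin (delivery of the notice is out of scope here).
    acct.alerts.append((client_ip, envelope_sender, reason))
    return "reject: " + reason

def user_responded(acct, nets=None, senders=None):
    """User changed the password and/or updated the filters: clear alerts."""
    if nets is not None:
        acct.allowed_nets = nets
    if senders is not None:
        acct.allowed_senders = senders
    acct.alerts.clear()

def grace_period_expired(acct):
    """No response to the notification: yank submission privileges."""
    if acct.alerts:
        acct.submission_enabled = False
    return acct.submission_enabled

if __name__ == "__main__":
    # Constructed sample account and addresses (documentation ranges).
    acct = Account(["192.0.2.0/24"], {"piper@example.org"})
    print(check_submission(acct, "192.0.2.10", "piper@example.org"))
    print(check_submission(acct, "203.0.113.7", "piper@example.org"))
    print(grace_period_expired(acct))
    print(check_submission(acct, "192.0.2.10", "piper@example.org"))
```
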
-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com