spf-discuss

Re: [spf-discuss] SPFv3 proposal: rawfail result

2011-02-06 02:44:16
On Sat, 5 Feb 2011, Stuart D. Gathman wrote:
> The whitelisting is robust for most alias forwarders when you whitelist the
> forwarder domain, and use SPF or best guess to identify mail from the
> forwarder.  When attempting to explain this before, I called it
> a "pretend" MAIL FROM.  The algorithm in its simple form goes like this:

That doesn't help with the scenario that worries me:

A user subscribes to ISP A for some time, but then switches to ISP B.
ISP A graciously sets up a forward from his old mailbox to his new one at
ISP B (this is also the situation where the forwarder is least motivated
to try something like SRS).

ISP B and the user are quite hip mail-security wise, so they arrange a
whitelisting for the servers ISP A has been using for the handoff, and
then enable reject-on-SPF-fail for other cases.

Then ISP C buys out ISP A, and consolidates mail handling at one data
center.  The forwards now come from a different IP, different rDNS domain,
and different HELO.  The whitelisting breaks.

(And then users at ISP D notice they can't mail to the forwarded mailbox,
and lobby ISP D to use "?all" instead of "-all" to work around the
problem...)

The only cure for this problem is for ISP A and ISP B to agree on how the
whitelisting is to be done.  Then ISP A will ensure that whatever indicia
are being used remain stable, or at the very least warn ISP B before
changing the handoff server.

Aside from the above scenario, merely temporarily disabling SPF to let a
few forwards through, observing the IP address, hostname and HELO, and
then whitelisting whatever seems most stable should work well enough.

---- Michael Deutschmann <michael(_at_)talamasca(_dot_)ocis(_dot_)net>
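
Added example, not part of the original message: one way to carry out the "observe the IP address, hostname and HELO, then whitelist whatever seems most stable" step, followed by the hand-off move that breaks the rule. All hostnames, addresses and function names are constructed for illustration, and the two-label domain guess is an assumption.

```python
from collections import Counter

# Constructed sample: deliveries logged for the forwarded mailbox while SPF
# rejection was temporarily disabled. "rdns" is assumed to be forward-confirmed;
# "helo" is whatever the sending server announced.
OBSERVED = [
    {"ip": "192.0.2.10", "rdns": "out1.mail.isp-a.example", "helo": "out1.mail.isp-a.example"},
    {"ip": "192.0.2.11", "rdns": "out2.mail.isp-a.example", "helo": "out2.mail.isp-a.example"},
    {"ip": "192.0.2.10", "rdns": "out1.mail.isp-a.example", "helo": "out1.mail.isp-a.example"},
    {"ip": "192.0.2.12", "rdns": "out3.mail.isp-a.example", "helo": "mail.isp-a.example"},
]
# Constructed: the same forward after the hand-off server changes (the ISP C case).
AFTER_MOVE = {"ip": "198.51.100.7", "rdns": "mx-out.isp-c.example", "helo": "mx-out.isp-c.example"}

def org_domain(host):
    """Naive registered-domain guess: last two labels (assumption; real
    deployments need a public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def indicia(delivery):
    """Candidate whitelist keys for one delivery."""
    return {
        "ip": delivery["ip"],
        "rdns_domain": org_domain(delivery["rdns"]),
        "helo_domain": org_domain(delivery["helo"]),
    }

def most_stable(observations):
    """Return (indicator, value, coverage) for the indicator whose single most
    common value covers the largest share of the observed deliveries."""
    best = None
    for name in ("rdns_domain", "helo_domain", "ip"):  # tie-break order is an assumption
        counts = Counter(indicia(d)[name] for d in observations)
        value, hits = counts.most_common(1)[0]
        coverage = hits / len(observations)
        if best is None or coverage > best[2]:
            best = (name, value, coverage)
    return best

def whitelisted(delivery, rule):
    """True if the delivery matches the chosen (indicator, value) rule;
    anything else falls through to normal SPF handling."""
    name, value, _ = rule
    return indicia(delivery)[name] == value

RULE = most_stable(OBSERVED)
```
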

