Hi Stuart,
Thanks for your explanation - although I'm not convinced about the
reasoning.
If Google and Yahoo just allow email from invalid domains because there are
too many incorrectly configured sender mail servers, wouldn't the same
argument mean they also just ignore SPF because there are so many
incorrectly configured SPF records? From the evidence I've seen they do
check SPF records for real domains but just let fake domains through without
even marking them as spam.
If all mail servers did the sensible thing as mentioned here:
http://www.openspf.org/FAQ/Blocking_spam, and all domains had SPF records,
spammers would indeed have a hard time. The fact that Google and Yahoo allow
fake domains through really makes SPF completely impotent as a weapon to
fight spam. In the cartoon guide (http://old.openspf.org/aspen.html) this
would be represented by a huge bell curve called "fake domains" that dwarfs
the other two and is a free ticket to spammers.
The fundamental question I'm trying to get at is:
Should I bother setting up and maintaining SPF records if my domains are not
currently suffering from any forged identity problems? I would do it happily
if it contributed to the internet community's fight against spam, but unless
major email service providers close the fake domain loophole, there doesn't
seem to be any point.
Cheers
Martin
----- Original Message -----
From: "Stuart D. Gathman" <stuart(_at_)bmsi(_dot_)com>
To: <spf-discuss(_at_)listbox(_dot_)com>
Sent: Thursday, February 10, 2011 12:31 PM
Subject: Re: [spf-discuss] Yahoo mail and Gmail policy explanation?
On Thu, 10 Feb 2011, Martin Jericho wrote:
> Neither yahoo mail nor gmail seem to reject incoming mail if there is no DNS
> record at all for the envelope sender address, allowing spammers to just use
> completely fake domains.
> Does anyone know why they might choose to have that policy? Is there any
> legitimate reason for allowing incoming mail from a fake domain? It doesn't
> even get blocked when you turn on the spam filter!
Believe it or not, there are countless clueless, but otherwise "legitimate"
senders who can't get basic things like HELO or MAIL FROM right (much
less SPF). Our customers get such mail rejected from their customers every
month or so. We immediately search the logs, find what brainless thing their
customer is doing, attempt to send mail to postmaster (which usually fails,
because they are after all clueless), and add a special "whitelist" (like
"accept mail from invalid domain email-clueless.com" and hope spammers don't
use it).
Free email outfits like yahoo or gmail simply can't afford to offer this
kind of email tech support. Their system has to be entirely self-serve.
Statistically routing mail to a "spam" folder is something end users
can handle on their own when it doesn't do what they want. Diagnosing
what idiotic thing this particular sender did, and constructing
a complex whitelist to work around it is not something end users can
handle.
It is *not* as simple as "whitelist this email" when the domain is invalid
or forged.
If there was a particular email, then a "Whitelist" button could run
heuristics to identify common sender problems and apply standard
workarounds.
But if there was an email, then our customer would not be complaining!
The first problem is *finding* what random invalid domain the stupid
sender is trying to use in the log. In the case of my church, for instance,
they simply had a typo in their MTA config for the MAIL FROM (and
they rewrote the MAIL FROM of all client submissions with the wrong domain).
If people would just send a test email to something like
spf-test(_at_)openspf(_dot_)org after configuring their server, things would
be so much easier.
It would also be nice if they tested their SPF record on openspf.org
before publishing it.
--
Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/735/=now
Powered by Listbox: http://www.listbox.com
-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/
[http://www.listbox.com/member/]
Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/2183229-668e5d0d
Modify Your Subscription:
https://www.listbox.com/member/?member_id=2183229&id_secret=2183229-a7234b15
Unsubscribe Now:
https://www.listbox.com/unsubscribe/?member_id=2183229&id_secret=2183229-98aa0fe6&post_id=20110210003411:626FF0A4-34D7-11E0-8032-CB15B0C564E0
Powered by Listbox: http://www.listbox.com
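The two checks the thread keeps circling, as an added example that is not code from the list, from openspf.org or from Stuart: a receiving MTA that first rejects a MAIL FROM domain with no MX or A record (the "fake domain" case Martin says Yahoo and Gmail let through, and the first step in the openspf.org Blocking_spam FAQ), then evaluates the domain's SPF record against the connecting IP, plus a pre-publication lint for the kind of record mistakes Stuart describes. DNS answers come from a constructed in-memory table, so it runs offline; example.com, _spf.partner.example, twospf.example, nospf.example and every address in it are made up, and email-clueless.com from the quoted message is deliberately given no records at all. Real code would query a resolver instead of the table.

```python
"""Receiving-side sender checks from the spf-discuss thread: does the MAIL FROM
domain exist at all, what does its SPF record say about the connecting IP, and
is the record sane before it is published.  Added example with constructed DNS."""
import ipaddress

# Constructed zone data standing in for a resolver: (name, type) -> records.
FAKE_DNS = {
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["192.0.2.10"],
    ("example.com", "TXT"): ["v=spf1 mx ip4:198.51.100.0/24 include:_spf.partner.example -all"],
    ("_spf.partner.example", "TXT"): ["v=spf1 ip4:203.0.113.0/24 -all"],
    ("nospf.example", "A"): ["192.0.2.30"],            # resolves, publishes no SPF
    ("twospf.example", "A"): ["192.0.2.20"],           # "clueless sender": two SPF records
    ("twospf.example", "TXT"): ["v=spf1 a -all", "v=spf1 mx ~all"],
}
LOOKUP_MECHS = {"a", "mx", "include", "ptr", "exists"}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rrtype):
    return FAKE_DNS.get((name.lower(), rrtype), [])

def domain_exists(domain):
    """A usable MAIL FROM domain (RFC 5321 sense) has an MX or A record."""
    return bool(lookup(domain, "MX") or lookup(domain, "A"))

def spf_record(domain):
    """The domain's single SPF record; None if absent; ValueError if more than one."""
    recs = [r for r in lookup(domain, "TXT") if r.lower().split()[:1] == ["v=spf1"]]
    if len(recs) > 1:
        raise ValueError("multiple SPF records")
    return recs[0] if recs else None

def check_spf(domain, client_ip, lookups=None):
    """Minimal check_host(): qualifiers + - ~ ?, mechanisms all/ip4/ip6/a/mx/include.
    Returns pass, fail, softfail, neutral, none or permerror."""
    lookups = [0] if lookups is None else lookups      # DNS-lookup counter shared with includes
    ip = ipaddress.ip_address(client_ip)
    try:
        rec = spf_record(domain)
    except ValueError:
        return "permerror"
    if rec is None:
        return "none"
    for term in rec.split()[1:]:
        qual = "+"
        if term[0] in RESULT:
            qual, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        target = arg or domain
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech in ("a", "mx", "include"):
            lookups[0] += 1
            if lookups[0] > 10:                        # RFC 4408 section 10.1 limit
                return "permerror"
            if mech == "a":
                matched = any(ip == ipaddress.ip_address(a) for a in lookup(target, "A"))
            elif mech == "mx":
                matched = any(ip == ipaddress.ip_address(a)
                              for mx in lookup(target, "MX") for a in lookup(mx, "A"))
            else:
                sub = check_spf(target, client_ip, lookups)
                if sub in ("none", "permerror"):       # including a broken record is a permerror
                    return "permerror"
                matched = sub == "pass"
        else:
            return "permerror"                         # unknown mechanism
        if matched:
            return RESULT[qual]
    return "neutral"                                   # fell off the end: no 'all'

def mail_from_policy(sender, client_ip):
    """What the FAQ's 'sensible' MTA does at MAIL FROM time."""
    domain = sender.rpartition("@")[2]
    if not domain_exists(domain):
        return "reject: 550 sender domain does not resolve"
    result = check_spf(domain, client_ip)
    if result == "fail":
        return "reject: 550 SPF fail"
    return "accept (spf=%s)" % result

def lint_spf(record):
    """Pre-publication checks for the record mistakes the thread complains about."""
    terms = record.split()
    if terms[:1] != ["v=spf1"]:
        return ["record must start with v=spf1"]
    mechs = [t.lstrip("+-~?").partition(":")[0].partition("=")[0].lower() for t in terms[1:]]
    problems = []
    if "all" not in mechs and "redirect" not in mechs:
        problems.append("no 'all' or redirect=, record is open-ended")
    if "all" in mechs and mechs.index("all") != len(mechs) - 1:
        problems.append("terms after 'all' are never evaluated")
    n = sum(1 for m in mechs if m in LOOKUP_MECHS or m == "redirect")
    if n > 10:
        problems.append("%d DNS-lookup terms, limit is 10" % n)
    return problems
```

Against the constructed table, a connection from 192.0.2.10 claiming bob@example.com passes through the mx mechanism, 203.0.113.7 passes through the include, 192.0.2.99 reaches -all and is rejected, and any address at email-clueless.com is rejected at the domain-existence step before SPF is consulted at all. twospf.example shows why Stuart's "test your record before publishing" matters: two v=spf1 TXT records give permerror, so the domain gets no SPF protection even though its owner thought it was covered.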