Re: [mailop] Speaking of too many SPF, Many SPF failures lately
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On Thu, 2017-05-18 at 08:53 -0700, Luis E. Munoz wrote: > It looks not bad, successive lookups to 3 parts.. and they all look > > good. Don't like this part of course.. include:sharepointonline.com > > > > ip4:52.104.0.0/14 > Right there! Anyone hosting mail on office 365 will probably have an spf that includes spf.protection.outlook.com which lists 40.92.0.0/14 -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.14 (GNU/Linux) iEYEAREKAAYFAlkegYgACgkQL6j7milTFsHqswCfSSytyvttuYojwPm77UljS+GO nEkAnAx0oXARTZUSwAEJdOq34We8Qw1o =4juJ -END PGP SIGNATURE- ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] Speaking of too many SPF, Many SPF failures lately
We've seen "v=spf1 +all" for example. On the other hand, what are you supposed to do with this from a prominent tech company: "v=spf1 ip4:17.0.0.0/8 -all" So, "it's complicated" Brandon On Thu, May 18, 2017 at 6:47 PM, Ángel wrote: > The question is, when does a large range start being "too large"? > > Because otherwise, every org will start weighting at a different point. > And the worst part of this is that there are good reasons to add those > includes, to begin with (and little margin to have the upstream reducing > them). > > > ___ > mailop mailing list > mailop@mailop.org > https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop > ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] Speaking of too many SPF, Many SPF failures lately
On 17-05-18 06:47 PM, Ángel wrote: The question is, when does a large range start being "too large"? Because otherwise, every org will start weighting at a different point. And the worst part of this is that there are good reasons to add those includes, to begin with (and little margin to have the upstream reducing them). How nice it is of you Angel to volunteer to update the RFC with a recommendation on this :) Maybe do a little research on the 'largest' email provider(s) and how many they think they could possibly need .. a kind of 'Best Practices for SPF'.. j/k of course.. I go back to working on getting ppl to conform to recommendations made over 10 years ago as 'Best Practices'. Or getting abuse@ responses when reporting networks that 'look' like belonging to a bank, that are hacked.. Or getting ColoCrossing and others to stop letting snowshoe spammers light up.. Or get ISP's to put proper PTR records in.. Or.. (yeah, getting jaded a little, thank god a 3 day weekend ahead, and golfing weather) Can we just turn off the internet for three days please? (Hoping for that Solar Flare) -- "Catch the Magic of Linux..." Michael Peddemors, President/CEO LinuxMagic Inc. Visit us at http://www.linuxmagic.com @linuxmagic A Wizard IT Company - For More Info http://www.wizard.ca "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd. 604-682-0300 Beautiful British Columbia, Canada This email and any electronic data contained are confidential and intended solely for the use of the individual or entity to which they are addressed. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company. ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] Speaking of too many SPF, Many SPF failures lately
The question is, when does a large range start being "too large"? Because otherwise, every org will start weighting at a different point. And the worst part of this is that there are good reasons to add those includes, to begin with (and little margin to have the upstream reducing them). ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] Speaking of too many SPF, Many SPF failures lately
On May 18, 2017 9:02 AM, "Luis E. Muñoz" wrote: On 17 May 2017, at 16:49, Michael Peddemors wrote: It looks not bad, successive lookups to 3 parts.. and they all look good. Don't like this part of course.. include:sharepointonline.com ip4:52.104.0.0/14 Right there! I've had thoughts about actually penalizing sites that list such vast amounts of IP space in their SPF records or perhaps just ignoring those large ranges in the SPF validation. I suppose it would be plagued with false positives, but if enough people did it, it would give some priority to actually think about your SMTP flows when setting up your SPF records. Yeah, we already ignore overly large ranges, don't recall at what level, but we definitely saw a bunch of exploits of wide ranges over a year ago. Brandon ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] Speaking of too many SPF, Many SPF failures lately
On Thu, 18 May 2017 08:53:37 -0700, "Luis E. Muñoz" said: > large ranges in the SPF validation. I suppose it would be plagued with > false positives, but if enough people did it, it would give some > priority to actually think about your SMTP flows when setting up your > SPF records. That sort of thinking may have worked 3 decades ago, when Sendmail 5.67 was the latest and greatest way to move e-mail around, and pretty much all the sysadmins on the network knew each other by reputation, and posting "Hey guys, I can't seem to get this working, what am I missing?" was guaranteed to get you useful help. However, I haven't seen much evidence that it's been a workable strategy anytime this century. In particular, it would require a number of 800 pound gorillas who are mostly centered around increasing the success percentage to voluntarily choose a course of action that would lower the percentage - and they'd be relying on the set of sysadmins who did the *least* thinking about their configuration to fix their stuff. Phrased differently - did anybody in school *ever* voluntarily choose to work on a project with the least clued and engaged student in the class, in hopes of improving their own grade on the project? pgpKpSNoaca12.pgp Description: PGP signature ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] Speaking of too many SPF, Many SPF failures lately
On 17 May 2017, at 16:49, Michael Peddemors wrote: It looks not bad, successive lookups to 3 parts.. and they all look good. Don't like this part of course.. include:sharepointonline.com ip4:52.104.0.0/14 Right there! I've had thoughts about actually penalizing sites that list such vast amounts of IP space in their SPF records or perhaps just ignoring those large ranges in the SPF validation. I suppose it would be plagued with false positives, but if enough people did it, it would give some priority to actually think about your SMTP flows when setting up your SPF records. Best regards -lem ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] Speaking of too many SPF, Many SPF failures lately
On Wed, May 17, 2017 at 4:16 PM, John Levine wrote: > In article mail.gmail.com> you write: > >_spf.google.com is 4 lookups in total). > > Do you know why? It'd be easy enough to glom them together into one > record. > I inherited it that way and never bothered to try and change it, so no. I was considering changing it to be just the IPs we actually use for sending, instead of the whole google netblock, keeps getting pushed down the list. Brandon ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] Speaking of too many SPF, Many SPF failures lately
On 17-05-17 04:16 PM, John Levine wrote: In article you write: _spf.google.com is 4 lookups in total). Do you know why? It'd be easy enough to glom them together into one record. It'd be more than 512 bytes but it is my impression that the number of DNS clients that support neither EDNS nor TCP queries is pretty small now. R's, John ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop 4 UDP lookups is faster than a fallback to tcp.. and retry isn't it? And sorry John, but in this business we STILL run into ppl who forget, and only allow UDP traffic on port 53 through their firewalls.. IMHO, I would rather see recursive lookups, and for many it is easier to maintain that way.. But, given the reported 'docusign' breach, a real example is nice.. host -t TXT docusign.com docusign.com descriptive text "v=spf1 ip4:65.221.8.13 ip4:65.221.8.29 ip4:65.221.12.128 ip4:65.221.12.148 ip4:192.237.158.85 ip4:23.253.182.234 include:_spfA.docusign.com include:_spfB.docusign.com include:_spfC.docusign.com include:sharepointonline.com -all" It looks not bad, successive lookups to 3 parts.. and they all look good. Don't like this part of course.. include:sharepointonline.com ip4:52.104.0.0/14 which chains down to of course.. ip4:40.108.128.0/17 ip4:104.146.128.0/17 ip4:104.146.0.0/19 and more.. And I see that more and more of a trend, company uses a 3rd party newsletter company which has all of Amazon AWS or Digital Ocean or Azure IP Space.. in the SPF record chain.. Not too hard for someone else to get some of the IP space and start spoofing.. Most people don't understand what the innocuous include means.. just that someone (3rd party) told them they had to add it to their SPF chain.. and someone in management said 'just do it', without realizing that it completely invalidated the protection afforded by SPF.. -- "Catch the Magic of Linux..." Michael Peddemors, President/CEO LinuxMagic Inc. Visit us at http://www.linuxmagic.com @linuxmagic A Wizard IT Company - For More Info http://www.wizard.ca "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd. 604-682-0300 Beautiful British Columbia, Canada This email and any electronic data contained are confidential and intended solely for the use of the individual or entity to which they are addressed. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company. ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] Speaking of too many SPF, Many SPF failures lately
In article you write: >_spf.google.com is 4 lookups in total). Do you know why? It'd be easy enough to glom them together into one record. It'd be more than 512 bytes but it is my impression that the number of DNS clients that support neither EDNS nor TCP queries is pretty small now. R's, John ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop