Re: [mailop] International Fix-Your-SPF day
Looking at the last 8 days, I see about 1.5% of minor (or larger) spf pra's we've evaluated had an error (pra's with errors / pra's with a pass), which includes DNS errors, bogus mechanisms, timeouts, etc. That does rise to 7% if you include all senders, but those are some pretty small fry.

I make no claims as to whether our handling is rigorous or not, and due to the evaluation order in spf, evaluating for a particular ip may pass before the error in the record is encountered.

Without a DMARC p=reject, it is unlikely we would ever reject based on bogus spf records, however.

Brandon

On Tue, May 16, 2017 at 2:07 PM, Renaud Allard via mailop wrote:

> On 16/05/17 22:12, D'Arcy Cain wrote:
>
>> On 2017-05-16 03:35 PM, Laura Atkins wrote:
>>
>>> Because in large, international corporations there are processes.
>>>
>>> I worked with a bank a few years ago looking at authentication. It took
>>> an inconceivable amount of time just to identify which country IT group
>>> held the authoritative records for rDNS and who needed to approve
>>> changes. Because, no, you don’t want some J. Random Person authorizing
>>> DNS changes.
>>>
>>> “A Day” is just not going to happen in the real world. Even just for
>>> banks.
>>
>> It doesn't have to happen for banks. All it takes is for some bank
>> president to not be able to email a client to get questions asked. We just
>> need a significant number of addresses blocked due to incompetent
>> administration.
>
> Actually, all it needs is a big freemail provider like gmail to start
> blocking on bad DNS info and banks will get it mostly right within the next
> 24/48 hours.

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
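The evaluation-order effect described in the message above, as an added example that is not part of the thread and not any provider's actual code. It assumes a constructed `ZONE` table in place of DNS, documentation-range addresses, and only the `ip4`, `include` and `all` mechanisms; the depth limit of 10 is a stand-in for the SPF lookup limit.

```python
import ipaddress

# Constructed TXT data standing in for DNS; documentation domains and addresses only.
ZONE = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 include:gone.example "
                    "ip4:198.51.100.0/24 -all",   # gone.example publishes no SPF
    "ok.example": "v=spf1 ip4:203.0.113.0/24 include:esp.example -all",
    "esp.example": "v=spf1 ip4:198.51.100.0/24 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse(record):
    """Return [(result, mechanism, argument)], or None on a syntax error."""
    terms = []
    for term in record.split()[1:]:
        result = QUALIFIERS.get(term[0])
        name, _, arg = (term[1:] if result else term).partition(":")
        try:
            if name == "ip4":
                arg = ipaddress.ip_network(arg, strict=False)
            elif name not in ("include", "all"):
                return None
        except ValueError:
            return None
        terms.append((result or "pass", name, arg))
    return terms


def check_host(ip, domain, depth=0):
    """Evaluate terms left to right and stop at the first one that matches."""
    record = ZONE.get(domain)
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none"
    terms = parse(record)
    if terms is None or depth > 10:
        return "permerror"          # syntax errors are caught before evaluation
    addr = ipaddress.ip_address(ip)
    for result, name, arg in terms:
        if name == "all" or (name == "ip4" and addr in arg):
            return result
        if name == "include":
            inner = check_host(ip, arg, depth + 1)
            if inner == "none":     # included domain has no SPF record
                return "permerror"
            if inner in ("permerror", "temperror"):
                return inner
            if inner == "pass":
                return result
    return "neutral"
```

For `bank.example`, a sender in 192.0.2.0/24 passes without the broken include ever being looked up, while a sender in 198.51.100.0/24, which a later term would authorise, gets `permerror` rather than `pass` or `fail`.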
Re: [mailop] International Fix-Your-SPF day
On 16/05/17 22:12, D'Arcy Cain wrote:
> On 2017-05-16 03:35 PM, Laura Atkins wrote:
>> Because in large, international corporations there are processes.
>>
>> I worked with a bank a few years ago looking at authentication. It took
>> an inconceivable amount of time just to identify which country IT group
>> held the authoritative records for rDNS and who needed to approve
>> changes. Because, no, you don’t want some J. Random Person authorizing
>> DNS changes.
>>
>> “A Day” is just not going to happen in the real world. Even just for
>> banks.
>
> It doesn't have to happen for banks. All it takes is for some bank
> president to not be able to email a client to get questions asked. We just
> need a significant number of addresses blocked due to incompetent
> administration.

Actually, all it needs is a big freemail provider like gmail to start blocking on bad DNS info and banks will get it mostly right within the next 24/48 hours.
Re: [mailop] International Fix-Your-SPF day
On 2017-05-16 03:35 PM, Laura Atkins wrote:
> Because in large, international corporations there are processes.
>
> I worked with a bank a few years ago looking at authentication. It took
> an inconceivable amount of time just to identify which country IT group
> held the authoritative records for rDNS and who needed to approve
> changes. Because, no, you don’t want some J. Random Person authorizing
> DNS changes.
>
> “A Day” is just not going to happen in the real world. Even just for
> banks.

It doesn't have to happen for banks. All it takes is for some bank president to not be able to email a client to get questions asked. We just need a significant number of addresses blocked due to incompetent administration.

--
D'Arcy J.M. Cain
System Administrator, Vex.Net
http://www.Vex.Net/ IM:da...@vex.net
VoIP: sip:da...@vex.net
Re: [mailop] International Fix-Your-SPF day
> On May 16, 2017, at 12:26 PM, Michael Peddemors wrote:
>
> On 17-05-16 12:14 PM, Andreas Schamanek wrote:
>> On Tue, 16 May 2017, at 13:05, Vick Khera wrote:
>>
>>> On Tue, May 16, 2017 at 12:11 PM, D'Arcy Cain wrote:
>>>> Heck, we may not even need to do it. Enough coverage and the threat may
>>>> get a bunch of them fixed anyway.
>>>
>>> hahahaha. you are very optimistic.
>>
>> Maybe, but I still love the idea of organizing an International
>> Fix-Your-SPF day.
>
> hehe... I would settle for a 'banks fix your SPF records day'.
>
> But in reality, we still can't get most people to even properly configure
> PTR/DNS records.. let alone SPF..

Because in large, international corporations there are processes.

I worked with a bank a few years ago looking at authentication. It took an inconceivable amount of time just to identify which country IT group held the authoritative records for rDNS and who needed to approve changes. Because, no, you don’t want some J. Random Person authorizing DNS changes.

“A Day” is just not going to happen in the real world. Even just for banks.

laura

--
Having an Email Crisis? 800 823-9674
Laura Atkins
Word to the Wise
la...@wordtothewise.com
(650) 437-0741
Email Delivery Blog: http://wordtothewise.com/blog
Re: [mailop] International Fix-Your-SPF day
On 17-05-16 12:14 PM, Andreas Schamanek wrote:
> On Tue, 16 May 2017, at 13:05, Vick Khera wrote:
>
>> On Tue, May 16, 2017 at 12:11 PM, D'Arcy Cain wrote:
>>> Heck, we may not even need to do it. Enough coverage and the threat may
>>> get a bunch of them fixed anyway.
>>
>> hahahaha. you are very optimistic.
>
> Maybe, but I still love the idea of organizing an International
> Fix-Your-SPF day.

hehe... I would settle for a 'banks fix your SPF records day'.

But in reality, we still can't get most people to even properly configure PTR/DNS records.. let alone SPF..

And of course, those people who don't even know the effects of DNS, eg firewalls that don't allow both TCP and UDP requests, creating REALLY long PTR record lists, that force fallback to TCP retry with its associated lag and overhead..

SPF records that are incredibly long.. (use inheritance if you need to) the use of weak SPF includes, which anyone can forge..

So, let's start slower..

'Fix your PTR record day'
'Block Port 25 day from residential networks day'
'Stop allowing open relay day'
'Stop forwarding email badly' (or at all ;)
'Monitor traffic on egress day' (Doesn't every modern router support this? and alarms?)

These are simpler fixes, and if they were just done, would make the internet a heck of a lot safer in a real hurry..

--
"Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
604-682-0300 Beautiful British Columbia, Canada
Re: [mailop] International Fix-Your-SPF day
On Tue, 16 May 2017, at 13:05, Vick Khera wrote:

> On Tue, May 16, 2017 at 12:11 PM, D'Arcy Cain wrote:
>
> > Heck, we may not even need to do it. Enough coverage and the threat may
> > get a bunch of them fixed anyway.
>
> hahahaha. you are very optimistic.

Maybe, but I still love the idea of organizing an International Fix-Your-SPF day.

--
-- Andreas :-)
Re: [mailop] International Fix-Your-SPF day
On Tue, May 16, 2017 at 12:11 PM, D'Arcy Cain wrote:

> Heck, we may not even need to do it. Enough coverage and the threat may
> get a bunch of them fixed anyway.

hahahaha. you are very optimistic.
Re: [mailop] International Fix-Your-SPF day
On 2017-05-16 09:42 AM, Vladimir Dubrovin via mailop wrote:
> According to the standard, invalid SPF record results in spf=permerror,
> not in spf=fail. It's up to you to reject the message in this case, but
> it's definitely not what system administrator of the sending system told
> you.

Maybe but the problem is that he is trying to tell us something but it is getting garbled and we have to guess what he wants. Sounds like "undefined behaviour". It's allowed to make monkeys fly out of his nose as we used to say.

I don't know how big this mailing list is but I wonder if it is big enough for us to declare a Fix-Your-SPF day. Pick a day and everyone (or close enough) changes their configs to bounce PermError for 24 hours. We could announce it ahead of time. We could even create a press release that everyone can send to their local media.

Heck, we may not even need to do it. Enough coverage and the threat may get a bunch of them fixed anyway.

--
D'Arcy J.M. Cain
System Administrator, Vex.Net
http://www.Vex.Net/ IM:da...@vex.net
VoIP: sip:da...@vex.net