AW: AW: SPF Configurations

[Andre Engel]

John,

 -Ursprüngliche Nachricht-
 Von: John R. Levine [mailto:jo...@iecc.com]
 Gesendet: Samstag, 5. Dezember 2009 01:54
 An: Andre Engel
 Cc: nanog@nanog.org
 Betreff: Re: AW: SPF Configurations
 
  Right.  The only major mail system that pays attention to SPF is
  Hotmail, but there are enough small poorly run MTAs that use it that
  an SPF record which lists your outbounds and ~all (not -all) can be
  marginally useful to avoid bogus rejections of your mail.
 
  For example :
  [ various large ISPs that publish SPF ]
 
 Perhaps this is a language problem.  In English, publishes is not a
 synonym for pays attention to.  As I said, you need to publish SPF
 to get mail into Hotmail.  That's why people do it.

As I said im almost german :-)
  
Some major providers ,11 for example, assigned their customers the
responsibility to pay attention on SPF for getting mails into their
boxes.(decision between suspicious or not)   

  I know there is a problem so far with forwarded emails but there is
 also a
  solution :
  [ hoary SRS proposal to change every SMTP server in the world to make
 them
  match what SPF does ]
 
 Sigh.

I do not want to change every SMTP servers in the world. I just gonna show
an useful option .-)

  Every time a mail arrives that is an SRS address the password and
 timestamp
  could be checked, and faked or outdated recipients could be rejected.
 
 You might want to look at BATV, which has nothing to do with SPF, but
 I have found is quite useful for recognizing spam blowback.


Sure ! For instance If your are providing an mail cluster for your customer
bills, a newsletter server or a cooperated
mail cluster and you know that you are sending emails only to receivers
email boxes BATV is indeed a awesome tool.
 
But if you are performing a shared mail cluster for your webhosting or your
Dial in customers which are using for instance some special kinds of mailing
lists maybe you need a additional solution.

From a reputation perspective Id like the idea to combine a set of anti spam
tools if it is useful.
Indeed MAAWG is not the badest place to learn about.


 R's,
 John
 
 PS:
 
  This message (including any attachments) is the property of FHE3 and
 may
  contain confidential or privileged information. Unauthorized use of
 this
  communication is strictly prohibited and may be unlawful. If you have
  received this communication in error, please immediately notify the
 sender
  by reply e-mail and destroy all copies of the communication and any
  attachments.
 
 Our policy is to send messages with confidentiality notices to all of
 your competitors.

Sure! Im here to learn *** .-)


Cheers

Andre 



 --
Andre Engel

Consulting Program Director, 
Email and Cyber Intelligence Services..no space left on the
device/Kein Weltraum links auf dem Gerät


FHE3 GmbHP: +49 721 869  5907
Scheffelstr. 17a M: +49 160 962 44476 
76135 Karlsruhe


andre.en...@fhe3.com
http://www.fhe3.com/

Amtsgericht Mannheim, HRB 702495
Umsatzsteuer-Ident: DE254677931
Geschäftsführer: Peter Eisenhauer, Michael Feger, Dimitrij Hilt

***
This email is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE ,...

AW: SPF Configurations

[Andre Engel]

Every time a mail arrives that is an SRS address the password and timestamp
could be checked, and faked or outdated recipients could be rejected.

If you asked around drawbacks your right :

SRS generates very long localparts. Mail servers should according to the RFC
accept local parts with at least 63 characters. Most mail servers accept
longer local parts, but unfortunately some won't. For those rare cases it is
possible to configure a list of mail servers for which SRS won't be
accomplished.

 For rants about how badly the world and/or SPF stink, followups to
 Spam-L.  For proposals about other anti-spam magic bullets, followups
 to ASRG.

Indeed Spam-L is the best place to talk about anti-spam . Indeed CII is the
best place to talk about critical infrastructures ,indeed nanog is the best
place to talk about networkstuff but we are mostly operators looking for
a valuable , comfortable solution to protect and share information .

I do not really know if this will be a little off topic .


Cheers

Andre 



 --
Andre Engel

Consulting Program Director, 
Email and Cyber Intelligence Services..ehy my friend we seek
the Grail!



FHE3 GmbHP: +49 721 869  5907
Scheffelstr. 17a M: +49 160 962 44476 
76135 Karlsruhe


andre.en...@fhe3.com
http://www.fhe3.com/

Amtsgericht Mannheim, HRB 702495
Umsatzsteuer-Ident: DE254677931
Geschäftsführer: Peter Eisenhauer, Michael Feger, Dimitrij Hilt


This message (including any attachments) is the property of FHE3 and may
contain confidential or privileged information. Unauthorized use of this
communication is strictly prohibited and may be unlawful. If you have
received this communication in error, please immediately notify the sender
by reply e-mail and destroy all copies of the communication and any
attachments. 


 -Ursprüngliche Nachricht-
 Von: John Levine [mailto:jo...@iecc.com]
 Gesendet: Freitag, 4. Dezember 2009 18:25
 An: nanog@nanog.org
 Betreff: Re: SPF Configurations
 
  If the customer insist on using their domain, then you would have to
 have
  the customer setup an SPF record within their domain that points to
 your
  email server IP blocks.
 
 Right.  The only major mail system that pays attention to SPF is
 Hotmail, but there are enough small poorly run MTAs that use it that
 an SPF record which lists your outbounds and ~all (not -all) can be
 marginally useful to avoid bogus rejections of your mail.

 As everyone here should already know, the fundamental problem with SPF
 is that although it does an OK job of describing the mail sending
 patterns of dedicated bulk mail systems, it can't model the way that
 normal mail systems with human users work.  But so deep is the faith
 of the SPF cult that they blame the world for not matching SPF rather
 than the other way around, believing that it prevent forgery, having
 redefined forgery as whatever it is that SPF prevents.  As the
 operator of one of the world's more heavily forged domains (abuse.net)
 I can report that if you think it prevents forgery blowback, you are
 mistaken.
 




 For rants about how badly the world and/or SPF stink, followups to
 Spam-L.  For proposals about other anti-spam magic bullets, followups
 to ASRG.
 
 R's,
 John
 
 

Re: ATT SMTP Admin contact?

[Andre Engel]

 -Ursprüngliche Nachricht-
 Von: Chris Owen [mailto:ow...@hubris.net]
 Gesendet: Donnerstag, 3. Dezember 2009 07:25
 An: NANOG list
 Betreff: Re: ATT SMTP Admin contact?
 
 On Dec 2, 2009, at 9:52 PM, valdis.kletni...@vt.edu wrote:
 
  It only stops forgery if the SPF record has a -all in it (as
 hubris.net does).
  However, a lot of domains (mine included) have a ~all instead.
 
 I guess I've never really seen the point of publishing a SPF record if
 it ends in ~all.  What are people supposed to do with that info?

For instance some ISPs or Freemail providers give their customers the
possibility to use SPF as a value added service to decide if senders
domain should be dropped in theirs suspicious-folders or not .

I also learned that SPF is qualified for senders reputation :
http://www.ceas.cc/2006/19.pdf
  
 Spamassassin assigns it a score of 0.6 but that is low enough it really
 doesn't have much since it doesn't assign any negative points for
 SPF_PASS.
  (And before anybody asks, yes ~all is what we want, and no you can't
 ask us
  to try -all instead, unless we're allowed to send you all the
 helpdesk calls
  about misconfigured migratory laptops.. ;)
 I certainly understand that you may not be able to lock down your
 domain.  We don't even try for customers for instance.However, if
 you can't, I guess I don't really see what good publishing a SPF record
 is if you tell people not to enforce it.


MAAWG published a document around : Trust in Email begins with
Authentication

http://www.maawg.org/about/publishedDocuments/MAAWG_Email_Authentication_Pap
er_2008-07.pdf
 
 Chris
 
 ---
 --
 Chris Owen - Garden City (620) 275-1900 -  Lottery (noun):
 President  - Wichita (316) 858-3000 -A stupidity tax
 Hubris Communications Inc  www.hubris.net
 ---
 --
 


Cheers

Andre 



 --
Andre Engel

Consulting Program Director, 
Email and Cyber Intelligence Services..no ghost just a shell



FHE3 GmbHP: +49 721 869  5907
Scheffelstr. 17a M: +49 160 962 44476 
76135 Karlsruhe


andre.en...@fhe3.com
http://www.fhe3.com/

Amtsgericht Mannheim, HRB 702495
Umsatzsteuer-Ident: DE254677931
Geschäftsführer: Peter Eisenhauer, Michael Feger, Dimitrij Hilt


This message (including any attachments) is the property of FHE3 and may
contain confidential or privileged information. Unauthorized use of this
communication is strictly prohibited and may be unlawful. If you have
received this communication in error, please immediately notify the sender
by reply e-mail and destroy all copies of the communication and any
attachments.