AW: AW: SPF Configurations
John,

-----Original Message-----
From: John R. Levine [mailto:jo...@iecc.com]
Sent: Saturday, 5 December 2009 01:54
To: Andre Engel
Cc: nanog@nanog.org
Subject: Re: AW: SPF Configurations

Right. The only major mail system that pays attention to SPF is Hotmail, but there are enough small poorly run MTAs that use it that an SPF record which lists your outbounds and ~all (not -all) can be marginally useful to avoid bogus rejections of your mail.

For example: [ various large ISPs that publish SPF ]

Perhaps this is a language problem. In English, publishes is not a synonym for pays attention to. As I said, you need to publish SPF to get mail into Hotmail. That's why people do it.

As I said, I'm almost German :-) Some major providers, 11 for example, assigned their customers the responsibility to pay attention to SPF for getting mail into their boxes (decision between suspicious or not).

I know there is a problem so far with forwarded emails but there is also a solution: [ hoary SRS proposal to change every SMTP server in the world to make them match what SPF does ]

Sigh.

I do not want to change every SMTP server in the world. I'm just gonna show a useful option .-)

Every time a mail arrives that is an SRS address the password and timestamp could be checked, and faked or outdated recipients could be rejected.

You might want to look at BATV, which has nothing to do with SPF, but I have found is quite useful for recognizing spam blowback.

Sure! For instance, if you are providing a mail cluster for your customer bills, a newsletter server or a cooperated mail cluster and you know that you are sending emails only to receivers' email boxes, BATV is indeed an awesome tool. But if you are performing a shared mail cluster for your webhosting or your dial-in customers who are using, for instance, some special kinds of mailing lists, maybe you need an additional solution. From a reputation perspective I'd like the idea to combine a set of anti-spam tools if it is useful.

Indeed MAAWG is not the worst place to learn about.

R's, John

PS: This message (including any attachments) is the property of FHE3 and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.

Our policy is to send messages with confidentiality notices to all of your competitors.

Sure! I'm here to learn *** .-)

Cheers
Andre

--
Andre Engel
Consulting Program Director, Email and Cyber Intelligence Services
..no space left on the device/Kein Weltraum links auf dem Gerät

FHE3 GmbH, P: +49 721 869 5907
Scheffelstr. 17a, M: +49 160 962 44476
76135 Karlsruhe, andre.en...@fhe3.com
http://www.fhe3.com/
Mannheim District Court, HRB 702495
VAT ID: DE254677931
Managing directors: Peter Eisenhauer, Michael Feger, Dimitrij Hilt

*** This email is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE, ...
AW: SPF Configurations
Every time a mail arrives that is an SRS address the password and timestamp could be checked, and faked or outdated recipients could be rejected.

If you asked about drawbacks, you're right: SRS generates very long local parts. Mail servers should, according to the RFC, accept local parts with at least 63 characters. Most mail servers accept longer local parts, but unfortunately some won't. For those rare cases it is possible to configure a list of mail servers for which SRS won't be accomplished.

For rants about how badly the world and/or SPF stink, followups to Spam-L. For proposals about other anti-spam magic bullets, followups to ASRG.

Indeed Spam-L is the best place to talk about anti-spam. Indeed CII is the best place to talk about critical infrastructures, indeed nanog is the best place to talk about network stuff, but we are mostly operators looking for a valuable, comfortable solution to protect and share information. I do not really know if this will be a little off topic.

Cheers
Andre

--
Andre Engel
Consulting Program Director, Email and Cyber Intelligence Services
..ehy my friend we seek the Grail!

-----Original Message-----
From: John Levine [mailto:jo...@iecc.com]
Sent: Friday, 4 December 2009 18:25
To: nanog@nanog.org
Subject: Re: SPF Configurations

If the customer insists on using their domain, then you would have to have the customer set up an SPF record within their domain that points to your email server IP blocks.

Right. The only major mail system that pays attention to SPF is Hotmail, but there are enough small poorly run MTAs that use it that an SPF record which lists your outbounds and ~all (not -all) can be marginally useful to avoid bogus rejections of your mail.

As everyone here should already know, the fundamental problem with SPF is that although it does an OK job of describing the mail sending patterns of dedicated bulk mail systems, it can't model the way that normal mail systems with human users work. But so deep is the faith of the SPF cult that they blame the world for not matching SPF rather than the other way around, believing that it prevents forgery, having redefined forgery as whatever it is that SPF prevents.

As the operator of one of the world's more heavily forged domains (abuse.net) I can report that if you think it prevents forgery blowback, you are mistaken.

For rants about how badly the world and/or SPF stink, followups to Spam-L. For proposals about other anti-spam magic bullets, followups to ASRG.

R's, John
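
The SRS check discussed in this thread (verify the keyed hash and the timestamp on a returning address, reject faked or outdated ones, and watch the local-part length), as an added example that is not part of any message above. It is a simplified sketch of the SRS0 address layout, not the reference SRS library; the secret, the 21-day window and the example hostnames are assumptions.

```python
import base64, hashlib, hmac

SECRET = b"constructed-demo-secret"  # assumption: the forwarder's private key
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
MAX_AGE_DAYS = 21                    # assumption: how long a bounce is accepted
MAX_LOCAL = 64                       # local-part limit in RFC 5321

def _stamp(day):
    """Two base32 characters encoding the day number modulo 1024."""
    day %= 1024
    return B32[day >> 5] + B32[day & 31]

def _tag(stamp, host, user):
    """Truncated HMAC binding timestamp, original domain and original user."""
    msg = "=".join((stamp, host, user)).lower().encode()
    mac = hmac.new(SECRET, msg, hashlib.sha1).digest()
    return base64.b64encode(mac).decode()[:4]

def srs_forward(sender, forwarder, day):
    """Rewrite the envelope sender so bounces return via the forwarder."""
    user, host = sender.rsplit("@", 1)
    stamp = _stamp(day)
    local = f"SRS0={_tag(stamp, host, user)}={stamp}={host}={user}"
    if len(local) > MAX_LOCAL:       # the long-local-part drawback
        raise ValueError("rewritten local part exceeds 64 characters")
    return f"{local}@{forwarder}"

def srs_reverse(rcpt, day):
    """Return (original_sender, verdict) for a bounce recipient."""
    local = rcpt.rsplit("@", 1)[0]
    if not local.upper().startswith("SRS0="):
        return None, "not-srs"
    parts = local[5:].split("=", 3)
    if len(parts) != 4 or len(parts[1]) != 2:
        return None, "malformed"
    tag, stamp, host, user = parts
    if not hmac.compare_digest(tag.encode(), _tag(stamp, host, user).encode()):
        return None, "bad-hash"      # forged or altered address
    hi, lo = (B32.find(c) for c in stamp.upper())
    if hi < 0 or lo < 0:
        return None, "malformed"
    if (day - (hi * 32 + lo)) % 1024 > MAX_AGE_DAYS:
        return None, "expired"       # outdated address
    return f"{user}@{host}", "ok"
```

`day` is the number of days since the Unix epoch; passing it in explicitly keeps the check deterministic for testing.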
Re: ATT SMTP Admin contact?
-----Original Message-----
From: Chris Owen [mailto:ow...@hubris.net]
Sent: Thursday, 3 December 2009 07:25
To: NANOG list
Subject: Re: ATT SMTP Admin contact?

On Dec 2, 2009, at 9:52 PM, valdis.kletni...@vt.edu wrote:

It only stops forgery if the SPF record has a -all in it (as hubris.net does). However, a lot of domains (mine included) have a ~all instead.

I guess I've never really seen the point of publishing an SPF record if it ends in ~all. What are people supposed to do with that info?

For instance, some ISPs or freemail providers give their customers the possibility to use SPF as a value-added service to decide if the sender's domain should be dropped in their suspicious folders or not. I also learned that SPF is qualified for sender's reputation: http://www.ceas.cc/2006/19.pdf

Spamassassin assigns it a score of 0.6 but that is low enough it really doesn't have much since it doesn't assign any negative points for SPF_PASS.

(And before anybody asks, yes ~all is what we want, and no you can't ask us to try -all instead, unless we're allowed to send you all the helpdesk calls about misconfigured migratory laptops.. ;)

I certainly understand that you may not be able to lock down your domain. We don't even try for customers for instance. However, if you can't, I guess I don't really see what good publishing an SPF record is if you tell people not to enforce it.

MAAWG published a document on this: Trust in Email begins with Authentication
http://www.maawg.org/about/publishedDocuments/MAAWG_Email_Authentication_Paper_2008-07.pdf

Chris

--
Chris Owen - Garden City (620) 275-1900 - Lottery (noun):
President - Wichita (316) 858-3000 - A stupidity tax
Hubris Communications Inc www.hubris.net
--

Cheers
Andre

--
Andre Engel
Consulting Program Director, Email and Cyber Intelligence Services
..no ghost just a shell
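
What a receiver can do with ~all versus -all, as an added example that is not part of any message above. The evaluator handles only the `ip4`, `ip6` and `all` mechanisms (anything needing DNS is rejected as unsupported), and the records, addresses and the `disposition` policy are constructed assumptions modelled on the "suspicious folder" handling mentioned in the thread.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(record, client_ip):
    """Evaluate an SPF record against the connecting IP (ip4/ip6/all only)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                          # no usable SPF record
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                        # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]       # ~all -> softfail, -all -> fail
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
            continue
        raise ValueError(f"mechanism not supported in this sketch: {name}")
    return "neutral"                           # nothing matched, no 'all' term

def disposition(result):
    """Hypothetical receiver policy: how each SPF result is acted on."""
    if result == "fail":
        return "reject"
    if result == "softfail":
        return "suspicious-folder"
    return "inbox"

# Constructed records for one domain, differing only in the final qualifier.
SOFT = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all"
HARD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"
OUTBOUND = "192.0.2.25"       # constructed: one of the domain's own outbounds
FORWARDER = "198.51.100.7"    # constructed: third-party host relaying the mail

def compare(client_ip):
    """Disposition of the same message under the ~all and -all records."""
    return (disposition(spf_check(SOFT, client_ip)),
            disposition(spf_check(HARD, client_ip)))
```

`compare(FORWARDER)` shows the forwarding case: the same relayed message lands in the suspicious folder under ~all and is rejected under -all, while mail from the listed outbound passes under both.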