[SATLUG] Fwd: Undelivered Mail Returned to Sender

Bob Tracy rct at gherkin.frus.com
Sat Feb 10 11:42:26 CST 2007


Brad Knowles wrote:
> At 12:52 AM -0600 2/10/07, Bob Tracy wrote:
> 
> >  (3) Check for SPF records: whoops!  None defined for shub-internet.org.
> 
> Nope.  SPF is inherently broken.  We've known this for years.  And I 
> mean years.

I've heard this assertion parroted by many without a supporting explanation.
Simply claiming brokenness in the same manner people did for SKIP during the
IPv4 IPsec implementation wars of the 90's isn't a convincing argument.
I checked the link you provided:
<http://bradknowles.typepad.com/considered_harmful/2004/05/spf.html>.
I might have missed something, but saw nothing I hadn't seen before on
the subject.

I've never bought the line of reasoning that says thus and such shouldn't
be used because the underlying technology is imperfect.  In this
particular case, the old argument against using SPF because of the
insecure (unreliable?) DNS underpinnings doesn't wash.  People haven't
quit using DNS, and the security issues are increasingly being addressed.
Everything else is "nostalgia" for the way the Internet used to exist in
the days before AOL.  RFC-compliant mailers recognize relay-format
addresses, but you would be hard-pressed today to find an SMTP server
that allows relays.  The spammers have ruined a lot of things :-(.  On
the plus side, I reiterate that spammers are inherently lazy.  Poisoning
DNS caches is certainly possible, but requires effort, and is a bit like
peeing in the swimming pool: the perp doesn't get away clean -- everyone
suffers.

> >  I suppose I could have somehow inferred that an "arbitrary" his.com
> >  host is a legitimate delivery agent for shub-internet.org e-mail based
> >  on the MX records, but that's stretching things a bit.
> 
> Uh, like that would be the default that you should assume for any 
> domain that does not have SPF records.  Check RFC 4408, section 2.5.1.

The experimental-status RFC 4408 sayeth in that section:

	2.5.1.  None

	A result of "None" means that no records were published by
	the domain or that no checkable sender domain could be
	determined from the given identity. The checking software
	cannot ascertain whether or not the client host is authorized. 

There is no MAY, MUST, or SHOULD clause in the above that indicates any
particular action an RFC 4408-compliant SMTP server may, must, or should
take when a particular sender domain has no associated SPF records.  It
simply states the obvious, i.e., that the checking software cannot
ascertain whether or not the client host is authorized ON THE BASIS OF
SPF (capitalized words added for emphasis, because SPF isn't the only
envelope test method available).  That makes it a local policy decision
for the owner / operator of the SMTP server.  My local policy decision
is to employ other tests on the envelope.

> You should not be insisting that all domains be SPF-compliant in 
> order to send e-mail to you.  At least, not if you want to get any 
> e-mail from anyone, that is.

I don't insist on SPF-compliance, however you define it, because not
having an SPF record is both legitimate and in compliance with the
experimental RFC.  I simply elect to apply other criteria in the
absence of SPF records to attempt to determine whether the delivery host
is somehow affiliated with the sender's domain.

> I've got a six-part series on the best current practice in 
> spamfighting methods that will soon be published on the LOPSA.org 
> website.  I'll be glad to share a copy with you in advance, if you 
> will agree to disable SPF on your MTA, and share your feedback with 
> me.

Please reread my explanation of what happened to you: SPF didn't spear
you -- my additional envelope checks employed in the absence of SPF did.
The best I can do for you is put your posting sender address (omitted
here to avoid giving even minimal help to would-be spammers) in a
whitelist, which I have done.  I welcome the opportunity to review your
spamfighting series and provide feedback.  Methinks our common ground is
far more important than our current disagreement.

-- 
-----------------------------------------------------------------------
Bob Tracy                   WTO + WIPO = DMCA? http://www.anti-dmca.org
rct at frus.com
-----------------------------------------------------------------------
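Added example (mine, not code from the thread or either poster): a minimal RFC 4408 evaluator that separates the section 2.5.1 "None" result from Pass/Fail, plus a local-policy layer that falls back, in the None case, to the MX-affiliation test discussed above. The DNS snapshot, the .example domains and addresses, and the MX fallback itself are constructed assumptions standing in for live lookups and for the unspecified envelope checks.

```python
import ipaddress

# Constructed DNS snapshot standing in for live lookups; names and addresses
# are documentation/example values, not records of any real domain.
DNS = {
    ("example.org", "TXT"): ["v=spf1 ip4:192.0.2.0/24 mx -all"],
    ("example.org", "MX"): ["mail.example.org"],
    ("mail.example.org", "A"): ["198.51.100.25"],
    ("nospf.example", "MX"): ["mx.relay.example"],  # publishes no SPF record
    ("mx.relay.example", "A"): ["203.0.113.10"],
}
QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}

def lookup(name, rtype):
    return DNS.get((name, rtype), [])

def check_spf(sender_domain, client_ip):
    """Minimal RFC 4408 check supporting the ip4, a, mx and all mechanisms.
    Returns "None", "Pass", "Fail", "SoftFail" or "Neutral" as the RFC names them."""
    records = [r for r in lookup(sender_domain, "TXT") if r.startswith("v=spf1")]
    if not records:
        return "None"  # section 2.5.1: nothing published, nothing ascertained
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier, mech = ("+", term) if term[0] not in QUALIFIERS else (term[0], term[1:])
        name, _, arg = mech.partition(":")
        target = arg or sender_domain
        if name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = client_ip in lookup(target, "A")
        elif name == "mx":
            matched = any(client_ip in lookup(mx, "A") for mx in lookup(target, "MX"))
        elif name == "all":
            matched = True
        else:
            matched = False  # unsupported mechanism: treated as non-matching here
        if matched:
            return QUALIFIERS[qualifier]
    return "Neutral"  # section 4.7: no mechanism matched

def accept_envelope(sender_domain, client_ip):
    """Local policy (assumed, not the RFC's): SPF decides when it yields a result;
    for "None" the fallback accepts only a client that is one of the domain's MX hosts."""
    result = check_spf(sender_domain, client_ip)
    if result != "None":
        return result, result != "Fail"
    mx_ips = {a for mx in lookup(sender_domain, "MX") for a in lookup(mx, "A")}
    return result, client_ip in mx_ips
```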