
[Asrg] Re: Disaster looming: SPF



Matthew Elvey wrote:

>> SPF is simply a way to enumerate all IPs of
>> MTAs using HELO do.ma.in or MAIL FROM:<user at do.ma.in>

> The drafts claim to do a lot more than that.

The essence is PASS - INCONCLUSIVE - FAIL, and for a given
domain and SMTP dialogue any IP is in exactly one of these
sets.  Yes, the drafts allow constructing per-user policies
where the LHS can play a role, and there are a lot of more
or less useful subcategories of INCONCLUSIVE like "none",
"unknown", "softfail", "temperror", and "permerror", but
the essence is PASS - INCONCLUSIVE - FAIL.

> SPF is marketed as a way to identify and discard junk email.

That's, like most marketing, beside the point.  I'm very unhappy
if somebody markets SPF as FUSSP, because it's not.  Getting a
PASS is easy; only a PASS in conjunction with white lists makes
sense.  The real power of SPF as a stand-alone solution is FAIL.
Spammers can avoid an SPF FAIL.  That's no bug, that's the idea.

>> How do you define "power user", direct-to-MX maybe ?
> No, see comment*.

If your definition of "power user" is "anybody with more than
one address", then my vintage '97 MUA has no problem with SPF:

I just write mails using From: nobody at xyzzy and collect them in
a file "outbox".  And when I'm online I send them.  My MUA then
automatically uses the MAIL FROM corresponding to the account.

Why should I say MAIL FROM:<nobody at xyzzy> when sending via
mailto.t-online.de ?  BTW, even if I'd try this stunt the MSA
would automatically patch both 2821 and 2822 From.
Another MSA I've used until Nov 30 was mail2.hamburg.de; it
insisted on a MAIL FROM:<f-e at hamburg>.  It was impossible for
me to get it wrong (enforced submission rights, see RFC 2476).

The one relay where I have a chance to screw up supports SMTP
AUTH and then allows any MAIL FROM.  But if I select the user
profile for this relay I can again send any mail in my "outbox"
with the correct MAIL FROM:<my.address at 4th.provider.example>.

But IMHO all this has nothing to do with a "power user", it's
obvious, you can't use your ebay password at amazon and v.v.,
even kids would understand this (after two simple tests ;-)

> elvey.com has an SPF record with a ~all

Yes, ~all (SOFTFAIL) is IMNSHO a bad idea in SPF, test -all if
you want real FAILs.  It worked for me (after about 4 months),
back from daily 1000 to zero bogus bounces / challenges / etc.

                        Bye, Frank
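As an added illustration (not code from this thread or from the SPF drafts), a toy evaluator for simple ip4/all records shows how the fine-grained SPF results collapse into PASS, INCONCLUSIVE and FAIL, and why a record ending in ~all can never yield a real FAIL while -all can. The records and addresses are constructed from RFC 5737 documentation ranges.

```python
"""Minimal SPF (v=spf1) evaluator for ip4 mechanisms and the trailing
"all" mechanism. Added illustration, not code from the thread; the
records and addresses below are constructed (RFC 5737 ranges)."""
import ipaddress

# SPF qualifier prefix -> SPF result name
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Collapse the fine-grained results into the three sets Frank calls
# the essence of SPF: everything that is not pass/fail is INCONCLUSIVE.
ESSENCE = {"pass": "PASS", "fail": "FAIL"}


def evaluate_spf(record: str, client_ip: str) -> str:
    """Return the SPF result for client_ip under record.

    Supports only 'ip4:<addr>[/<prefix>]' and 'all', enough for the
    enumerate-your-MTAs records discussed in the thread.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no usable SPF record published
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            return QUALIFIERS[qualifier]  # catch-all: first match wins
        if term.lower().startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # mechanism this toy evaluator doesn't know
    return "neutral"  # default result when no mechanism matched


def essence(result: str) -> str:
    """Map an SPF result name to PASS, FAIL or INCONCLUSIVE."""
    return ESSENCE.get(result, "INCONCLUSIVE")


if __name__ == "__main__":
    for rec in ("v=spf1 ip4:192.0.2.0/24 ~all", "v=spf1 ip4:192.0.2.0/24 -all"):
        for ip in ("192.0.2.25", "198.51.100.7"):
            r = evaluate_spf(rec, ip)
            print(f"{rec:32} {ip:14} -> {r:9} ({essence(r)})")
```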


