[milters] Archive


Article: 639
From: Michael Elliott
Date: 2005-07-05 18:27:09 -0400
Subject: Re: more private Re: New milter-spiff : A SPF-Classic implementation.

Removal...........: milters-request@milter.info?subject=remove
More information..: http://www.milter.info/#Support
--------------------------------------------------------

> Michael Elliott wrote:
> > One more thing.  A heavy vote against fail-discard, and even more
> > so against softfail-reject and softfail-discard.  
> > 
> > *-Discard means that the sending ISP tech sees a "status ok, message sent"
> > and the message never gets to the destination.  I get about 2 service
> > calls a week on stuff like that, and it makes it a bitch to trace.
> > The milter is during the smtp session.  So, either accept conclusively, 
> > or reject conclusively, don't leave a limbo case.
> 
> Sendmail supports a DISCARD in the access.db and as a milter action. I 
> personally never use that, preferring rejection or tagging. Yes. People 
> can shoot themselves in the foot with any discard option, but there will 
> always be someone who wants that flexibility to decide and experiment.

As a selective match.  You are suggesting using it as a default case. 
Please just add some red text that using discard is not advised because
the mail disappears into a blackhole without sender or receiver's knowledge.
It should only be used on known bad spammers/viruses.

> 
> > Per the spec, softfail should be accepted and subjected to more
> > filtering scrutiny.  It should not be rejected.  Specific examples
> 
> That's a local policy choice.
> 
> RFC 2821 states the DSN null address must be accepted and there are 
> clear reasons why, but people still choose to block MAIL FROM:<> for 
> local policy reasons, which I'm very very much against. I however had to 
> finally concede that there will be sites that think blocking <> is 
> clever and so implemented MxCallBackDsnBlocked in milter-sender as a 
> means to fall-back on the grey-listing.

Again, add some warning text that softfail reject is against the domain 
owner's wishes and will cause legitimate email to die.

> 
> > are hotmail.com and aol.com.  Both are easily processed by milter-sender
> > to verify that the users exist.  But, if milter-spiff rejects the mail,
> > you are dumping legit mail.  My logs show 20% of the softfails from those
> > two domains are killed by sendercallback.  Therefore, 80% is legit.
> > Don't give the sysadmin that much rope to hang himself with.  If you do,
> > at least give red warning signs saying that it goes beyond the spec and 
> > domain publisher's wishes.  
> 
> Rope, matches, projectile weapons, and discard. It's a choice. The gene 
> pool will tend to itself.

Most in the gene pool are not smart enough to swim in the deep end.  
Labeling them more clearly will help new users to not drown in a lack
of information.  If you don't have the "no diving in the shallow end"
sign up, they will do it and wonder why they hit their head.  Then they 
blame you.

I suggest:
 blue     fail-none           accept fails
 blue     fail-tag            Tag the subject on a Fail result.
 green    fail-reject         Reject the message on a Fail result.
 orange   fail-discard        Discard the message on a Fail result.
 green    softfail-none       accept softfails
 blue     softfail-tag        Tag the subject on a SoftFail result.
 red      softfail-reject     Reject the message on a SoftFail result.
 orange   softfail-discard    Discard the message on a SoftFail result.

With a table below of
 green  is for use as the SPF spec is designed.
 blue   is for marking the mail only in an informational way so you could
        see what would have been done.
 red    goes beyond SPF specifications and will delete mail the policy
        writer wishes to have delivered.  Will cause legitimate mail to die.
        Specifically, user@hotmail.com sent via an ISP will be rejected.
        Use of the milter-sender to validate the sender is a better alternative.
 orange is complete overkill because the mail disappears into a blackhole.
        This option is included only for completeness of all possibilities.


I have more comments for your other mail.  I will send them shortly.
Here is the log of domains that I have received mail from that are 
using the macros.  Cheetahmail.com is a large portion of it, but is 
also the outsource provider of email to a lot of large corporations.

alibris.i.delivery.net descriptive text "v=spf1 ip4:209.10.220.64/28
ip4:209.10.200.0/26 ip4:209.11.133.128/26 ip4:209.11.136.0/22 ip4:209.11.164.0/22
ip4:64.85.70.0/27 ip4:69.20.127.139/32 ip4:69.20.127.148/32 mx a
+exists:CL.%{i}.FR.%{s}.spf.mmtrack.net ~all"
autodesk.com descriptive text "v=spf1 exists:%{ir}.%{l1r+-}._spf.%{d} ?all"
b.a.chtah.com descriptive text "v=spf1 ptr:a.chtah.com ptr:cheetahmail.com
+exists:i%{i}.f%{s}.p.s.chtah.com ?all"
b.circuitcity.chtah.com descriptive text "v=spf1 ptr:circuitcity.chtah.com
ptr:cheetahmail.com +exists:i%{i}.f%{s}.p.s.chtah.com ?all"
b.colorfulimages.chtah.com descriptive text "v=spf1 ptr:colorfulimages.chtah.com
ptr:cheetahmail.com +exists:i%{i}.f%{s}.p.s.chtah.com ?all"
b.corbis.chtah.com descriptive text "v=spf1 ptr:corbis.chtah.com ptr:cheetahmail.com
+exists:i%{i}.f%{s}.p.s.chtah.com ?all"
b.deluxe.chtah.com descriptive text "v=spf1 ptr:deluxe.chtah.com ptr:cheetahmail.com
+exists:i%{i}.f%{s}.p.s.chtah.com ?all"
b.discovery.chtah.com descriptive text "v=spf1 ptr:discovery.chtah.com
ptr:cheetahmail.com +exists:i%{i}.f%{s}.p.s.chtah.com ?all"
b.dmnews.chtah.com descriptive text "v=spf1 ptr:dmnews.chtah.com ptr:cheetahmail.com
+exists:i%{i}.f%{s}.p.s.chtah.com ?all"
b.hellodirect.chtah.com descriptive text "v=spf1 ptr:hellodirect.chtah.com
ptr:cheetahmail.com +exists:i%{i}.f%{s}.p.s.chtah.com ?all"
b.hotels.chtah.com descriptive text "v=spf1 ptr:hotels.chtah.com ptr:cheetahmail.com
+exists:i%{i}.f%{s}.p.s.chtah.com ?all"
b.ng.chtah.com descriptive text "v=spf1 ptr:ng.chtah.com ptr:cheetahmail.com
+exists:i%{i}.f%{s}.p.s.chtah.com ?all"
b.paperdirect.chtah.com descriptive text "v=spf1 ptr:paperdirect.chtah.com
ptr:cheetahmail.com +exists:i%{i}.f%{s}.p.s.chtah.com ?all"
b.restorationhardware.chtah.com descriptive text "v=spf1
ptr:restorationhardware.chtah.com ptr:cheetahmail.com +exists:i%{i}.f%{s}.p.s.chtah.com
?all"
b.shoeline.chtah.com descriptive text "v=spf1 ptr:shoeline.chtah.com
ptr:cheetahmail.com +exists:i%{i}.f%{s}.p.s.chtah.com ?all"
b.spiegel.chtah.com descriptive text "v=spf1 ptr:spiegel.chtah.com
ptr:cheetahmail.com +exists:i%{i}.f%{s}.p.s.chtah.com ?all"
b.starbucks.chtah.com descriptive text "v=spf1 ptr:starbucks.chtah.com
ptr:cheetahmail.com +exists:i%{i}.f%{s}.p.s.chtah.com ?all"
b.vantagetravel.chtah.com descriptive text "v=spf1 ptr:vantagetravel.chtah.com
ptr:cheetahmail.com +exists:i%{i}.f%{s}.p.s.chtah.com ?all"
b.weddingchannel.chtah.com descriptive text "v=spf1 ptr:weddingchannel.chtah.com
ptr:cheetahmail.com +exists:i%{i}.f%{s}.p.s.chtah.com ?all"
b.westaff.chtah.com descriptive text "v=spf1 ptr:westaff.chtah.com
ptr:cheetahmail.com +exists:i%{i}.f%{s}.p.s.chtah.com ?all"
b.williams-sonoma.chtah.com descriptive text "v=spf1 ptr:williams-sonoma.chtah.com
ptr:cheetahmail.com +exists:i%{i}.f%{s}.p.s.chtah.com ?all"
cvs.m0.net descriptive text "v=spf1 ip4:209.10.220.64/28 ip4:209.10.200.0/26
ip4:209.11.133.128/26 ip4:209.11.136.0/22 ip4:209.11.164.0/22 ip4:64.85.70.0/27
ip4:69.20.127.139/32 ip4:69.20.127.148/32 mx a +exists:CL.%{i}.FR.%{s}.spf.mmtrack.net
~all"
dell.m0.net descriptive text "v=spf1 ip4:209.10.220.64/28 ip4:209.10.200.0/26
ip4:209.11.133.128/26 ip4:209.11.136.0/22 ip4:209.11.164.0/22 ip4:64.85.70.0/27
ip4:69.20.127.139/32 ip4:69.20.127.148/32 mx a +exists:CL.%{i}.FR.%{s}.spf.mmtrack.net
~all"
gap.m0.net descriptive text "v=spf1 ip4:209.10.220.64/28 ip4:209.10.200.0/26
ip4:209.11.133.128/26 ip4:209.11.136.0/22 ip4:209.11.164.0/22 ip4:64.85.70.0/27
ip4:69.20.127.139/32 ip4:69.20.127.148/32 mx a +exists:CL.%{i}.FR.%{s}.spf.mmtrack.net
~all"
lacaixa.es descriptive text "v=spf1 ip4:213.229.186.16 ip4:217.16.255.27
ip4:217.16.255.28 ip4:217.148.73.101 ip4:217.148.73.105 ip4:217.148.73.109 mx
exists:%{s}.S.%{i}.I.spflog.lacaixa.com -all"
m.dollar.chtah.com descriptive text "v=spf1 ptr:dollar.chtah.com ptr:cheetahmail.com
+exists:i%{i}.f%{s}.p.s.chtah.com ?all"
marriott.m0.net descriptive text "v=spf1 ip4:209.10.220.64/28 ip4:209.10.200.0/26
ip4:209.11.133.128/26 ip4:209.11.136.0/22 ip4:209.11.164.0/22 ip4:64.85.70.0/27
ip4:69.20.127.139/32 ip4:69.20.127.148/32 mx a +exists:CL.%{i}.FR.%{s}.spf.mmtrack.net
~all"
narod.ru descriptive text "v=spf1 ip4:213.180.192.0/19
-exists:%{l}.%{ir}.narod.spf-check.yandex.ru ?all"
nextel.delivery.net descriptive text "v=spf1 ip4:209.10.220.64/28 ip4:209.10.200.0/26
ip4:209.11.133.128/26 ip4:209.11.136.0/22 ip4:209.11.164.0/22 ip4:64.85.70.0/27
ip4:69.20.127.139/32 ip4:69.20.127.148/32 mx a +exists:CL.%{i}.FR.%{s}.spf.mmtrack.net
~all"
oldnavy.m0.net descriptive text "v=spf1 ip4:209.10.220.64/28 ip4:209.10.200.0/26
ip4:209.11.133.128/26 ip4:209.11.136.0/22 ip4:209.11.164.0/22 ip4:64.85.70.0/27
ip4:69.20.127.139/32 ip4:69.20.127.148/32 mx a +exists:CL.%{i}.FR.%{s}.spf.mmtrack.net
~all"
out.returnpath.net descriptive text "spf2.0/pra ptr:returnpath.net
ptr:assurancesys.com ptr:hotbank.com ptr:rightnowtech.com ptr:returnpathny.com
ip4:67.93.140.147 ip4:206.61.185.35 exists:IP%{i}.H%{h}.D%{d}.2.2.eim.bz ~all"
out.returnpath.net descriptive text "v=spf1 ptr:returnpath.net ptr:assurancesys.com
ptr:hotbank.com ptr:rightnowtech.com ptr:returnpathny.com ip4:67.93.140.147
ip4:206.61.185.35 exists:IP%{i}.H%{h}.D%{d}.2.1.eim.bz ~all"
pobox.com descriptive text "v=spf1 mx mx:fallback-relay.%{d} a:webmail.%{d}
a:smtp.%{d} a:outgoing.smtp.%{d} a:discard-reports.%{d} a:discards.%{d} mx:stor"
"e.discard.%{d} a:emerald.%{d} redirect=%{l1r+}._at_.%{o}._spf.%{d}"
priceline.delivery.net descriptive text "v=spf1 ip4:209.10.220.64/28
ip4:209.10.200.0/26 ip4:209.11.133.128/26 ip4:209.11.136.0/22 ip4:209.11.164.0/22
ip4:64.85.70.0/27 ip4:69.20.127.139/32 ip4:69.20.127.148/32 mx a
+exists:CL.%{i}.FR.%{s}.spf.mmtrack.net ~all"
rambler.ru descriptive text "v=spf1 mx a:mx0.rambler.ru a:mxb.rambler.ru
a:mxc.rambler.ru -exists:%{ir}.spf.rambler.ru -exists:%{l}.u.spf.rambler.ru ~all"
stg.com descriptive text "v=spf1 a mx a:flotsam.stg.com a:mcbain.stg.com
exists:%{l}.%{i}._spf.stg.com ~all"
terra.com.br descriptive text "v=spf1 ip4:200.154.55.0/24 ip4:200.176.2.0/23
ip4:200.176.10.0/23 include:tmp-spf.terra.com.br include:ti-spf.terra.com.br
include:te-spf.terra.com.br exists:%{i}.%{l}.spf.terra.com.br ~all"
yandex.ru descriptive text "v=spf1 ip4:213.180.192.0/19
-exists:%{l}.%{ir}.yandex.spf-check.yandex.ru ?all"

-Mike Elliott
Msen Sysadmin

> 
> -- 
> Anthony C Howe                                 +33 6 11 89 73 78
> http://www.snert.com/       ICQ: 7116561         AIM: Sir Wumpus
> 
> Sendmail Anti-Spam Solutions           http://www.snertsoft.com/
>                                              We Serve Your Server
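
The records listed in the message above all depend on macro expansion, so here is a small expander, added as an example for this page (Python; it is not milter-spiff's or Anthony Howe's code). It implements the macro rules of RFC 7208 section 7, the successor to the SPF-Classic draft under discussion: %{s}, %{l}, %{o}, %{d}, %{i}, %{v} and %{h}, the digit and `r` transformers, custom delimiters, the `%%`/`%_`/`%-` escapes, URL-escaping for upper-case macro letters, and the rule that an expanded query name longer than 253 characters loses labels from the left. The domain-specs in PAGE_DOMAIN_SPECS are copied from the autodesk.com, chtah.com, lacaixa.es, pobox.com and out.returnpath.net records quoted in the message; the session values (client IP, MAIL FROM, HELO) are constructed, and the names CheckContext, expand_macros, expand_domain_spec and expand_page_examples are this example's own. Two things the expansion makes concrete for anyone deploying a checker: every exists: lookup against one of these records sends the connecting IP and the full sender address to the publisher's nameserver (the spflog.lacaixa.com and spf-check.yandex.ru names are exactly that), and a macro the checker does not implement must surface as an error rather than a silent pass.

```python
"""SPF macro expansion as specified in RFC 7208 section 7 (the successor to
the SPF-Classic draft discussed in this thread).  Added example; this is not
milter-spiff code."""
import ipaddress
import re
import urllib.parse
from dataclasses import dataclass

# %% / %_ / %- escapes, or %{<letter><digits><r><delimiters>}
MACRO_RE = re.compile(r"%(?:%|_|-|\{([A-Za-z])(\d*)([rR]?)([.\-+,/_=]*)\})")
MAX_NAME_LEN = 253  # RFC 7208 7.3: longer expansions lose labels on the left


@dataclass(frozen=True)
class CheckContext:
    """What the receiving MTA knows during the SMTP session (names assumed)."""
    ip: str       # connecting client address          -> %{i}, %{v}
    sender: str   # MAIL FROM (postmaster@helo for <>)  -> %{s}, %{l}, %{o}
    helo: str     # HELO/EHLO hostname                  -> %{h}
    domain: str   # domain whose record is evaluated    -> %{d}


def _dotted_ip(addr) -> str:
    """%{i}: IPv4 stays dotted-quad; IPv6 becomes dot-separated nibbles."""
    if addr.version == 4:
        return str(addr)
    return ".".join(addr.exploded.replace(":", ""))


def expand_macros(text: str, ctx: CheckContext) -> str:
    """Expand every macro in `text`; raise ValueError on macros not handled here."""
    addr = ipaddress.ip_address(ctx.ip)
    local, _, sender_domain = ctx.sender.rpartition("@")
    values = {
        "s": ctx.sender,
        "l": local or "postmaster",   # RFC 7208 4.3: empty local part -> postmaster
        "o": sender_domain,
        "d": ctx.domain,
        "i": _dotted_ip(addr),
        "v": "in-addr" if addr.version == 4 else "ip6",
        "h": ctx.helo,
    }

    def repl(m):
        token = m.group(0)
        if token == "%%":
            return "%"
        if token == "%_":
            return " "
        if token == "%-":
            return "%20"
        letter, digits, reverse, delims = m.groups()
        if letter.lower() not in values:
            # %{p} (validated PTR) and the exp=-only letters c, r, t are not implemented
            raise ValueError(f"unsupported macro {token}")
        # Split on the listed delimiters (default "."), optionally reverse,
        # optionally keep only the rightmost N parts, then rejoin with dots.
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter.lower()])
        if reverse:
            parts.reverse()
        if digits and int(digits) > 0:
            parts = parts[-int(digits):]
        out = ".".join(parts)
        # An upper-case macro letter asks for URL-escaping of the expansion.
        return urllib.parse.quote(out, safe="") if letter.isupper() else out

    return MACRO_RE.sub(repl, text)


def expand_domain_spec(spec: str, ctx: CheckContext) -> str:
    """Expand an exists:/redirect= target and drop leftmost labels until it fits
    in 253 characters, as RFC 7208 7.3 requires before the DNS query."""
    labels = expand_macros(spec, ctx).split(".")
    while len(labels) > 1 and len(".".join(labels)) > MAX_NAME_LEN:
        labels.pop(0)
    return ".".join(labels)


# Domain-specs copied from the records quoted in this message.
PAGE_DOMAIN_SPECS = {
    "autodesk.com":   "%{ir}.%{l1r+-}._spf.%{d}",
    "chtah.com":      "i%{i}.f%{s}.p.s.chtah.com",
    "lacaixa.es":     "%{s}.S.%{i}.I.spflog.lacaixa.com",
    "pobox.com":      "%{l1r+}._at_.%{o}._spf.%{d}",
    "returnpath.net": "IP%{i}.H%{h}.D%{d}.2.1.eim.bz",
}


def expand_page_examples(ctx: CheckContext) -> dict:
    """Names the checker would look up for each record above, given `ctx`."""
    return {name: expand_domain_spec(spec, ctx) for name, spec in PAGE_DOMAIN_SPECS.items()}


if __name__ == "__main__":
    # Constructed session values, not taken from any real log.
    session = CheckContext(ip="209.10.220.70", sender="bob-smith+list@autodesk.com",
                           helo="mail.example.net", domain="autodesk.com")
    for record, name in expand_page_examples(session).items():
        print(f"{record:16} -> {name}")
```

Run as a script it prints the five names a checker would query for the constructed session; note how the autodesk.com spec reduces "bob-smith+list" to "bob" (split on + and -, reversed, rightmost label kept), while the chtah.com and lacaixa.es specs place the entire sender address into the query. A `%{p}` macro raises ValueError here because validated-PTR expansion is deliberately not implemented; a real checker would map that to permerror.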
