[milters] Archive


Article: 640
From: Anthony Howe
Date: 2005-07-06 02:02:07 -0400
Subject: Re: New milter-spiff : A SPF-Classic implementation.


Michael Elliott wrote:
>>Sendmail supports a DISCARD in the access.db and as a milter action. I 
>>personally never use that, preferring rejection or tagging. Yes. People 
>>can shoot themselves in the foot with any discard option, but there will 
>>always be someone who wants that flexibility to decide and experiment.
> As a selective match.  You are suggesting using it as a default case. 

Huh? Where? I make no such recommendation. For -H and -M there is text like:

	A reasonable setting might be -H softfail-tag,fail-reject.

No mention of using either *-discard choices. The default action for 
BOTH -H and -M is simply adding Received-SPF: headers with no action 
taken, not even tagging.

> Please just add some red text that using discard is not advised because
> the mail disappears into a blackhole without sender or receiver's knowledge.
> It should only be used on known bad spammers/viruses.

>>That's a local policy choice.
>>RFC 2821 states the DSN null address must be accepted and there are 
>>clear reasons why, but people still choose to block MAIL FROM:<> for 
>>local policy reasons, which I'm very very much against. I however had to 
>>finally concede that there will be sites that think blocking <> is 
>>clever and so implemented MxCallBackDsnBlocked in milter-sender as a 
>>means to fall back on the grey-listing.
> Again, add some warning text that softfail reject is against the domain 
> owner's wishes and will cause legitimate email to die.

I could, but users should be reading the Internet draft documents on how to 
specify their SPF records and understanding what SPF is about.

A ~all leaves your domain(s) still open to spammer sender forgery and is 
next to useless only by nanometers. Essentially by publishing an SPF 
record with an ~all final choice, you've caused a pile of extra DNS 
lookups (at least extra per a, ptr, mx, include, exists, and/or redirect 
mechanism used), might have said where things do come from for certain, 
and then bail at the very last by stating ~all. Essentially ~all is no 
better than if you had no SPF records at all.

As I recall ~all is a migration & testing path setting. Domain owners 
can state what they know and/or testing under SPF, but ~all is their 
recommendation. It's an inbound postmaster's choice to honour that or 
impose stricter choices as they see fit. That is why my suggested 
settings for -H and -M are:

	-M softfail-tag,fail-reject

which reflects the SPF spec. recommendations.

And since many spammers use SPF records, SPF in and of itself is not an 
anti-spam tool as originally conceived. SPF is an anti-phishing tool. 
I wrote a lengthy USENIX/SAGE ;login: article on anti-spam that came out 
last month where I discussed this and other methods.

Anthony C Howe                                 +33 6 11 89 73 78
http://www.snert.com/       ICQ: 7116561         AIM: Sir Wumpus

Sendmail Anti-Spam Solutions           http://www.snertsoft.com/
                                             We Serve Your Server
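An added example, not code from milter-spiff or from the author of the post, showing the two points made above: a record ending in ~all only yields softfail for a forged sender, and it is the receiving postmaster's -H/-M setting that turns that result into an action. It assumes the option syntax is comma-separated `<result>-<action>` pairs as in `-M softfail-tag,fail-reject`, that unlisted results fall back to the default of adding a Received-SPF: header with no action, and it evaluates only ip4/ip6 and all mechanisms on constructed records (no DNS lookups).

```python
import ipaddress

# SPF qualifier characters and the result each one produces on a match.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Evaluate a constructed SPF record against client_ip, offline.

    Only ip4/ip6 and all are handled; mechanisms that would need DNS
    (a, mx, ptr, include, exists, redirect) are skipped here. The result is
    the qualifier of the first matching mechanism, or neutral if none match.
    """
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]  # ~all -> softfail, -all -> fail
        if name in ("ip4", "ip6"):
            # An IPv4 address is never inside an IPv6 network, and vice versa.
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"


def parse_policy(option):
    """Turn 'softfail-tag,fail-reject' into {'softfail': 'tag', 'fail': 'reject'}.

    Assumed syntax: comma-separated <result>-<action> pairs (hypothetical parser).
    """
    policy = {}
    for item in option.split(","):
        if item:
            result, _, action = item.rpartition("-")
            policy[result] = action
    return policy


def milter_action(record, client_ip, option):
    """Return (spf_result, action); results not named in the option only get a
    Received-SPF: header added, which is the default described in the post."""
    result = evaluate_spf(record, client_ip)
    return result, parse_policy(option).get(result, "header-only")
```

With `v=spf1 ip4:192.0.2.0/24 ~all` a message from an unlisted host is only softfail, so `-M softfail-tag,fail-reject` tags it rather than rejecting it; the same host under `-all` is fail and gets rejected.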
