From: Anthony Howe
Date: 2005-07-06 02:02:07 -0400
Subject: Re: New milter-spiff : A SPF-Classic implementation.
More information: http://www.milter.info/#Support
Michael Elliott wrote:
>>Sendmail supports a DISCARD in the access.db and as a milter action. I
>>personally never use that, preferring rejection or tagging. Yes. People
>>can shoot themselves in the foot with any discard option, but there will
>>always be someone who wants that flexibility to decide and experiment.
> As a selective match. You are suggesting using it as a default case.
Huh? Where? I make no such recommendation. For -H and -M there is text like:
A reasonable setting might be -H softfail-tag,fail-reject.
No mention of using either *-discard choices. The default action for
BOTH -H and -M is simply adding Received-SPF: headers with no action
taken, not even tagging.
> Please just add some red text that using discard is not advised because
> the mail disappears into a blackhole without sender or receiver's knowledge.
> It should only be used on known bad spammers/viruses.
>>That's a local policy choice.
>>RFC 2821 states the DSN null address must be accepted and there are
>>clear reasons why, but people still choose to block MAIL FROM:<> for
>>local policy reasons, which I'm very very much against. I however had to
>>finally concede that there will be sites that think blocking <> is
>>clever and so implemented MxCallBackDsnBlocked in milter-sender as a
>>means to fall-back on the grey-listing.
> Again, add some warning text that softfail reject is against the domain
> owner's wishes and will cause legitimate email to die.
I could, but users should be reading the Internet draft documents on how to
specify their SPF records and understanding what SPF is about.
A ~all leaves your domain(s) still open to spammer sender forgery and is
next to useless only by nanometers. Essentially by publishing an SPF
record with an ~all final choice, you've caused a pile of extra DNS
lookups (at least extra per a, ptr, mx, include, exists, and/or redirect
mechanism used), might have said where things do come from for certain,
and then bail at the very last by stating ~all. Essentially ~all is no
better than if you had no SPF records at all.
As I recall ~all is a migration & testing path setting. Domain owners
can state what they know and/or testing under SPF, but ~all is their
recommendation. It's an inbound postmaster's choice to honour that or
impose stricter choices as they see fit. That is why my suggested
settings for -H and -M are:
which reflects the SPF spec. recommendations.
And since many spammers use SPF records, SPF in and of itself is not an
anti-spam tool as originally conceived. SPF is an anti-phishing tool.
I wrote a lengthy USENIX/SAGE ;login: article on anti-spam that came out
last month where I discussed this and other methods.
Anthony C Howe +33 6 11 89 73 78
7116561 AIM: Sir Wumpus
Sendmail Anti-Spam Solutions http://www.snertsoft.com/
We Serve Your Server
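As an added illustration, not code from milter-spiff or from anyone in this thread, the Python below parses an SPF record, counts the lookup-incurring mechanisms the message lists (a, ptr, mx, include, exists, redirect), and shows what a policy string in the softfail-tag,fail-reject style does with a forged sender under ~all versus -all. The sample records, the policy-string format and the action names are assumptions made for the example.

```python
import re

# Mechanisms and modifiers that each cost a DNS lookup (the spec caps these at 10 per check).
DNS_TERMS = {"a", "mx", "ptr", "include", "exists", "redirect"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
TERM_RE = re.compile(r"^([a-z0-9]+)(?:[:/](.*))?$", re.I)

def parse_spf(record):
    """Parse one SPF TXT record. Returns (terms, final_result, dns_lookups), where
    final_result is the outcome for a sender that matches none of the listed sources."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF v1 record")
    terms, lookups, final = [], 0, "neutral"      # no 'all' term at all => neutral
    for raw in parts[1:]:
        if "=" in raw:                            # modifier: redirect=, exp=
            name, arg = raw.split("=", 1)
            name = name.lower()
            if name in DNS_TERMS:
                lookups += 1
            if name == "redirect":
                final = "redirect:" + arg         # outcome is decided by the target domain
            terms.append(("modifier", name, arg))
            continue
        qual = raw[0] if raw[0] in QUALIFIERS else "+"
        m = TERM_RE.match(raw.lstrip("+-~?"))
        if not m:
            raise ValueError("bad term: " + raw)
        name, arg = m.group(1).lower(), m.group(2) or ""
        if name in DNS_TERMS:
            lookups += 1
        if name == "all":
            final = QUALIFIERS[qual]
        terms.append((QUALIFIERS[qual], name, arg))
    return terms, final, lookups

def milter_action(policy, result):
    """Map an SPF result to an action under an assumed policy string such as
    'softfail-tag,fail-reject'. Results not listed get 'none' (header only)."""
    actions = dict(item.strip().rpartition("-")[::2] for item in policy.split(","))
    return actions.get(result, "none")

def assess(record, policy="softfail-tag,fail-reject"):
    """Summarise what the policy does with a forged sender matching no listed source."""
    _, final, lookups = parse_spf(record)
    return {"final": final, "lookups": lookups, "forgery_action": milter_action(policy, final)}

if __name__ == "__main__":
    for rec in ("v=spf1 mx a:mail.example.com include:_spf.example.net ~all",  # constructed
                "v=spf1 ip4:192.0.2.0/24 -all"):                                # constructed
        print(rec, "->", assess(rec))
```

Under the softfail-tag,fail-reject policy the ~all record costs three lookups and still only tags a forgery, while the -all record costs none and rejects it, which is the point made above about ~all.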