Gary Levell | 1 Jul 2004 01:09

RE: Clarification of %{p} macro & 4.6 Ptr validated domain resolution

Meng Weng Wong wrote:

>Perhaps this is a stupid question, but can't you use %{o}?

Actually, after thinking about it, an "exists:" macro without an %{i} or %{p}
is an unsafe mechanism to use. 

All the possible domain permutations from a completely static one through to
a fully dynamic one are spoofable because the client IP is not involved in
the expansion of the domain macro.

So, for our product, in addition to detection (and optional rejection) of
messages from domains who publish "+all" and "ip4", "ip6", "a" & "mx"
mechanisms with large CIDR blocks, it looks like I need to detect "exists"
that don't contain %{i} or %{p} macros. Or indeed %{i/p<n>} where n<3.

Inevitably, spammers are just going to move from no policy to "v=spf1 +all"
through "v=spf1 +a/0 -all" through to "v=spf1 exists:spammerparadise.com
-all" and finally to something like "v=spf1 exists:{%i1}.spammerparadise.com
-all".

-Gary
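The checks listed in the post above, sketched as a receiver-side SPF record audit. This is an added example, not code from the list or from the poster's product; the function names, finding strings, the /16 and /32 prefix thresholds and the example.com sample records are assumptions made here.

```python
import re

# Assumed thresholds: the post only says "large CIDR blocks".
MIN_V4_PREFIX = 16
MIN_V6_PREFIX = 32

# SPF macro: %{letter [digits] [r] [delimiters]}
MACRO = re.compile(r"%\{([a-zA-Z])(\d*)(r?)([.\-+,/_=]*)\}")

def ip_bound(target):
    """True if target has an %{i} or %{p} macro that keeps at least 3 parts."""
    return any(letter.lower() in "ip" and (digits == "" or int(digits) >= 3)
               for letter, digits, _rev, _delims in MACRO.findall(target))

def audit_spf(record):
    """Return findings for one SPF TXT record (finding names are constructed)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    for term in terms[1:]:
        if term[0] in "-~?":      # only mechanisms that can yield "pass" matter
            continue
        body = term.lstrip("+")
        name = re.split(r"[:/=]", body, maxsplit=1)[0].lower()
        rest = body[len(name):]
        if name == "all":
            findings.append("+all: any client IP passes")
        elif name in ("ip4", "ip6", "a", "mx"):
            single = re.search(r"(?<!/)/(\d+)(?://\d+)?$", rest)  # /n
            dual = re.search(r"//(\d+)$", rest)                   # //n (IPv6)
            n = int(single.group(1)) if single else None
            v4 = n if name != "ip6" else None
            v6 = n if name == "ip6" else (int(dual.group(1)) if dual else None)
            if (v4 is not None and v4 < MIN_V4_PREFIX) or \
               (v6 is not None and v6 < MIN_V6_PREFIX):
                findings.append(f"{term}: very wide CIDR block")
        elif name == "exists" and not ip_bound(rest):
            findings.append(f"{term}: exists target not tied to the client IP")
    return findings

# Constructed sample records following the progression described in the post.
SAMPLES = ["v=spf1 +all", "v=spf1 +a/0 -all",
           "v=spf1 exists:static.example.com -all",
           "v=spf1 exists:%{i1}.example.com -all",
           "v=spf1 exists:%{ir}.%{d}.example.com -all"]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec, "->", audit_spf(rec) or "ok")
```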

Frank Ellermann | 1 Jul 2004 01:54

wizard.html problems (was: What does PASS really mean?)

spf <at> kitterman.com wrote:

> include: should only be used if the domain to be included
> has actually published an SPF record.  Is it possible to
> have the wizard check the include domain for an SPF record?

Are you sure that the wizard generates an "include" at all ?

I tried to check arbitrary sender policies, but apparently
that's not supported.  You can test existing policies with
<http://spf.pobox.com/why.html?debug=1>, but I haven't found
a way to check arbitrary policies (without a domain for tests).

Oops, at the moment my browser is unable to display wizard.html
- and the W3C validator misses an </a> in line 41, and a </div>
in line 42 (or 43).  

There might be also an incorrect nesting later, something like
<form>...<table>...</form>...</table> (or v.v.), that's a case
where my browser tends to give up (displaying an empty page).

                          Bye, Frank

bulk72804 | 1 Jul 2004 03:14

register.com and SPF advocacy


The last discussion of register.com I saw in the archives was in
January.  I just had a similar experience trying to add SPF
records for my domains.

I know I could move my DNS to zoneedit or something, but that
seems like letting register.com off the hook.  Moving the domains
to another registrar, as mentioned previously, would be a pain.

Register.com claims to manage 3 million, so this would seem to be
a major advocacy issue for SPF supporters.  Not an issue to be
ignored or lightly dismissed.  Convincing register.com not just
to support TXT records, but to maybe even add a version of the
SPF wizard that helps users update the records would be a huge
boost to SPF adoption.

Make it easy, and they will come.

Chris

Mark | 1 Jul 2004 04:04

Re: milter-spf 1.41: Failed to set timeout value!

Jeff A. Earickson wrote:

> Hi,
>    New to the list...  I was trying to get milter-spf 1.41
> working with sendmail 8.13.0 (solaris 9, perl 5.8.4 built as
> sun4-solaris-thread-multi, installed Sendmail-PMilter-0.93 instead
> of Sendmail-Milter-0.18 which does not build on solaris).
> I followed the install instructions: got the needed perl modules
> installed, got my sendmail.cf modified, stopped sendmail, and did:
>
> /etc/mail/sendmail-milter-spf-1.41.pl smmsp
>
> It coughed up the message: Failed to set timeout value!
>
> Questions:
>
> 1) Why the message?

I have heard this before. It seems there are platforms on which the
Sendmail::Milter::settimeout call simply returns an undefined value (perhaps
because the timeout cannot be set properly on those platforms?).

> How to fix?

The Sendmail::Milter::settimeout call can simply be removed in those cases.
The idea was to set the timeout to a large number, so that spf-milter
default timeout settings would not try and 'compete' with the more
fine-grained sendmail.cf T timings. In the next release I will no longer
make a fail to this call a critical error (but instead just have it spit out
a warning message).

Thomas Harold | 1 Jul 2004 04:55

Re: register.com and SPF advocacy

bulk72804 <at> drwren.com wrote:
> The last discussion of register.com I saw in the archives was in
> January.  I just had a similar experience trying to add SPF
> records for my domains.
> 
> I know I could move my DNS to zoneedit or something, but that
> seems like letting register.com off the hook.  Moving the domains
> to another registrar, as mentioned previously, would be a pain.
> 
> Register.com claims to manage 3 million, so this would seem to be
> a major advocacy issue for SPF supporters.  Not an issue to be
> ignored or lightly dismissed.  Convincing register.com not just
> to support TXT records, but to maybe even add a version of the
> SPF wizard that helps users update the records would be a huge
> boost to SPF adoption.
> 
> Make it easy, and they will come.
> 

Yeah, I was one of those people.

We moved our DNS services to DNSMadeEasy.com.

Good chance that we'll be moving our registrar records as well.  I don't 
hold much hope that Register.com will catch a clue unless one of the big 
ISPs holds their feet to the fire.  (Our complaints probably never made 
it past the front line support people.)

spf | 1 Jul 2004 05:16

RE: wizard.html problems (was: What does PASS really mean?)

> -----Original Message-----
> From: owner-spf-discuss <at> v2.listbox.com
> [mailto:owner-spf-discuss <at> v2.listbox.com]On Behalf Of Frank Ellermann
> Sent: Wednesday, June 30, 2004 7:54 PM
> To: spf-discuss <at> v2.listbox.com
> Subject: [spf-discuss] wizard.html problems (was: What does PASS really
> mean?)
>
>
> spf <at> kitterman.com wrote:
>
> > include: should only be used if the domain to be included
> > has actually published an SPF record.  Is it possible to
> > have the wizard check the include domain for an SPF record?
>
> Are you sure that the wizard generates an "include" at all ?

Yes, in response to the question, "Could mail from {example.com} originate
through servers belonging to some other domain? If you send mail through
your ISP's servers, name the ISP here."

Scott Kitterman

Meng Weng Wong | 1 Jul 2004 07:16

Re: register.com and SPF advocacy

On Wed, Jun 30, 2004 at 10:55:50PM -0400, Thomas Harold wrote:
| 
| Yeah, I was one of those people.
| 
| We moved our DNS services to DNSMadeEasy.com.
| 
| Good chance that we'll be moving our registrar records as well.  I don't 
| hold much hope that Register.com will catch a clue unless one of the big 
| ISPs holds their feet to the fire.  (Our complaints probably never made 
| it past the front line support people.)

As a small business owner, I would request that anyone who
"votes with their feet" to please email customer support and
explain why you are switching to a competitor.  There is a
lot of noise in the system, and without this kind of
communication, it is difficult for businesses to know what
they're doing wrong.

After all, the decision not to renew a contract represents
only one bit of information; increasing the verbosity of
that operation improves the information content of your
action.

Enough of this sort of feedback and smart businesses will
respond.

Unfortunately, simple requests are often not sufficient,
because whenever your customer count goes above a certain
number, the kook contingent introduces enough noise that you
can't listen to everything.

Paul Howarth | 1 Jul 2004 15:06

Re: Administrative Denial?

Hibbs, Phil wrote:
> A few weeks ago, a friend (here in the UK) had a problem sending email. They
> used to dial up through Freeserve, but then they got broadband. I set up
> their network so that the broadband was shared, and they could use the
> office computer to browse the internet and send email without dialing up.
> Everything was fine until they got a bounce message with a 3-digit error
> code that I can't remember, but the text description was "Administrative
> Denial". I think the recipient email address was  <at> btinternet.com.

"Administrative Prohibition" perhaps?

http://kbase.pscs.co.uk/index_vp.php?id=213&c=1

Did you have mail set up for direct to MX mailing, or were you using the 
broadband provider's smarthost?

Paul.

Graham Murray | 1 Jul 2004 15:07

Re: Administrative Denial?

"Hibbs, Phil" <phil.hibbs <at> capgemini.com> writes:

> I suspect that BT Internet were rejecting the email because the 'from' IP
> address didn't check out. Could this be SPF-related, and if so, can they set
> up an SPF record to get around it?

I do not think it is SPF related. I believe that BT Internet only
allow mail to be sent via their mailers if the From: (RFC2822) domain
is hosted by BT Internet (or maybe registered with them, I am not
sure). 

Chris Drake | 1 Jul 2004 15:17

Re[2]: Clarification of %{p} macro & 4.6 Ptr validated domain resolution

Hi Gary,

GL> Inevitably, spammers are just going to move from no policy to "v=spf1 +all"

Try to remember that SPF is for sender authentication, NOT anti-spam.

We *want* spammers to do what you say, because then they're forced to
either be accountable for their actions (to their ISP), or to act
irresponsibly from blacklisted (RBL) domains.

Kind Regards,
Chris Drake

