Afternoon (o;
If any1 is interested...I have a spare used C3524-PWR-XL-EN switch with PoE and 2 * GBIC slots...
Possible to trade in PSP and PS2 (o;
cheers rick
Hi Maillist,
SPF is starting to become a topic at our company again - ^^ - and I'm now interested:
- who does not use SPF - who implemented SPF DNS entries - who uses SPF for matching - who fully uses SPF ^^ lolz
I'm just trying to get a general feeling again about what the community thinks about SPF.
Kind regards,
Daniel
Hi Daniel
We're using SPF DNS entries for our own domain and on demand the domains of our customers. We're checking SPF entries on our spamfilter and filtering ~and - entries
My 2cents: If SPF ist setup correctly, it makes sense for those who check it and doesn't hurt those who don't...
Regards,
Mike
-- Mike Kellenberger mike.kellenberger@escapenet.ch Escapenet - the Web Company Tel +41 52 235 0700 http://www.escapenet.ch http://www.escapenet.ch/ Skype mikek70atwork
________________________________
Von: swinog-bounces@lists.swinog.ch [mailto:swinog-bounces@lists.swinog.ch] Im Auftrag von Daniel.Blaser@lkw.li Gesendet: Mittwoch, 14. Februar 2007 15:35 An: swinog@swinog.ch Betreff: [swinog] to SPF or not to SPF
Hi Maillist,
SPF is starting to become a topic at our company again - ^^ - and I'm now interested:
- who does not use SPF - who implemented SPF DNS entries - who uses SPF for matching - who fully uses SPF ^^ lolz
I'm just trying to get a general feeling again about what the community thinks about SPF.
Kind regards,
Daniel
On Wed, Feb 14, 2007 at 03:35:03PM +0100, Daniel.Blaser@lkw.li wrote:
Hi Maillist,
SPF is starting to become a topic at our company again - ^^ - and I'm now interested:
- who does not use SPF
- who implemented SPF DNS entries
- who uses SPF for matching
- who fully uses SPF ^^ lolz
I'm just trying to get a general feeling again about what the community thinks about SPF.
We are not using it, will not use it and still think that SPF is fundamentially broken. Many valid SPF mails are actually SPAM and many SPF entries use wildcard entries turning it useless.
we're not using spf at all. i think there's every year a new discussion about it. check out the archive ;-)
-steven
________________________________
From: swinog-bounces@lists.swinog.ch [mailto:swinog-bounces@lists.swinog.ch] On Behalf Of Daniel.Blaser@lkw.li Sent: Wednesday, February 14, 2007 3:35 PM To: swinog@swinog.ch Subject: [swinog] to SPF or not to SPF
Hi Maillist,
SPF is starting to become a topic at our company again - ^^ - and I'm now interested:
- who does not use SPF - who implemented SPF DNS entries - who uses SPF for matching - who fully uses SPF ^^ lolz
I'm just trying to get a general feeling again about what the community thinks about SPF.
Kind regards,
Daniel
Daniel.Blaser@lkw.li wrote:
I'm just trying to get a general feeling again about what the community thinks about SPF.
Here's my view:
Use DomainKeys instead of SPF. DomainKeys serves the same purpose, but doesn't share the fundamental brokenness of SPF.
SPF should be avoided because it's fundamentally broken: If you publish an SPF record with a "-all" directive (if you don't have that, SPF doesn't allow to reject forgeries, which makes SPF pretty pointless IMO) and you send mail to an email account on my mailserver via a forwarder (RFC1123 requires internet hosts to support mail forwarding, and it's a relatively widely used feature) your mail will bounce if my mailserver checks SPF unless I whitelist every host which forwards mail for one of my users. But that isn't feasible because I can't expect my users to understand the brokenness of SPF and tell me about each forwarder someone is using.
Greetings, Norbert.
Bonjour,
Norbert Bollow wrote:
Use DomainKeys instead of SPF. DomainKeys serves the same purpose, but doesn't share the fundamental brokenness of SPF.
And why not using the existing authentication protocol on outgoing smtp server ? So the sender can use the smtp server of the provider of its email address from any network and SPF can work without any problem.
Did i forget anything ?
Best regards,
Hello Bernard
That would be a nice solution, but explain that to a user...
cheers rog
Bernard Dugas schrieb:
Bonjour,
Norbert Bollow wrote:
Use DomainKeys instead of SPF. DomainKeys serves the same purpose, but doesn't share the fundamental brokenness of SPF.
And why not using the existing authentication protocol on outgoing smtp server ? So the sender can use the smtp server of the provider of its email address from any network and SPF can work without any problem.
Did i forget anything ?
Best regards,
Roger Buchwalder wrote:
That would be a nice solution, but explain that to a user...
We did it, and that was fine as they are only 2 boxes to click on outlook/outlookexpress, and still easy enough on mozilla/thunderbird with more mature users :-)
All are very happy as they don't have to change their outgoing smtp when they move.
We were also afraid at the beginning, and it is now a commercial advantage.
Best regard,
And why not using the existing authentication protocol on outgoing smtp server ? So the sender can use the smtp server of the provider of its email address from any network and SPF can work without any problem.
How would this solve the forwarding problem?
And how are you going to teach everybody to stop doing something that has been working fine for years?
Just have a look at http://old.openspf.org/srspng.html
Yieks!
Adrian Ulrich wrote:
And why not using the existing authentication protocol on outgoing smtp server ? So the sender can use the smtp server of the provider of its email address from any network and SPF can work without any problem.
How would this solve the forwarding problem?
Sorry, i don't understand the forwarding problem...
And how are you going to teach everybody to stop doing something that has been working fine for years?
We have sent an email and had some more calls during 1st week afer email. But you can take the rythm you want to make people change, as the 2 systems can work together.
Best regards,
On Wednesday 14. February 2007 22:15, Bernard Dugas wrote:
Adrian Ulrich wrote:
And why not using the existing authentication protocol on outgoing smtp server ? So the sender can use the smtp server of the provider of its email address from any network and SPF can work without any problem.
How would this solve the forwarding problem?
Sorry, i don't understand the forwarding problem...
http://en.wikipedia.org/wiki/Sender_Policy_Framework
And how are you going to teach everybody to stop doing something that has been working fine for years?
SPF has two major problems:
1. Serious design flaws (such as the forwarding problem).
2. Peopele who don't understand SPF. If the not-understandig is a mailserver admin it gets fatal (and lots of them are).
Both leads to legitimate rejected mail (And not just "some" false positives, sometimes complete domains get locked out by mailservers).
So consider....
* Think twice before publishing SPF Records for your Domains. There are admins in the wild who treat "neutral" as "hard fail".
* I use SPF to reject mails with spoofed origings from my private mailserver. The number of rejected mails because of failed SPF checks is less than one percent of all REJECTED email. If I wouldn't be doing it for studies about mail, SPAM and means against it I'd completely let it be. It's not worth the effort to support a standard which is broken by design and so rarely used.
Michi
Hi,
- Serious design flaws (such as the forwarding problem).
SPF is there to prevent mail with your sender envelope address to be relayed/forwarded by mailservers that are not meant to use your address. When you forward a mail in your MUA, you don't use the original sender in the From: header, do you? When a mailserver is relaying mail it is supposed to use its own sender envelope address. One possibility for that is SRS.
- Peopele who don't understand SPF. If the not-understandig is a
mailserver admin it gets fatal (and lots of them are).
Both leads to legitimate rejected mail (And not just "some" false positives, sometimes complete domains get locked out by mailservers).
So consider....
That is a problem which in not restricted to SPF. If a mailadmin doesn't know how to use an RBL and blocks everything, then he can't be helped.
- Think twice before publishing SPF Records for your Domains.
There are admins in the wild who treat "neutral" as "hard fail".
I haven't had the chance to be in this situation yet.
- I use SPF to reject mails with spoofed origings from my private
mailserver. The number of rejected mails because of failed SPF checks is less than one percent of all REJECTED email. If I wouldn't be doing it for studies about mail, SPAM and means against it I'd completely let it be. It's not worth the effort to support a standard which is broken by design and so rarely used.
If you consider SPF to be the solution against all kinds of SPAMs then you will indeed be disapointed. SPF is meant to prevent the abuse of your domain as mail envelope from address. There are still worms out there that use harvested e-mail addresses as sender. And when the people receiving this kind of spam come back to you, you can at least tell them: hey, we published spf records to show you which IPs are allowed to send mail with this envelope address. if you don't check it and accept the obvious forgery, then it's your problem.
Regards,
Jean-Pierre
Jean-Pierre Schwickerath wrote:
If you consider SPF to be the solution against all kinds of SPAMs then you will indeed be disapointed. SPF is meant to prevent the abuse of your domain as mail envelope from address. There are still worms out there that use harvested e-mail addresses as sender. And when the people receiving this kind of spam come back to you, you can at least tell them: hey, we published spf records to show you which IPs are allowed to send mail with this envelope address. if you don't check it and accept the obvious forgery, then it's your problem.
And in complement to that, if we give to our customers some outgoing smtp servers with authentification they can use from any hotel/wifi in the world, there is no more reason that any email with your domain-names are sent from other smtp servers than ours, published with SPF in DNS.
And the customer is happy because he doesn't have to change smtp server each time he travels :-)
Best regards,
Well, you'd think that would be true, but I travel frequently, and there are actually hotels that have outsourced their guest IP service to clueless operators that block outgoing traffic to port 25, and insist that one use their own SMTP server (about which they fail to tell you until you get one of their support people to answer the phone).
So I would suggest offering SMTP (AUTH) support on ports 25 and 26, just to be sure. fastmail.fm do this -- it's a real lifesaver. But fastmail alow and encourage their clients to send via their SMTP from any domain, which discourages the use of SPF in any meaningful way.
SMTP-After-Pop is pointless -- it is broken in Outlook up to 2003.
Charles
-----Original Message----- From: Bernard Dugas [mailto:bernard.dugas@is-production.com] Sent: Friday, February 16, 2007 8:47 AM To: swinog@swinog.ch Subject: Re: [swinog] to SPF or not to SPF
And in complement to that, if we give to our customers some outgoing smtp servers with authentification they can use from any hotel/wifi in the world, there is no more reason that any email with your domain-names are sent from other smtp servers than ours, published with SPF in DNS.
And the customer is happy because he doesn't have to change smtp server each time he travels :-)
So I would suggest offering SMTP (AUTH) support on ports 25 and 26, just to be sure.
No no no.
RFC: 2476:
| 3. Message Submission | 3.1. Submission Identification | | Port 587 is reserved for email message submission as specified in | this document. Messages received on this port are defined to be | submissions. The protocol used is ESMTP [SMTP-MTA, ESMTP], with | additional restrictions as specified here. | | While most email clients and servers can be configured to use port | 587 instead of 25, there are cases where this is not possible or | convenient. A site MAY choose to use port 25 for message submission, | by designating some hosts to be MSAs and others to be MTAs.
Port 587 has been widely deployed:
$ telnet smtpauth.bluewin.ch 587 $ telnet mail.gmx.net 587 $ telnet smtp.gmail.com 587
Inventing new ports < 1024 is just plain wrong.
Adrian,
Aren't you making an error in reflection (Überlegungsfehler)?
If the provider on which one is guesting has a policy to block outbound access from their network to all ports used for sending of mail, so that they can force one through their SMTP server for sake of control, micromanagement, or whatever, then (assuming they know about it), would they not then block official port 587 as well as port 25? That was the position I heard the 'customer service rep' take the last time I tried to solve such a problem through appeal to bureaucratic sensibility.
Of course non-standard allocation of a system port has its drawbacks, and one has to be aware that a new 'official' use might come along *and* be so wildly popular that the port might have to be freed for the official purpose. But that doesn't happen often. There are times when throwing rules at a problem doesn't add value.
If the problem one is to solve is to add value for one's customers in spite of a sandbagging bureaucracy who are never held responsible for their actions, there may be no other way. At least that is the thinking of fastmail, who have done what I recommended for years. I only recommended following their example as it has been going on for so long as to be come a 'standard' non-standard. Microsoft have proceeded similarly on many occasions, and have almost always gotten away with it.
Charles
-----Original Message----- From: Adrian Ulrich [mailto:swinog@blinkenlights.ch] Sent: Sunday, February 18, 2007 9:58 AM To: swinog@swinog.ch Subject: Re: [swinog] to SPF or not to SPF
So I would suggest offering SMTP (AUTH) support on ports 25 and 26, just
to
be sure.
No no no.
RFC: 2476:
| 3. Message Submission | 3.1. Submission Identification | | Port 587 is reserved for email message submission as specified in | this document. Messages received on this port are defined to be | submissions. The protocol used is ESMTP [SMTP-MTA, ESMTP], with | additional restrictions as specified here. | | While most email clients and servers can be configured to use port | 587 instead of 25, there are cases where this is not possible or | convenient. A site MAY choose to use port 25 for message submission, | by designating some hosts to be MSAs and others to be MTAs.
Port 587 has been widely deployed:
$ telnet smtpauth.bluewin.ch 587 $ telnet mail.gmx.net 587 $ telnet smtp.gmail.com 587
Inventing new ports < 1024 is just plain wrong.
If the provider on which one is guesting has a policy to block outbound access from their network to all ports used for sending of mail, so that they can force one through their SMTP server for sake of control, micromanagement, or whatever, then (assuming they know about it), would they not then block official port 587 as well as port 25? That was the position I heard the 'customer service rep' take the last time I tried to solve such a problem through appeal to bureaucratic sensibility.
What I'm going to say is not new, but I guess we have a lot of trouble with SMTP because the same port is used as well for the communication between 2 MTAs as for between a MUA and a MTA. I don't know about any provider that doesn't require smtp auth on port 587. ISPs should block outgoing connections to port 25 unless they know the source is a SMTP MTA. I guess this would mitigate a lot of zombies as it would force them to use the provider's smtp server (which does outbound spam/virus filtering and ISPs can easily identify their own customers). Alternatively the zombie would use a remote port 587 but it would require authentication so again the identification of the "owned" machine / user would be possible.
Jean-Pierre
would they not then block official port 587 as well as port 25? That was the position I heard the 'customer service rep' take the last time I tried to solve such a problem through appeal to bureaucratic sensibility.
There isn't really a (valid) reason to block port 587:
Blocking outgoing connections to port 25 may be done in order to block some zombie-networks (but IMO this is just silly.. will they also block port 80 soon to stop this blog-spamming? .. anyway ..)
..but you cannot spam using port 587 (unless you've been hijacking a valid account):
An smtpd running on port 587 must not accept mails from unauthenticated clients for any recipients:
Connected to smtpauth.bluewin.ch. 220 tr12.bluewin.ch ESMTP Service (Bluewin 7.3.121) ready helo bla 250 tr12.bluewin.ch mail from:<> 530 authentication required for mail submission
..only MUA/MSAs are supposed to use port 587.
Regards, Adrian
(Did anyone ever see/know an ISP blocking 587 ?)
Hi,
Jean-Pierre Schwickerath wrote:
If you consider SPF to be the solution against all kinds of SPAMs then you will indeed be disapointed. SPF is meant to prevent the abuse of your domain as mail envelope from address. There are still worms out there that use harvested e-mail addresses as sender. And when the people receiving this kind of spam come back to you, you can at least tell them: hey, we published spf records to show you which IPs are allowed to send mail with this envelope address. if you don't check it and accept the obvious forgery, then it's your problem.
And in complement to that, if we give to our customers some outgoing smtp servers with authentification they can use from any hotel/wifi in the world, there is no more reason that any email with your domain-names are sent from other smtp servers than ours, published with SPF in DNS.
And the customer is happy because he doesn't have to change smtp server each time he travels :-)
Best regards,
On Fri, Feb 16, 2007 at 08:31:15AM +0100, Jean-Pierre Schwickerath wrote:
Hi,
- Serious design flaws (such as the forwarding problem).
SPF is there to prevent mail with your sender envelope address to be relayed/forwarded by mailservers that are not meant to use your address. When you forward a mail in your MUA, you don't use the original sender in the From: header, do you? When a mailserver is relaying mail it is supposed to use its own sender envelope address. One possibility for that is SRS.
All mailing list forward mail with the original sender in the enveloppe and if you forward your mail on one server to another one with e.g. a simple .forward rule it will also re-use the same envelope from address. Forwarding mail is very common and it is important to use the same envelope form address in the forwarding path. Everybody who denies this fact does not understand the email system and the way bounces work.
All mailing list forward mail with the original sender in the enveloppe
Not true: Mails from the swinog-mailinglist reach my mailserver with swinog-bounces@lists.swinog.ch as sender envelope address
and if you forward your mail on one server to another one with e.g. a simple .forward rule it will also re-use the same envelope from address. Forwarding mail is very common and it is important to use the same envelope form address in the forwarding path. Everybody who denies this fact does not understand the email system and the way bounces work.
If you chose to forward mail this way, then you'd better make sure that the destination mail server doesn't apply spf checks for mails coming from the relaying server. or that the forwarding server rewrites the sender address.
If you're a provider that allows its users to forward their mail to remote addresses, then I'd advise you to use sender rewriting and thus offer your customers a reliable mail relaying. That's a marketing argument.
But in the end, everyone can do whatever they want to do ;-)
Jean-Pierre
On Fri, Feb 16, 2007 at 09:52:12AM +0100, Jean-Pierre Schwickerath wrote:
All mailing list forward mail with the original sender in the enveloppe
Not true: Mails from the swinog-mailinglist reach my mailserver with swinog-bounces@lists.swinog.ch as sender envelope address
Jup, my bad that's true most use some sort of VERPs. Unless it is a simple distribution list.
and if you forward your mail on one server to another one with e.g. a simple .forward rule it will also re-use the same envelope from address. Forwarding mail is very common and it is important to use the same envelope form address in the forwarding path. Everybody who denies this fact does not understand the email system and the way bounces work.
If you chose to forward mail this way, then you'd better make sure that the destination mail server doesn't apply spf checks for mails coming from the relaying server. or that the forwarding server rewrites the sender address.
If you're a provider that allows its users to forward their mail to remote addresses, then I'd advise you to use sender rewriting and thus offer your customers a reliable mail relaying. That's a marketing argument.
Woohoo. Breaking something and then requiring others to fix it for you and labeling something that is less reliable as "reliable". Let's see, I think that's summing it up perfectly: http://www.idrewthis.org/d/20060619.html
But in the end, everyone can do whatever they want to do ;-)
No they can't because of self-appointed Anti-SPAM marshals breaking deliberatly official standards causing marjor pain to others.
Hi Swinoger,
Thanks for the discussion so far. My original intend to do a post asking about SPF was to get a general feeling about what the community thinks. It seems to me, that there is still a lot of mistrust considering the efficency around. To be honest I was really surprised reading comments sounding like "does not solve spam problem", "watch out postmasters implementing it wrong" and so on. Come on guys. I'm certainly not the one implementing it and then fully discarding mails by the means of SPF. When I wrote my origial post there was a customer getting many bounces because of his domain being used to forge. Sure, SPF does not prevent the misuse of my customer's domain, but it helps in by other means. Aren't AOL, GMX, Yahoo, Web.de and other freemailers checking for it and giving their Webmail user a hint, when the mail was sent over a mailserver other than stated via SPF entry? Imho, preety useful for banks fighting phishing mails.
Ah before I forget: just because it is not the "EierlegendeWollMilchSau", don't tell it's broken.
Kind regards from the Fürstentum ...,
Daniel ... and not from the Fürst! (Who gets it?) ;F
Nowadays, every sicko can buy a .com domain for 9$ or even less. Spammers buy domains, put correct SPF records in their zonefiles and throw the domain away afterwards... (just like you did with hotmail accounts a few years back :-))
So IMHO DNS based spam fighting doesn't work. At least not the SPF way...
Cheers, Viktor
Bernard Dugas wrote:
Bonjour,
Norbert Bollow wrote:
Use DomainKeys instead of SPF. DomainKeys serves the same purpose, but doesn't share the fundamental brokenness of SPF.
And why not using the existing authentication protocol on outgoing smtp server ? So the sender can use the smtp server of the provider of its email address from any network and SPF can work without any problem.
Did i forget anything ?
Best regards,
Viktor Steinmann wrote:
Nowadays, every sicko can buy a .com domain for 9$ or even less. Spammers buy domains, put correct SPF records in their zonefiles and throw the domain away afterwards... (just like you did with hotmail accounts a few years back :-))
Sure, but at least, I know that no spamming is coming from my users and my outgoing smtp : small satisfaction for a small network :-)
But i can imagine large networks will not even care about that...
Best regards,
--- Bernard Dugas bernard.dugas@is-production.com wrote:
Sure, but at least, I know that no spamming is coming from my users and my outgoing smtp : small satisfaction for a small network :-)
what we did for a cable access network, is http://policyd.sourceforge.net/ configured for rate control. If a sender from a local dynamic IP pool sends more than 1000 emails in 15 minutes, its IP is automatically blocked for 24 hours, and the admins get a notifications. The admins were spending hours per week clearing the mailqueue and fighting the spambots, now they are no longer bothered.
In addition, the same policy daemon does greylisting on incoming email, and filters lots of incoming spam.
That's a great tool, but its internal design is a bit weak. I would gladly re-implement it if somebody would pay my time :)
Am 14.02.2007 um 21:59 schrieb Viktor Steinmann:
Nowadays, every sicko can buy a .com domain for 9$ or even less. Spammers buy domains, put correct SPF records in their zonefiles and throw the domain away afterwards... (just like you did with hotmail accounts a few years back :-))
So IMHO DNS based spam fighting doesn't work. At least not the SPF way...
that's not strictly true. I'm considering SPF because of all the postmaster-bound back-scatter from stupid penny-stock Spammers that abuse one of my domains.
Cheers, -daniel
-
Adrian Ulrich -
Bernard Dugas -
Charles Buckley -
Claudio Jeker -
Daniel G. Kluge -
Daniel.Blaser@lkw.li -
Jean-Pierre Schwickerath -
Michael Naef -
Mike Kellenberger -
Norbert Bollow -
Richard Klingler -
Roger Buchwalder -
Stanislav Sinyagin -
Steven.Glogger@swisscom.com -
Viktor Steinmann