public inbox for linux-kernel@vger.kernel.org
* VGER does gradual SPF activation  (FAQ matter)
@ 2006-06-10 22:27 Matti Aarnio
  2006-06-10 23:06 ` David Woodhouse
                   ` (5 more replies)
  0 siblings, 6 replies; 101+ messages in thread
From: Matti Aarnio @ 2006-06-10 22:27 UTC (permalink / raw)
  To: linux-kernel

Now that there is even an RFC published about SPF...


What is SPF ?

It is one way to ensure that at SMTP transport level the claimed
message source domain is valid, and message is coming from place
where origination domain's administrator has declared that are valid
source servers for emails claiming to be of that domain.


It does NOT verify that SMTP origination local part is true. 

It does NOT verify message visible headers.

Several people have written MTA configurations that test arriving email
visible "From:" (and sometimes "Sent:") header against SPF data and
actually violate SPF specification doing that!
(We have routinely kicked subscribers with that bug from lists..)


What it gives ?

It gives us a way to tell the world, that emails claiming to be
coming from VGER should be accepted only when they really are
coming from vger. (Complications like recipients incoming MX
relays are not _our_ problem..)

We might get slight reduction of back falling junk at vger with
that - reduction increases when people begin to deploy the SPF
verification more and more widely into their receiving email servers.
(And do it correctly...)



Will VGER begin to verify SPF in incoming email ?

Yes, sometime this summer.



What will break ?

You really should go and read SPF documents and guides and FAQs at:
    http://spf.pobox.com/

Very little will break, but one should really consider converting
their email sending methodology to one, which uses fewest possible
number of servers, publish that data in DNS, and always send all
emails thru those servers.

In longer run the amount of irresponsible (incurable) network security
holes (known as Windows) shows no sign of becoming extinct at adsl -lines,
so there will be increased pressure to demand sender identification
(and verification) during email sending - viruses can't do that yet...
And when they learn, user with infection can be trivially identified
and contacted/blocked.  At the same time I do find it most likely that
ADSL-lines (and modems) will no longer be allowed to send _anywhere_
over plain SMTP.

In order to be able to send email, a "SUBMISSION" protocol does exist,
and is relatively easy to get working with for example the Thunderbird.
Better would be having a button "use submission service" in its account
setup..   (And similar in Outlook/O.Express...)


/Matti Aarnio -- one of  postmaster at vger.kernel.org

^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation  (FAQ matter)
  2006-06-10 22:27 VGER does gradual SPF activation (FAQ matter) Matti Aarnio
@ 2006-06-10 23:06 ` David Woodhouse
  2006-06-11  0:16   ` Rik van Riel
                     ` (2 more replies)
  2006-06-11 16:02 ` Folkert van Heusden
                   ` (4 subsequent siblings)
  5 siblings, 3 replies; 101+ messages in thread
From: David Woodhouse @ 2006-06-10 23:06 UTC (permalink / raw)
  To: Matti Aarnio; +Cc: linux-kernel

On Sun, 2006-06-11 at 01:27 +0300, Matti Aarnio wrote:
> Now that there is even an RFC published about SPF...

Please, don't do this. SPF makes assumptions about email which are just
not true; it rejects perfectly valid mail.

http://david.woodhou.se/why-not-spf.html

-- 
dwmw2



* Re: VGER does gradual SPF activation  (FAQ matter)
  2006-06-10 23:06 ` David Woodhouse
@ 2006-06-11  0:16   ` Rik van Riel
  2006-06-11  0:44     ` David Woodhouse
  2006-06-11 13:02     ` Theodore Tso
  2006-06-11  2:24   ` marty fouts
  2006-06-11  5:09   ` Neil Brown
  2 siblings, 2 replies; 101+ messages in thread
From: Rik van Riel @ 2006-06-11  0:16 UTC (permalink / raw)
  To: David Woodhouse; +Cc: Matti Aarnio, linux-kernel

On Sun, 11 Jun 2006, David Woodhouse wrote:
> On Sun, 2006-06-11 at 01:27 +0300, Matti Aarnio wrote:
> > Now that there is even an RFC published about SPF...
> 
> Please, don't do this. SPF makes assumptions about email which are just
> not true; it rejects perfectly valid mail.
> 
> http://david.woodhou.se/why-not-spf.html

Think about it for a second.  Do you *really* want those
something@alumni.mit.edu people on lkml? :)

*runs*

-- 
All Rights Reversed


* Re: VGER does gradual SPF activation  (FAQ matter)
  2006-06-11  0:16   ` Rik van Riel
@ 2006-06-11  0:44     ` David Woodhouse
  2006-06-11 13:02     ` Theodore Tso
  1 sibling, 0 replies; 101+ messages in thread
From: David Woodhouse @ 2006-06-11  0:44 UTC (permalink / raw)
  To: Rik van Riel; +Cc: Matti Aarnio, linux-kernel

On Sat, 2006-06-10 at 20:16 -0400, Rik van Riel wrote:
> Think about it for a second.  Do you *really* want those
> something@alumni.mit.edu people on lkml? :) 

I'd rather not exclude them by making ill-conceived, unilateral and
incompatible changes to the way that SMTP email works.

-- 
dwmw2



* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-10 23:06 ` David Woodhouse
  2006-06-11  0:16   ` Rik van Riel
@ 2006-06-11  2:24   ` marty fouts
  2006-06-11  2:41     ` jdow
  2006-06-12  8:27     ` Bernd Petrovitsch
  2006-06-11  5:09   ` Neil Brown
  2 siblings, 2 replies; 101+ messages in thread
From: marty fouts @ 2006-06-11  2:24 UTC (permalink / raw)
  To: David Woodhouse; +Cc: Matti Aarnio, linux-kernel

On 6/10/06, David Woodhouse <dwmw2@infradead.org> wrote:
> On Sun, 2006-06-11 at 01:27 +0300, Matti Aarnio wrote:
> > Now that there is even an RFC published about SPF...
>
> Please, don't do this. SPF makes assumptions about email which are just
> not true; it rejects perfectly valid mail.
>
> http://david.woodhou.se/why-not-spf.html
>
> --
> dwmw2

I agree.

Further, while there is an RFC for SPF, it is an RFC for an
experimental protocol. In addition to what David points out in his web
site, SPF is controversial, and is in competition with other
approaches.  (See RFC 4408.)

It's not widely deployed. It doesn't work. It'll break standard-abiding email.

Do you really want that?


* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-11  2:24   ` marty fouts
@ 2006-06-11  2:41     ` jdow
  2006-06-11  2:58       ` David Schwartz
  2006-06-12  8:27     ` Bernd Petrovitsch
  1 sibling, 1 reply; 101+ messages in thread
From: jdow @ 2006-06-11  2:41 UTC (permalink / raw)
  To: marty fouts, David Woodhouse; +Cc: Matti Aarnio, linux-kernel

From: "marty fouts" <mf.danger@gmail.com>

> On 6/10/06, David Woodhouse <dwmw2@infradead.org> wrote:
>> On Sun, 2006-06-11 at 01:27 +0300, Matti Aarnio wrote:
>> > Now that there is even an RFC published about SPF...
>>
>> Please, don't do this. SPF makes assumptions about email which are just
>> not true; it rejects perfectly valid mail.
>>
>> http://david.woodhou.se/why-not-spf.html
>>
>> --
>> dwmw2
> 
> I agree.
> 
> Further, while there is an RFC for SPF, it is an RFC for an
> experimental protocol. In addition to what David points out in his web
> site, SPF is controversial, and is in competition with other
> approaches.  (See RFC 4408.)
> 
> It's not widely deployed. It doesn't work. It'll break standard-abiding email.
> 
> Do you really want that?

Rather than inject emotions let's play a little bit with facts. These are
excerpts from a SpamAssassin report for about 82000 emails.

TOP SPAM RULES FIRED
------------------------------------------------------------
RANK    RULE NAME              COUNT %OFRULES %OFMAIL %OFSPAM  %OFHAM
------------------------------------------------------------
  49    SPF_SOFTFAIL           1804     0.42    2.20    8.31    0.01
  72    SPF_HELO_PASS          1112     0.26    1.36    5.13   47.45
  78    SPF_PASS                994     0.23    1.21    4.58   45.53
  92    SPF_HELO_SOFTFAIL       772     0.18    0.94    3.56    0.03
 113    SPF_FAIL                589     0.14    0.72    2.71    0.00
 177    SPF_HELO_FAIL           352     0.08    0.43    1.62    0.00

Stated from the opposite view

TOP HAM RULES FIRED
------------------------------------------------------------
RANK    RULE NAME              COUNT %OFRULES %OFMAIL %OFSPAM  %OFHAM
------------------------------------------------------------
   5    SPF_HELO_PASS          28563     7.20   34.88    5.13   47.45
   6    SPF_PASS               27409     6.90   33.47    4.58   45.53

And so forth.

People here should be smart enough to draw their own conclusions from
raw data.

IMAO, on the whole SPF is not a tool sufficiently good to use as a tool
for rejecting email in and of itself. It is good as a part of a full
anti-spam suite in a half hearted manner. A pass MAY be worthy of a
small negative score for a tool like SpamAssassin. A fail of any kind
is not worth much more than ignoring the fact that it happened. It is
most useful in conjunction with other rejection tools that are based
on identity - typically IP block lists.

As it turns out it has proven quite simple for spammers to get around
with DNS cache poisoning and other techniques. One such trick is a
false DNS record that has an spf record allowing access to the entire
IP world.

Using SPF exclusively is as silly a mug's game as relying 100% on
the likes of SORBS.

{^_^}   Joanne Dow said that.


* RE: VGER does gradual SPF activation (FAQ matter)
  2006-06-11  2:41     ` jdow
@ 2006-06-11  2:58       ` David Schwartz
  2006-06-11  5:17         ` jdow
  0 siblings, 1 reply; 101+ messages in thread
From: David Schwartz @ 2006-06-11  2:58 UTC (permalink / raw)
  To: jdow; +Cc: linux-kernel



> Rather than inject emotions let's play a little bit with facts. These are
> excerpts from a SpamAssassin report for about 82000 emails.
>
> TOP SPAM RULES FIRED
> ------------------------------------------------------------
> RANK    RULE NAME              COUNT %OFRULES %OFMAIL %OFSPAM  %OFHAM
> ------------------------------------------------------------
>   49    SPF_SOFTFAIL           1804     0.42    2.20    8.31    0.01
>   72    SPF_HELO_PASS          1112     0.26    1.36    5.13   47.45
>   78    SPF_PASS                994     0.23    1.21    4.58   45.53
>   92    SPF_HELO_SOFTFAIL       772     0.18    0.94    3.56    0.03
>  113    SPF_FAIL                589     0.14    0.72    2.71    0.00
>  177    SPF_HELO_FAIL           352     0.08    0.43    1.62    0.00
>
> Stated from the opposite view
>
> TOP HAM RULES FIRED
> ------------------------------------------------------------
> RANK    RULE NAME              COUNT %OFRULES %OFMAIL %OFSPAM  %OFHAM
> ------------------------------------------------------------
>    5    SPF_HELO_PASS          28563     7.20   34.88    5.13   47.45
>    6    SPF_PASS               27409     6.90   33.47    4.58   45.53
>
> And so forth.
>
> People here should be smart enough to draw their own conclusions from
> raw data.

	Yeah, that you measured the wrong thing. SPF does not distinguish spam from
non-spam.

	What percentage of emails with forged sender addresses passed an SPF check?
What percentage of emails with forged sender addresses failed an SPF check?
What percentage of emails that correctly identified their senders passed an
SPF check? What percentage of emails that correctly identified their senders
failed an SPF check?

	SPF is an anti-forgery tool. It helps to prevent joe-jobs and false claims
of being the victim of a joe-job.

	DS




* Re: VGER does gradual SPF activation  (FAQ matter)
  2006-06-10 23:06 ` David Woodhouse
  2006-06-11  0:16   ` Rik van Riel
  2006-06-11  2:24   ` marty fouts
@ 2006-06-11  5:09   ` Neil Brown
  2006-06-11  5:26     ` jdow
  2 siblings, 1 reply; 101+ messages in thread
From: Neil Brown @ 2006-06-11  5:09 UTC (permalink / raw)
  To: David Woodhouse; +Cc: Matti Aarnio, linux-kernel

On Sunday June 11, dwmw2@infradead.org wrote:
> On Sun, 2006-06-11 at 01:27 +0300, Matti Aarnio wrote:
> > Now that there is even an RFC published about SPF...
> 
> Please, don't do this. SPF makes assumptions about email which are just
> not true; it rejects perfectly valid mail.
> 
> http://david.woodhou.se/why-not-spf.html

Conversely, please do do this :-)

I agree with David that SPF breaks mail-as-we-know-it, but I cannot
help thinking that mail-as-we-know-it is way too permissive and bits
of it need to be broken (the old egg/omelette analogy).

And I think that kernel.org is a great place to start with pushing
SPF, because if a few mail items go astray to-or-from it really isn't
the end of the world.

- kernel.org should publish very strict SPF records that sites with
  any gumption can reject forged mail claiming to be from kernel.org.
  If systems drop mail incorrectly because of this, the end-recipient
  can follow linux-kernel any number of other ways, and can badger
  their local admins to "get it right".

- kernel.org should reject mail that earns an SPF 'fail' and should
  grey-list mail that earns an SPF 'softfail' (so the sending system
  will have to retry once). Any mail that incorrectly gets rejected
  will hopefully have a link to a web page that explains the problem
  and lists a number of free-mail sites where anyone can sign up and
  safely send mail to kernel.org.  So people who need to get mail
  through still can, while they complain to their admins about
  configuring things properly.

I think kernel.org is a great site to be an early adopter because:
  - the mail it transports isn't critical
  - it interacts with a very large number of mail sites
  - its customers are reasonably technology-savvy.

sourceforge would be another good site.


(No, SPF doesn't stop spam, but it can increase accountability so that
white/black lists can begin to be more usable).

NeilBrown


* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-11  2:58       ` David Schwartz
@ 2006-06-11  5:17         ` jdow
  2006-06-12  8:18           ` Bernd Petrovitsch
  0 siblings, 1 reply; 101+ messages in thread
From: jdow @ 2006-06-11  5:17 UTC (permalink / raw)
  To: davids; +Cc: linux-kernel

From: "David Schwartz" <davids@webmaster.com>

>> Rather than inject emotions let's play a little bit with facts. These are
>> excerpts from a SpamAssassin report for about 82000 emails.
>>
>> TOP SPAM RULES FIRED
>> ------------------------------------------------------------
>> RANK    RULE NAME              COUNT %OFRULES %OFMAIL %OFSPAM  %OFHAM
>> ------------------------------------------------------------
>>   49    SPF_SOFTFAIL           1804     0.42    2.20    8.31    0.01
>>   72    SPF_HELO_PASS          1112     0.26    1.36    5.13   47.45
>>   78    SPF_PASS                994     0.23    1.21    4.58   45.53
>>   92    SPF_HELO_SOFTFAIL       772     0.18    0.94    3.56    0.03
>>  113    SPF_FAIL                589     0.14    0.72    2.71    0.00
>>  177    SPF_HELO_FAIL           352     0.08    0.43    1.62    0.00
>>
>> Stated from the opposite view
>>
>> TOP HAM RULES FIRED
>> ------------------------------------------------------------
>> RANK    RULE NAME              COUNT %OFRULES %OFMAIL %OFSPAM  %OFHAM
>> ------------------------------------------------------------
>>    5    SPF_HELO_PASS          28563     7.20   34.88    5.13   47.45
>>    6    SPF_PASS               27409     6.90   33.47    4.58   45.53
>>
>> And so forth.
>>
>> People here should be smart enough to draw their own conclusions from
>> raw data.
> 
> Yeah, that you measured the wrong thing. SPF does not distinguish spam from
> non-spam.
> 
> What percentage of emails with forged sender addresses passed an SPF check?
> What percentage of emails with forged sender addresses failed an SPF check?
> What percentage of emails that correctly identified their senders passed an
> SPF check? What percentage of emails that correctly identified their senders
> failed an SPF check?
> 
> SPF is an anti-forgery tool. It helps to prevent joe-jobs and false claims
> of being the victim of a joe-job.

I'll add to my offlist reply - SPF can be forged, as I noted. And it
really does not matter at all if you have a good or bad SPF record. It
does not tell you whether or not a message is to be accepted or rejected,
has bountiful information content or is a troll, or anything else for
that matter. It simply says, "When I went and looked at the guy's claimed
mail source the spf record said he was who he said he was." Who vouches
for the spf record? It seems tautological for me to stand before you
ladies and gentlemen here and ingenuously proclaim that I am who I
proclaim I am because I have vouched for myself with an spf record
I created for myself. This is what spammers did for awhile. That has
dropped off because it didn't help them and didn't much hurt them
either.

This is a LONG AGO dead discussion on the SpamAssassin user's list.
Those arguing about this issue should dig through the old message
archives on the list.

It is probably a good thing for VGER to vouch for its own mailing.
It is not much of a good thing for VGER to do anything else about SPF.

{^_^}   Joanne Dow said that.


* Re: VGER does gradual SPF activation  (FAQ matter)
  2006-06-11  5:09   ` Neil Brown
@ 2006-06-11  5:26     ` jdow
  2006-06-11  6:12       ` Willy Tarreau
  0 siblings, 1 reply; 101+ messages in thread
From: jdow @ 2006-06-11  5:26 UTC (permalink / raw)
  To: Neil Brown, David Woodhouse; +Cc: Matti Aarnio, linux-kernel

From: "Neil Brown" <neilb@suse.de>

> On Sunday June 11, dwmw2@infradead.org wrote:
>> On Sun, 2006-06-11 at 01:27 +0300, Matti Aarnio wrote:
>> > Now that there is even an RFC published about SPF...
>> 
>> Please, don't do this. SPF makes assumptions about email which are just
>> not true; it rejects perfectly valid mail.
>> 
>> http://david.woodhou.se/why-not-spf.html
> 
> Conversely, please do do this :-)
> 
> I agree with David that SPF breaks mail-as-we-know-it, but I cannot
> help thinking that mail-as-we-know-it is way too permissive and bits
> of it need to be broken (the old egg/omelette analogy).
> 
> And I think that kernel.org is a great place to start with pushing
> SPF, because if a few mail items go astray to-or-from it really isn't
> the end of the world.
> 
> - kernel.org should publish very strict SPF records that sites with
>  any gumption can reject forged mail claiming to be from kernel.org.
>  If systems drop mail incorrectly because of this, the end-recipient
>  can follow linux-kernel any number of other ways, and can badger
>  their local admins to "get it right".

Sir, I've been doing this for years already using primary source
information - the trackable message headers. So far forgeries are
not a problem. It becomes quite obvious when a message has forged
headers, obvious enough automated analysis works remarkably well.

> - kernel.org should reject mail that earns an SPF 'fail' and should
>  grey-list mail that earns an SPF 'softfail' (so the sending system
>  will have to retry once). Any mail that incorrectly gets rejected
>  will hopefully have a link to a web page that explains the problem
>  and lists a number of free-mail sites where anyone can sign up and
>  safely send mail to kernel.org.  So people who need to get mail
>  through still can, while they complain to their admins about
>  configuring things properly.

No sir. FAIL and SOFT_FAIL prove nothing. PASS proves remarkably
little. SPF is not a good criterion for much of anything.

> I think kernel.org is a great site to be an early adopter because:
>  - the mail it transports isn't critical
>  - it interacts with a very large number of mail sites
>  - its customers are reasonably technology-savvy.

It would be a good site to adopt it outgoing. But adopting it as an
incoming message filter is silly.

> sourceforge would be another good site.
> 
> 
> (No, SPF doesn't stop spam, but it can increase accountability so that
> white/black lists can begin to be more usable).

It does not even do that conclusively. Many of us wish it did. But if
a spammer can post his own spf records he can claim what he wants
about email sources. DNS cache poisoning attacks assure that this can
take place even for sites you might control.

{^_^}   Joanne Dow said that. Seriously, I recommend a pass through the
        old SpamAssassin users mailing list for past discussions. An
        SPF_HELO_SOFTFAIL is the only thing given a sizeable score.


* Re: VGER does gradual SPF activation  (FAQ matter)
  2006-06-11  5:26     ` jdow
@ 2006-06-11  6:12       ` Willy Tarreau
  0 siblings, 0 replies; 101+ messages in thread
From: Willy Tarreau @ 2006-06-11  6:12 UTC (permalink / raw)
  To: jdow; +Cc: Neil Brown, David Woodhouse, Matti Aarnio, linux-kernel

Hi,

On Sat, Jun 10, 2006 at 10:26:19PM -0700, jdow wrote:
 
> No sir. FAIL and SOFT_FAIL prove nothing. PASS proves remarkably
> little. SPF is not a good criterion for much of anything.
> 
> >I think kernel.org is a great site to be an early adopter because:
> > - the mail it transports isn't critical
> > - it interacts with a very large number of mail sites
> > - its customers are reasonably technology-savvy.
> 
> It would be a good site to adopt it outgoing. But adopting it as an
> incoming message filter is silly.

So by your definition, this method is useful only on outgoing emails
but never on incoming ones. I fail to see how it might be useful
outgoing if nobody checks incoming emails...

> >(No, SPF doesn't stop spam, but it can increase accountability so that
> >white/black lists can begin to be more usable).
> 
> It does not even do that conclusively. Many of us wish it did. But if
> a spammer can post his own spf records he can claim what he wants
> about email sources. DNS cache poisoning attacks assure that this can
> take place even for sites you might control.

I think that *nobody* can tell whether the result will have positive
or negative effect. This list is populated by technical people who
will be able to participate in the test. A first approach would be
to add a header to the incoming emails telling how they have been
classified, so that people know if their config could lead them to
being blocked in the future. If, after a long test period, we notice
that it causes lots of false positives and that spams still don't
get detected, it may be time to give up on this method. Conversely,
if it turns out that only spam gets detected and that we have no
false positives, why not go one step further then ?

> {^_^}   Joanne Dow said that. Seriously, I recommend a pass through the
>        old SpamAssassin users mailing list for past discussions. An
>        SPF_HELO_SOFTFAIL is the only thing given a sizeable score.

Regards,
Willy



* Re: VGER does gradual SPF activation  (FAQ matter)
  2006-06-11  0:16   ` Rik van Riel
  2006-06-11  0:44     ` David Woodhouse
@ 2006-06-11 13:02     ` Theodore Tso
  2006-06-11 13:55       ` Rik van Riel
  1 sibling, 1 reply; 101+ messages in thread
From: Theodore Tso @ 2006-06-11 13:02 UTC (permalink / raw)
  To: Rik van Riel; +Cc: David Woodhouse, Matti Aarnio, linux-kernel

On Sat, Jun 10, 2006 at 08:16:24PM -0400, Rik van Riel wrote:
> On Sun, 11 Jun 2006, David Woodhouse wrote:
> > On Sun, 2006-06-11 at 01:27 +0300, Matti Aarnio wrote:
> > > Now that there is even an RFC published about SPF...
> > 
> > Please, don't do this. SPF makes assumptions about email which are just
> > not true; it rejects perfectly valid mail.
> > 
> > http://david.woodhou.se/why-not-spf.html
> 
> Think about it for a second.  Do you *really* want those
> something@alumni.mit.edu people on lkml? :)

Actually, I post as "tytso@mit.edu" (but always relayed through my
mail relay at thunk.org).  :-)

						- Ted


* Re: VGER does gradual SPF activation  (FAQ matter)
  2006-06-11 13:02     ` Theodore Tso
@ 2006-06-11 13:55       ` Rik van Riel
  2006-06-11 14:03         ` Avi Kivity
  0 siblings, 1 reply; 101+ messages in thread
From: Rik van Riel @ 2006-06-11 13:55 UTC (permalink / raw)
  To: Theodore Tso; +Cc: David Woodhouse, Matti Aarnio, linux-kernel

On Sun, 11 Jun 2006, Theodore Tso wrote:

> Actually, I post as "tytso@mit.edu" (but always relayed through my
> mail relay at thunk.org).  :-)

That will no longer work reliably if Matti enables SPF, 
since thunker.thunk.org is not in the mit.edu SPF record.
At least it's not a -all...

-- 
All Rights Reversed


* Re: VGER does gradual SPF activation  (FAQ matter)
  2006-06-11 13:55       ` Rik van Riel
@ 2006-06-11 14:03         ` Avi Kivity
  2006-06-12  8:47           ` Matthias Andree
  0 siblings, 1 reply; 101+ messages in thread
From: Avi Kivity @ 2006-06-11 14:03 UTC (permalink / raw)
  To: Rik van Riel; +Cc: Theodore Tso, David Woodhouse, Matti Aarnio, linux-kernel

Rik van Riel wrote:
>
> On Sun, 11 Jun 2006, Theodore Tso wrote:
>
> > Actually, I post as "tytso@mit.edu" (but always relayed through my
> > mail relay at thunk.org).  :-)
>
> That will no longer work reliably if Matti enables SPF,
> since thunker.thunk.org is not in the mit.edu SPF record.
> At least it's not a -all...
>

Can't it be corrected by having the thunk.org MTA relay messages from 
@mit.edu through the MIT MTA? Presumably the MIT MTA will only be open 
to authenticated users.

-- 
error compiling committee.c: too many arguments to function



* Re: VGER does gradual SPF activation  (FAQ matter)
  2006-06-10 22:27 VGER does gradual SPF activation (FAQ matter) Matti Aarnio
  2006-06-10 23:06 ` David Woodhouse
@ 2006-06-11 16:02 ` Folkert van Heusden
  2006-06-11 17:54   ` Lee Revell
  2006-06-11 17:31 ` Marc Perkel
                   ` (3 subsequent siblings)
  5 siblings, 1 reply; 101+ messages in thread
From: Folkert van Heusden @ 2006-06-11 16:02 UTC (permalink / raw)
  To: Matti Aarnio; +Cc: linux-kernel

Hmmm.
What about using spamhaus.org sbl+xbl list?
I used to receive 1200 spam messages a day, with spamhaus only half of
that.

On Sun, Jun 11, 2006 at 01:27:34AM +0300, Matti Aarnio wrote:
> Now that there is even an RFC published about SPF...
> 
> 
> What is SPF ?
> 
> It is one way to ensure that at SMTP transport level the claimed
> message source domain is valid, and message is coming from place
> where origination domain's administrator has declared that are valid
> source servers for emails claiming to be of that domain.
> 
> 
> It does NOT verify that SMTP origination local part is true. 
> 
> It does NOT verify message visible headers.
> 
> Several people have written MTA configurations that test arriving email
> visible "From:" (and sometimes "Sent:") header against SPF data and
> actually violate SPF specification doing that!
> (We have routinely kicked subscribers with that bug from lists..)
> 
> 
> What it gives ?
> 
> It gives us a way to tell the world, that emails claiming to be
> coming from VGER should be accepted only when they really are
> coming from vger. (Complications like recipients incoming MX
> relays are not _our_ problem..)
> 
> We might get slight reduction of back falling junk at vger with
> that - reduction increases when people begin to deploy the SPF
> verification more and more widely into their receiving email servers.
> (And do it correctly...)
> 
> 
> 
> Will VGER begin to verify SPF in incoming email ?
> 
> Yes, sometime this summer.
> 
> 
> 
> What will break ?
> 
> You really should go and read SPF documents and guides and FAQs at:
>     http://spf.pobox.com/
> 
> Very little will break, but one should really consider converting
> their email sending methodology to one, which uses fewest possible
> number of servers, publish that data in DNS, and always send all
> emails thru those servers.
> 
> In longer run the amount of irresponsible (incurable) network security
> holes (known as Windows) shows no sign of becoming extinct at adsl -lines,
> so there will be increased pressure to demand sender identification
> (and verification) during email sending - viruses can't do that yet...
> And when they learn, user with infection can be trivially identified
> and contacted/blocked.  At the same time I do find it most likely that
> ADSL-lines (and modems) will no longer be allowed to send _anywhere_
> over plain SMTP.
> 
> In order to be able to send email, a "SUBMISSION" protocol does exist,
> and is relatively easy to get working with for example the Thunderbird.
> Better would be having a button "use submission service" in its account
> setup..   (And similar in Outlook/O.Express...)
> 
> 
> /Matti Aarnio -- one of  postmaster at vger.kernel.org


Folkert van Heusden

-- 
Ever wonder what is out there? Any alien races? Then please support
the seti@home project: setiathome.ssl.berkeley.edu
----------------------------------------------------------------------
Phone: +31-6-41278122, PGP-key: 1F28D8AE, www.vanheusden.com


* Re: VGER does gradual SPF activation  (FAQ matter)
  2006-06-10 22:27 VGER does gradual SPF activation (FAQ matter) Matti Aarnio
  2006-06-10 23:06 ` David Woodhouse
  2006-06-11 16:02 ` Folkert van Heusden
@ 2006-06-11 17:31 ` Marc Perkel
  2006-06-11 18:50 ` Florian Weimer
                   ` (2 subsequent siblings)
  5 siblings, 0 replies; 101+ messages in thread
From: Marc Perkel @ 2006-06-11 17:31 UTC (permalink / raw)
  To: Matti Aarnio; +Cc: linux-kernel

While I support your desire to get rid of spam, SPF doesn't work. It's 
hopelessly broken and it needs to die in favor of some real solution. 
I'm in the spam filtering business http://www.junkemailfilter.com and I 
tried hard to get anything useful out of this technology and it's just 
plain useless.



* Re: VGER does gradual SPF activation  (FAQ matter)
  2006-06-11 16:02 ` Folkert van Heusden
@ 2006-06-11 17:54   ` Lee Revell
  2006-06-11 18:54     ` David Miller
  0 siblings, 1 reply; 101+ messages in thread
From: Lee Revell @ 2006-06-11 17:54 UTC (permalink / raw)
  To: Folkert van Heusden; +Cc: Matti Aarnio, linux-kernel

On Sun, 2006-06-11 at 18:02 +0200, Folkert van Heusden wrote:
> Hmmm.
> What about using spamhaus.org sbl+xbl list?
> I used to receive 1200 spam messages a day, with spamhaus only half of
> that.

What about doing nothing?  The percentage of spam on LKML is vanishingly
small.

Lee



* Re: VGER does gradual SPF activation  (FAQ matter)
  2006-06-10 22:27 VGER does gradual SPF activation (FAQ matter) Matti Aarnio
                   ` (2 preceding siblings ...)
  2006-06-11 17:31 ` Marc Perkel
@ 2006-06-11 18:50 ` Florian Weimer
       [not found] ` <20060611072223.GA16150@flint.arm.linux.org.uk>
  2006-06-12  9:05 ` Matthias Andree
  5 siblings, 0 replies; 101+ messages in thread
From: Florian Weimer @ 2006-06-11 18:50 UTC (permalink / raw)
  To: Matti Aarnio; +Cc: linux-kernel

* Matti Aarnio:

> What will break ?
>
> You really should go and read SPF documents and guides and FAQs at:
>     http://spf.pobox.com/

The SPF specification is extremely loose, and it is hard to predict
for SPF record owners how their policy indications are interpreted.

For example, will you treat SoftFail, TempError and PermError as Fail?

^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-11 17:54   ` Lee Revell
@ 2006-06-11 18:54     ` David Miller
  2006-06-12  9:09       ` Matthias Andree
                         ` (3 more replies)
  0 siblings, 4 replies; 101+ messages in thread
From: David Miller @ 2006-06-11 18:54 UTC (permalink / raw)
  To: rlrevell; +Cc: folkert, matti.aarnio, linux-kernel

From: Lee Revell <rlrevell@joe-job.com>
Date: Sun, 11 Jun 2006 13:54:57 -0400

> On Sun, 2006-06-11 at 18:02 +0200, Folkert van Heusden wrote:
> > Hmmm.
> > What about using spamhaus.org sbl+xbl list?
> > I used to receive 1200 spam messages a day, with spamhaus only half of
> > that.
> 
> What about doing nothing?  The percentage of spam on LKML is vanishingly
> small.

We definitely need a better spam solution at vger, the reason is that
the current mechanism (ad-hoc by-hand regexp blocking) creates lots of
problems.  For one thing, it means that people with names in languages
other than English get blocked when their emails are quoted in
postings.  This is because we don't understand a lot of languages, so
we just regexp block multibyte characters typically associated with
that language in order to block spam written in that language.

That isn't acceptable in the long term.

To be honest I'm all for some kind of bayesian filter at vger as long
as the rejected postings go somewhere into a folder I can scan every
couple of days looking for false positives.

^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-11  5:17         ` jdow
@ 2006-06-12  8:18           ` Bernd Petrovitsch
  2006-06-12  8:23             ` jdow
                               ` (2 more replies)
  0 siblings, 3 replies; 101+ messages in thread
From: Bernd Petrovitsch @ 2006-06-12  8:18 UTC (permalink / raw)
  To: jdow; +Cc: davids, linux-kernel

On Sat, 2006-06-10 at 22:17 -0700, jdow wrote:
[...]
> that matter. It simply says, "When I went and looked at the guy's claimed
> mail source the spf record said he was who he said he was." Who vouches

No. SPF simply defines legitimate outgoing MTAs for a given domain.
Within a domain, it is up to the postmaster to allow/disallow address
forgery and for the rest of a world (to tell where legitimate email of
his domain comes from), the postmaster defines SPF records.

	Bernd
-- 
Firmix Software GmbH                   http://www.firmix.at/
mobil: +43 664 4416156                 fax: +43 1 7890849-55
          Embedded Linux Development and Services


^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-12  8:18           ` Bernd Petrovitsch
@ 2006-06-12  8:23             ` jdow
  2006-06-12  8:31               ` Bernd Petrovitsch
                                 ` (2 more replies)
  2006-06-12  9:53             ` Alan Cox
  2006-06-12 11:42             ` Kyle Moffett
  2 siblings, 3 replies; 101+ messages in thread
From: jdow @ 2006-06-12  8:23 UTC (permalink / raw)
  To: Bernd Petrovitsch; +Cc: davids, linux-kernel

From: "Bernd Petrovitsch" <bernd@firmix.at>

> On Sat, 2006-06-10 at 22:17 -0700, jdow wrote:
> [...]
>> that matter. It simply says, "When I went and looked at the guy's claimed
>> mail source the spf record said he was who he said he was." Who vouches
> 
> No. SPF simply defines legitimate outgoing MTAs for a given domain.
> Within a domain, it is up to the postmaster to allow/disallow address
> forgery and for the rest of a world (to tell where legitimate email of
> his domain comes from), the postmaster defines SPF records.
> 
> Bernd

And just recently we received a spate of spam that came from a domain
that disappeared almost immediately. Domain names are cheap. They can
vouch for the spam run. Then what happens to them doesn't matter. But
the SPF record passes.

{^_-}   There Ain't No Such Thing As A Free Lunch.
        Too many people think SPF is a free lunch.

^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-11  2:24   ` marty fouts
  2006-06-11  2:41     ` jdow
@ 2006-06-12  8:27     ` Bernd Petrovitsch
  2006-06-12 20:25       ` Horst von Brand
  1 sibling, 1 reply; 101+ messages in thread
From: Bernd Petrovitsch @ 2006-06-12  8:27 UTC (permalink / raw)
  To: marty fouts; +Cc: David Woodhouse, Matti Aarnio, linux-kernel

On Sat, 2006-06-10 at 19:24 -0700, marty fouts wrote:
[...]
> Further, while there is an RFC for SPF, it is an RFC for an
> experimental protocol. In addition to what David points out in his web
> site, SPF is controversial, and is in competition with other
> approaches.  (See RFC 4408.)

Not really: http://new.openspf.org/SPF_vs_Sender_ID

> It's not widely deployed.

However "widely deployed" is defined.
It is more widely deployed than any remotely similar proposed mechanism
(including and especially SenderId - which addresses actually another
problem).

> It doesn't work.

It works if it is used correctly (as any tool in the world).
The "problem" is that postmasters on the Net must do something (namely
1) define if they want to allow others to detect forged emails claimed
to come from their domain and 2) - if yes to 1) - to get appropriate SPF
records into DNS) and people must either use a "good" mail relay (and
not just the one next door) or convince postmasters to change the SPF
records.

> It'll break standard-abiding email.

As you see, standards change.

> Do you really want that?

Yes. Especially gmail.com should do such a thing - there is such a lot
of - presumably forged - @gmail.com mails in my mailboxes that
blacklisting the whole domain causes probably more good than bad (for
me, of course).

	Bernd
-- 
Firmix Software GmbH                   http://www.firmix.at/
mobil: +43 664 4416156                 fax: +43 1 7890849-55
          Embedded Linux Development and Services


^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-12  8:23             ` jdow
@ 2006-06-12  8:31               ` Bernd Petrovitsch
  2006-06-12  9:47               ` Neil Brown
  2006-06-12 17:37               ` Gerhard Mack
  2 siblings, 0 replies; 101+ messages in thread
From: Bernd Petrovitsch @ 2006-06-12  8:31 UTC (permalink / raw)
  To: jdow; +Cc: davids, linux-kernel

On Mon, 2006-06-12 at 01:23 -0700, jdow wrote:
[...]
> And just recently we received a spate of spam that came from a domain
> that disappeared almost immediately. Domain names are cheap. They can
> vouch for the spam run. Then what happens to them doesn't matter. But
> the SPF record passes.

Of course this is one way around it (and there are certainly others).
But it (may) save "my" domains from false complaints and bounced emails
just because some spammer sends email "From: xxx@mydomain".
Yes, SPF does not avoid spam in general (and BTW nobody on openspf.org
claims that).
And yes, we all want such a thing, but AFAICS there won't be such a
thing (except making email - at least - as expensive as snail mail).

	Bernd
-- 
Firmix Software GmbH                   http://www.firmix.at/
mobil: +43 664 4416156                 fax: +43 1 7890849-55
          Embedded Linux Development and Services


^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation  (FAQ matter)
       [not found] ` <20060611072223.GA16150@flint.arm.linux.org.uk>
@ 2006-06-12  8:32   ` Matti Aarnio
  2006-06-12  8:40     ` Russell King
                       ` (2 more replies)
  0 siblings, 3 replies; 101+ messages in thread
From: Matti Aarnio @ 2006-06-12  8:32 UTC (permalink / raw)
  To: Russell King; +Cc: linux-kernel

Russell wrote to me privately, but I do think this will make sense
also for the whole discussion. 

On Sun, Jun 11, 2006 at 08:22:23AM +0100, Russell King wrote:
> On Sun, Jun 11, 2006 at 01:27:34AM +0300, Matti Aarnio wrote:
> > Very little will break, but one should really consider converting
> > their email sending methodology to one, which uses fewest possible
> > number of servers, publish that data in DNS, and always send all
> > emails thru those servers.
> 
> In which case I'm going to ask those who forward / redirect email
> via my systems or the zen clusters to stop doing so - as David
> says on his web page, SPF (sorry, Internet Mail version 2) prevents
> such things from working, and requires a step "upgrade" of the entire
> internet.

For a very long time (like 20 years or so) I used to think like that.

Doing email services in big ISP environments for about 10 years did
cure me of that thinking.  Ordinary Janes and Joes (and grannies
and grandpas) must not be allowed to send email in similar ways that
we used to do in happy 1980s when the internet was engineer playground.

The Internet needs to be segregated into two kinds of users - those that
must not be allowed to do much of anything ( = common man to whom the
internet equals anyway to IE web-browser ) and to first-class citizens
with their own email servers...

Becoming such a first-class citizen should be fairly easy, but most
service providers don't yet sell anything else than that basic bulk
"common man" stuff.  THAT is serious disadvantage, but I do see emergence
of ISPs that do sell things for geeks also and do it without very steep
"business internet" price tag.


My thinking has always also been that "there is something rotten in
the .forward  processing"  -  but for traditional reasons I have not
altered email source addresses (e.g. what they call SRS in SPF
environment) when passing email thru user's  .forward  file.
Even SRS isn't perfect, but it is better than nothing.


With SMTP's EHLO mechanism introduction it has taken nearly 10 years
before it has become really widely used.   Most laggard of all were
not those ancient systems that were feared to be slowest adopting new
things - not at all..  Slowest were Microsoft and many firewall vendors
that want to poke inside the SMTP protocol and behave as "we know what
is safe"..



> > In longer run the amount of irresponsible (incurable) network security
> > holes (known as Windows) shows no sign of becoming extinct at adsl -lines,
> > so there will be increased pressure to demand sender identification
> > (and verification) during email sending - viruses can't do that yet...
> > And when they learn, user with infection can be trivially identified
> > and contacted/blocked.
> 
> Pie in the sky - it's already easy to identify viruses today.  Do the
> offenders get contacted and/or blocked by their ISPs today?  No.  So
> what makes you think that this wonderful SPF will make any difference?

There are some automated tools that can divert all traffic from 
detected (whatever criteria is used) Bad Host to a sandbox host giving
same web-page for all HTTP accesses (and blocking everything else).
They have proven to be quite efficient in some cases, but not always.

Enforcing (on "common man lines") also a policy of: Send nowhere with
SMTP, always send with AUTHENTICATED SUBMISSION will also allow users
to use their email provider's email servers for email sending independent
of where they are at any time, and from whom they have bought the network
connection - thus they can change access ISP:s easily and having email
address independent of their access - of course this is not according
to access provider isp's interests...

Email address is, after all, what people do want to stay unchanged, but
it is also being used as a tie-in to keep them bound to access network
ISP that provides the email service.

In spite of its many perceived faults,  SPF is one of many things that
will change the way of the internet universe.

A bit earlier mentioned "easy to poison DNS caches" is also something
that will become more and more difficult.  Latest round of things with
DNS in Finland was that no server doing recursive resolving is permitted
to offer the service outside local customer networks.  Indeed I was
surprised that there is not yet a globally assigned "AnyCast" IPv4
address for Recursive DNS resolvers.  Resolving service would be available
from same few addresses where-ever you are. I leave practical implementation
details to the reader.  (It is not very complex, and can be done with
about any server existing today.  I made such beasts with latest Bind 9
on Linux, NetBSD, and Solaris.)

We had also "IP source address sanity enforcement" so that hijacked
(virus infested, whatever) PC can not send out IP datagrams with source
address other than its own (or the network that it belongs to, if no
individual verification is possible).

Most of reasons behind the DNS securing exercise would have been totally
unnecessary with world's biggest ISPs doing that source IP address sanity
filtering at their internal access edges.

SPF is application level version of this type of source sanity
enforcement, and all that I intend to do is to publish that TXT
entry for VGER.  Analyzing SPF data in incoming SMTP reception
is a thing that I leave for later phase  (how much later,
I can't say yet.)


> Sorry, you don't get my vote for any of this.
> -- 
> Russell King
>  Linux kernel    2.6 ARM Linux   - http://www.arm.linux.org.uk/
>  maintainer of:  2.6 Serial core

  /Matti Aarnio

^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation  (FAQ matter)
  2006-06-12  8:32   ` Matti Aarnio
@ 2006-06-12  8:40     ` Russell King
  2006-06-12  9:57       ` Neil Brown
  2006-06-12 20:06       ` Zwane Mwaikambo
  2006-06-12 11:22     ` David Woodhouse
  2006-06-12 15:41     ` Simon Oosthoek
  2 siblings, 2 replies; 101+ messages in thread
From: Russell King @ 2006-06-12  8:40 UTC (permalink / raw)
  To: Matti Aarnio, zwane; +Cc: linux-kernel

On Mon, Jun 12, 2006 at 11:32:39AM +0300, Matti Aarnio wrote:
> SPF is application level version of this type of source sanity
> enforcement, and all that I intend to do is to publish that TXT
> entry for VGER.  Analyzing SPF data in incoming SMTP reception
> is a thing that I leave for later phase  (how much later,
> I can't say yet.)

In which case I have no option but to ask - Zwane, please stop using
my systems to forward your lkml email - Matti's proposed change will
potentially break that setup.

Thanks.

-- 
Russell King
 Linux kernel    2.6 ARM Linux   - http://www.arm.linux.org.uk/
 maintainer of:  2.6 Serial core

^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation  (FAQ matter)
  2006-06-11 14:03         ` Avi Kivity
@ 2006-06-12  8:47           ` Matthias Andree
  2006-06-12 10:17             ` Neil Brown
  0 siblings, 1 reply; 101+ messages in thread
From: Matthias Andree @ 2006-06-12  8:47 UTC (permalink / raw)
  To: Avi Kivity
  Cc: Rik van Riel, Theodore Tso, David Woodhouse, Matti Aarnio,
	linux-kernel

On Sun, 11 Jun 2006, Avi Kivity wrote:

> Can't it be corrected by having the thunk.org MTA relay messages from 
> @mit.edu through the MIT MTA? Presumably the MIT MTA will only be open 
> to authenticated users.

That isn't "corrected", but "broken even further".

What difference does it make to the authenticity of the message, or
perhaps its envelope, who the postman is and into which mailbox the
letter is posted?

Use something sane please, not SPF.

All the world break their mailers at Wong's command because a half-baked
idea is raved about without thinking.

It's bad enough GMX are posting SPF records - I disabled SPF on my
inbound path, because GMX enable a per-recipient configuration of this
nonsense - I can't opt out of their posting SPF records though...

There's no need to repeat David's arguments counter to SPF for me.
David's document says it all.

-- 
Matthias Andree

^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation  (FAQ matter)
  2006-06-10 22:27 VGER does gradual SPF activation (FAQ matter) Matti Aarnio
                   ` (4 preceding siblings ...)
       [not found] ` <20060611072223.GA16150@flint.arm.linux.org.uk>
@ 2006-06-12  9:05 ` Matthias Andree
  2006-06-12 17:28   ` Matthew Frost
  2006-06-13  0:12   ` David Woodhouse
  5 siblings, 2 replies; 101+ messages in thread
From: Matthias Andree @ 2006-06-12  9:05 UTC (permalink / raw)
  To: Matti Aarnio; +Cc: linux-kernel

On Sun, 11 Jun 2006, Matti Aarnio wrote:

> Now that there is even an RFC published about SPF...
> 
> 
> What is SPF ?
> 
> It is one way to to ensure that at SMTP transport level the claimed
> message source domain is valid, and message is coming from place
> where origination domain's administrator has declared that are valid
> source servers for emails claiming to be of that domain.

So the spammers declare valid sending sites (0.0.0.0/0 anyone) for their
botnet in a particular domain. The domain is registered via anonymizing
proxy and long gone by the time it appears in black lists. What did you
gain?

> It does NOT verify that SMTP origination local part is true. 

Good. But what's the cause for SPF then?

> It does NOT verify message visible headers.

SPF isn't meant to.

> What it gives ?
> 
> It gives us a way to tell the world, that emails claiming to be
> coming from VGER should be accepted only when they really are
> coming from vger.

No, it doesn't. It gives vger admins a way to tell the world what the
vger outgoing MXs are. vger is *NOT* in a position to set end site
policies, and shouldn't claim so.

> (Complications like recipients incoming MX
> relays are not _our_ problem..)

Right. Shift the blame on those over whom you claimed sovereignty over
their policies one breath before. Is that how SPF adoption policy works?
If so, I'd consider that a pretty dirty way of doing things and I'd
rather wash my hands clean of such policies if my name were Matti
Aarnio.

> We might get slight reduction of back falling junk at vger with
> that - reduction increases when people begin to deploy the SPF
> verification more and more widely into their receiving email servers.

I believe checking Received: headers of backscatter (that term is used
in Postfix discussions for "back falling junk") catches a fair amount of
that junk.

> Will VGER begin to verify SPF in incoming email ?
> 
> Yes, sometime this summer.

I suggest not.

> You really should go and read SPF documents and guides and FAQs at:
>     http://spf.pobox.com/
> 
> Very little will break,

Mail forwarding breaks, massively. The costly SRS workaround just adds
new problems without coming to a real solution.

Perhaps you might want to remove vger from doing mail altogether and
switch to Usenet news. Admins cancel obvious spam and that's it.

> In longer run the amount of irresponsible (incurable) network security
> holes (known as Windows)

So refuse mail from Windows sites. p0f can do it. PF (a packet filter
offered by some BSD systems) can do it.

> shows no sign of becoming extinct at adsl -lines,
> so there will be increased pressure to demand sender identification
> (and verification) during email sending - viruses can't do that yet...

So you think? Have you counted sites that have deployed DRAC and other
pop-before-smtp junk? Viruses can easily bypass those and get the
"verified" tag from SPF. How /very/ useful SPF is.

> And when they learn, user with infection can be trivially identified
> and contacted/blocked.

They could do that today if they so desired. They don't care, and they
won't care in the future.

> At the same time I do find it most likely that
> ADSL-lines (and modems) will no longer be allowed to send _anywhere_
> over plain SMTP.

So you'd reject my validly GnuPG signed messages just because I'm
sending from a BSD or Linux or Solaris ADSL? What a disruption of
service.

SPF is a non-starter.

Perhaps you should consider having filters look at the *content* of
messages. Does it fit how common messages look on vger lists? Or does it
look like the usual spam? bogofilter can do it. qsf can do it. spamprobe
can do it.  crm114 can do it.  Some of these (bogofilter for instance)
can ascertain how much it's spam, how much it's wanted, or if it's
undecided.

-- 
Matthias Andree

^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-11 18:54     ` David Miller
@ 2006-06-12  9:09       ` Matthias Andree
  2006-06-12 11:32       ` Nikita Danilov
                         ` (2 subsequent siblings)
  3 siblings, 0 replies; 101+ messages in thread
From: Matthias Andree @ 2006-06-12  9:09 UTC (permalink / raw)
  To: David Miller; +Cc: rlrevell, folkert, matti.aarnio, linux-kernel

(Bcc'ing David Relson to protect his mail address from the usual vger
flamewars.)

On Sun, 11 Jun 2006, David Miller wrote:

> To be honest I'm all for some kind of bayesian filter at vger as long
> as the rejected postings go somewhere into a folder I can scan every
> couple of days looking for false positives.

I suggest to try out bogofilter and spamprobe. Either lets YOU decide
what to do with its finding if it's spam or ham. bogofilter or spamprobe
works together with some filter like procmail or maildrop and you code
what happens with message that is "Spam", "Ham" or "Unsure", and you can
even look at the numeric value from 0 (ham) to 1 (spam) and decide. The
default install suggests an "unsure" range that you can also manually
look at.

Spamprobe also works rather well for many, although I don't know much
about its details today, haven't followed it for many months.

-- 
Matthias Andree

^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-12  8:23             ` jdow
  2006-06-12  8:31               ` Bernd Petrovitsch
@ 2006-06-12  9:47               ` Neil Brown
  2006-06-12 10:30                 ` Alan Cox
  2006-06-12 17:37               ` Gerhard Mack
  2 siblings, 1 reply; 101+ messages in thread
From: Neil Brown @ 2006-06-12  9:47 UTC (permalink / raw)
  To: jdow; +Cc: Bernd Petrovitsch, davids, linux-kernel

On Monday June 12, jdow@earthlink.net wrote:
> 
> And just recently we received a spate of spam that came from a domain
> that disappeared almost immediately. Domain names are cheap. They can
> vouch for the spam run. Then what happens to them doesn't matter. But
> the SPF record passes.
> 

So the obvious next step (Which I remember being discussed on the SPF
mailing list shortly before I had to unsubscribe) is to develop a
mechanism to measure the credibility of new domains.  No point doing
this until authenticity is fairly reliable, but once it is, that will
be the next logical step.

> {^_-}   There Ain't No Such Thing As A Free Lunch.
>         Too many people think SPF is a free lunch.

Can't argue with that - both points are very true.

NeilBrown

^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-12  8:18           ` Bernd Petrovitsch
  2006-06-12  8:23             ` jdow
@ 2006-06-12  9:53             ` Alan Cox
  2006-06-12 10:01               ` Bernd Petrovitsch
  2006-06-12 10:58               ` Neil Brown
  2006-06-12 11:42             ` Kyle Moffett
  2 siblings, 2 replies; 101+ messages in thread
From: Alan Cox @ 2006-06-12  9:53 UTC (permalink / raw)
  To: Bernd Petrovitsch, Matti Aarnio; +Cc: jdow, davids, linux-kernel

Ar Llu, 2006-06-12 am 10:18 +0200, ysgrifennodd Bernd Petrovitsch:
> No. SPF simply defines legitimate outgoing MTAs for a given domain.

No it does not. If it did it would be almost a usable idea, but it fails
because the ISP generally controls the definition and the users are more
mobile so they want to send via other paths too. Going via the users
home box is often impractical because of firewalls and also ISP controls
like dynamic IP. It is a technical solution to the wrong problem because
it was designed by people some of whom are ignorant of the real world
and the other half of whom saw it as a differentiator and a further
profit potential.

Spammers *love* SPF because they can register 30 day knock down unpaid
domains and people score them as non spam.

ISPs *love* SPF because they can enforce policies that allow them to
charge even more to users who want to do anything interesting. The fact
many of them don't allow users to control their own domain SPF or get a
fixed SPF pointing at the ISP mailhost only is not entirely that they
haven't gotten around to fixing it either.

The people who suffer from SPF are unfortunately the users. The people
it's alleged to stop like it. The people it is alleged to help run
filters get richer and the users get screwed.

For Vger it isn't too bad, it'll just break all the people relaying or
cc'ing vger mail to an ISP account, and probably those people Cc'ing it
to some HTML based list archiving sites. 

I find Matti's comments about "first-class citizens" distasteful. What
do you want Matti, a world where you have to be "<--- this --->" 'L33T
to post email ? Knowledge and responsibility are not the same thing, as
usenet Approved headers showed.

SPF *would* be wonderful if the users controlled SPF handling and
someone fixed the forwarding flaws in it, but neither is the case today.

Alan


^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation  (FAQ matter)
  2006-06-12  8:40     ` Russell King
@ 2006-06-12  9:57       ` Neil Brown
  2006-06-12 15:55         ` Russell King
  2006-06-12 20:06       ` Zwane Mwaikambo
  1 sibling, 1 reply; 101+ messages in thread
From: Neil Brown @ 2006-06-12  9:57 UTC (permalink / raw)
  To: Russell King; +Cc: Matti Aarnio, zwane, linux-kernel

On Monday June 12, rmk+lkml@arm.linux.org.uk wrote:
> On Mon, Jun 12, 2006 at 11:32:39AM +0300, Matti Aarnio wrote:
> > SPF is application level version of this type of source sanity
> > enforcement, and all that I intend to do is to publish that TXT
> > entry for VGER.  Analyzing SPF data in incoming SMTP reception
> > is a thing that I leave for later phase  (how much later,
> > I can't say yet.)
> 
> In which case I have no option but to ask - Zwane, please stop using
> my systems to forward your lkml email - Matti's proposed change will
> potentially break that setup.

Of course you do have other options.

One is to take responsibility of the mail that you forward.  I don't
necessarily mean SRS - anything that makes the mail come from a domain
which claims your server as a valid sender will do.

Another option would be to arrange with the site that you are
forwarding mail to to trust you.

Exactly what option is best for you would depend a lot on the details
of your current setup - and Zwane's.

And certainly not forwarding mail for Zwane is an option.

But there *are* multiple options.

NeilBrown

^ permalink raw reply	[flat|nested] 101+ messages in thread
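
Added example (not part of any message in this thread, and not vger's configuration): a minimal offline SPF evaluation over constructed records. It shows the forwarding cases discussed above (unchanged envelope sender versus a forwarder that puts its own domain in MAIL FROM) and how the answer to Florian Weimer's SoftFail/TempError/PermError question changes what a receiver does. All domains, addresses, function names and both policy tables are assumptions; only the ip4, ip6, include and all mechanisms are handled.

```python
import ipaddress

# Constructed TXT data standing in for DNS; these are not real published records.
TXT = {
    "lists.example":     ["v=spf1 ip4:192.0.2.25 -all"],
    "forwarder.example": ["v=spf1 ip4:198.51.100.7 -all"],
    "soft.example":      ["v=spf1 ip4:192.0.2.40 ~all"],
    "hosted.example":    ["v=spf1 include:lists.example ?all"],
    "broken.example":    ["v=spf1 ip4:not-an-address -all"],
    "norecord.example":  ["some unrelated TXT string"],
}
LOOKUP_TIMEOUT = {"flaky.example"}   # constructed: the DNS query gets no answer

QUALIFIER = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}


def check_host(ip, domain, depth=0):
    """Return the RFC 4408 result name for client `ip` against `domain`."""
    if domain in LOOKUP_TIMEOUT:
        return "TempError"
    records = [t for t in TXT.get(domain, []) if t.split(" ")[0].lower() == "v=spf1"]
    if not records:
        return "None"
    if len(records) > 1 or depth > 10:      # depth check is a simple recursion guard
        return "PermError"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qual, body = (term[0], term[1:]) if term[0] in QUALIFIER else ("+", term)
        mech, _, arg = body.partition(":")
        mech = mech.lower()
        if "=" in mech:
            continue                        # modifier (redirect=, exp=): ignored here
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "PermError"          # syntax error in the published record
            if net.version != int(mech[2]):
                return "PermError"
            matched = addr in net
        elif mech == "include":
            inner = check_host(ip, arg, depth + 1)
            if inner in ("TempError", "PermError"):
                return inner
            if inner == "None":
                return "PermError"
            matched = inner == "Pass"       # Fail/SoftFail/Neutral: just no match
        elif mech in ("a", "mx", "ptr", "exists"):
            raise NotImplementedError(mech + " needs live DNS")
        else:
            return "PermError"              # unknown mechanism
        if matched:
            return QUALIFIER[qual]
    return "Neutral"                        # no mechanism matched


def spf_identity(helo, mail_from):
    """Domain that SPF checks: envelope MAIL FROM, or HELO for the null sender.
    The visible From: header is never consulted."""
    return mail_from.rpartition("@")[2] if mail_from else helo


# Two hypothetical receiver policies; SPF itself only yields the result name.
LENIENT = {"Pass": "accept", "None": "accept", "Neutral": "accept",
           "SoftFail": "accept-and-tag", "PermError": "accept-and-tag",
           "TempError": "defer", "Fail": "reject"}
# The reading asked about in the thread: every doubtful result handled as Fail.
STRICT = dict(LENIENT, SoftFail="reject", PermError="reject", TempError="reject")


def receive(client_ip, helo, mail_from, policy):
    """Return (SPF result, disposition) for one SMTP transaction."""
    result = check_host(client_ip, spf_identity(helo, mail_from))
    return result, policy[result]


def demo():
    fwd_ip = "198.51.100.7"
    cases = [
        ("direct from list host", "192.0.2.25", "lists.example", "owner@lists.example"),
        (".forward, sender kept", fwd_ip, "forwarder.example", "owner@lists.example"),
        ("forwarder rewrites sender", fwd_ip, "forwarder.example", "fwd@forwarder.example"),
        ("softfail record", "203.0.113.9", "x.example", "a@soft.example"),
        ("record with syntax error", "203.0.113.9", "x.example", "a@broken.example"),
        ("DNS timeout", "203.0.113.9", "x.example", "a@flaky.example"),
    ]
    return [(name,) + receive(ip, helo, mfrom, LENIENT) + (receive(ip, helo, mfrom, STRICT)[1],)
            for name, ip, helo, mfrom in cases]


if __name__ == "__main__":
    for row in demo():
        print("%-28s %-10s lenient=%-15s strict=%s" % row)
```

The rewritten-sender case is a simplification of what SRS does: it only changes which domain is checked, and bounces then return to the forwarder.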

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-12  9:53             ` Alan Cox
@ 2006-06-12 10:01               ` Bernd Petrovitsch
  2006-06-12 11:14                 ` Matthias Andree
  2006-06-12 10:58               ` Neil Brown
  1 sibling, 1 reply; 101+ messages in thread
From: Bernd Petrovitsch @ 2006-06-12 10:01 UTC (permalink / raw)
  To: Alan Cox; +Cc: Matti Aarnio, jdow, davids, linux-kernel

On Mon, 2006-06-12 at 10:53 +0100, Alan Cox wrote:
> Ar Llu, 2006-06-12 am 10:18 +0200, ysgrifennodd Bernd Petrovitsch:
> > No. SPF simply defines legitimate outgoing MTAs for a given domain.
> 
> No it does not. If it did it would be almost a usable idea, but it fails
> because the ISP generally controls the definition and the users are more

ACK. The domain owner controls it. So if you are not happy with your
domain owner .....

[...]
> ISPs *love* SPF because they can enforce policies that allow them to
> charge even more to users who want to do anything interesting. The fact
> many of them don't allow users to control their own domain SPF or get a
> fixed SPF pointing at the ISP mailhost only is not entirely that they
> haven't gotten around to fixing it either.
> 
> The people who suffer from SPF are unfortunately the users. The people
> it's alleged to stop like it. The people it is alleged to help run
> filters get richer and the users get screwed.
[....]
> SPF *would* be wonderful if the users controlled SPF handling and

Of course it would be much more useful (at least for the more
knowing/interested folks) if the user can specify "legitimate" email
(i.e. for the whole email address, not only the domain part).
This can be done since years with PGP-signatures but almost no one is
really using it. And this requires understanding of PGP etc. - which is
unfortunately not the case for everyone.
So any simpler (but also reliable enough) scheme needs to be defined.

> someone fixed the forwarding flaws in it, but neither is the case today.

	Bernd
-- 
Firmix Software GmbH                   http://www.firmix.at/
mobil: +43 664 4416156                 fax: +43 1 7890849-55
          Embedded Linux Development and Services


^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation  (FAQ matter)
  2006-06-12  8:47           ` Matthias Andree
@ 2006-06-12 10:17             ` Neil Brown
  2006-06-12 10:35               ` David Woodhouse
  2006-06-12 11:07               ` Matthias Andree
  0 siblings, 2 replies; 101+ messages in thread
From: Neil Brown @ 2006-06-12 10:17 UTC (permalink / raw)
  To: Matthias Andree
  Cc: Avi Kivity, Rik van Riel, Theodore Tso, David Woodhouse,
	Matti Aarnio, linux-kernel

On Monday June 12, matthias.andree@gmx.de wrote:
> On Sun, 11 Jun 2006, Avi Kivity wrote:
> 
> > Can't it be corrected by having the thunk.org MTA relay messages from 
> > @mit.edu through the MIT MTA? Presumably the MIT MTA will only be open 
> > to authenticated users.
> 
> That isn't "corrected", but "broken even further".
> 
> What difference does it make to the authenticity of the message, or
> perhaps its envelope, who the postman is and into which mailbox the
> letter is posted?

"A bad analogy is like a leaky screw driver."

Your screwdriver is leaking!

If you get a letter from your aunt in Rome, and it is post-marked
'Moscow', you might doubt the authenticity.  If it claims to be from
your swiss bank with the same post mark you would doubt it even more.

I'm not saying that postmarks are a particularly good analogy,
but if I had a knock on my door (SYN) and opened it (ACK /
SYN-ACK), and the person said
 Hi, I'm from the Thunk group (HELO thunk.org) and I have a letter
 from Ted at MIT (MAIL FROM: <tytso@mit.edu>) 
then I'm not sure I would believe them (well, I might, but my butler
shouldn't).

> 
> Use something sane please, not SPF.
> 
> All the world break their mailers at Wong's command because a half-baked
> idea is raved about without thinking.

"half-baked" - maybe that is appropriate.
I've been thinking lately that SPF is one of those "125mls of water in
a 250ml glass" things.
To some it is half full, to others it is half empty.

It's probably like monolithic kernels - there is no future in it!

NeilBrown

> 
> It's bad enough GMX are posting SPF records - I disabled SPF on my
> inbound path, because GMX enable a per-recipient configuration of this
> nonsense - I can't opt out of their posting SPF records though...
> 
> There's no need to repeat David's arguments counter to SPF for me.
> David's document says it all.
> 
> -- 
> Matthias Andree

^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-12  9:47               ` Neil Brown
@ 2006-06-12 10:30                 ` Alan Cox
  2006-06-12 10:33                   ` Neil Brown
  0 siblings, 1 reply; 101+ messages in thread
From: Alan Cox @ 2006-06-12 10:30 UTC (permalink / raw)
  To: Neil Brown; +Cc: jdow, Bernd Petrovitsch, davids, linux-kernel

Ar Llu, 2006-06-12 am 19:47 +1000, ysgrifennodd Neil Brown:
> mailing list shortly before I had to unsubscribe) is to develop a
> mechanism to measure the credibility of new domains.  No point doing
> this until authenticity is fairly reliable, but once it is, that will
> be the next logical step.

Which is very very hard.

Think about it logically. Today to get a domain you need a credit/debit
card. A credit/debit card is ID managed by organisations very keen that
they don't get copied or faked. You are talking about building a
worldwide system that is more effective than the ones the banks run: for
a ten US dollar (ie peanuts and falling) value domain.

Alan


^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-12 10:30                 ` Alan Cox
@ 2006-06-12 10:33                   ` Neil Brown
  0 siblings, 0 replies; 101+ messages in thread
From: Neil Brown @ 2006-06-12 10:33 UTC (permalink / raw)
  To: Alan Cox; +Cc: jdow, Bernd Petrovitsch, davids, linux-kernel

On Monday June 12, alan@lxorguk.ukuu.org.uk wrote:
> Ar Llu, 2006-06-12 am 19:47 +1000, ysgrifennodd Neil Brown:
> > mailing list shortly before I had to unsubscribe) is to develop a
> > mechanism to measure the credibility of new domains.  No point doing
> > this until authenticity is fairly reliable, but once it is, that will
> > be the next logical step.
> 
> Which is very very hard.

We do hard things every day, don't we? 

> 
> Think about it logically. Today to get a domain you need a credit/debit
> card. A credit/debit card is ID managed by organisations very keen that
> they don't get copied or faked. You are talking about building a
> worldwide system that is more effective than the ones the banks run: for
> a ten US dollar (ie peanuts and falling) value domain.

Think about it creatively.
How many domains need to be able to send mail?  I suspect a tiny
fraction.
Having a domain that can be a web address and a destination for mail
is (I suspect) the greatest demand.  Having a domain that can send
mail is less important to many, but important enough to some that they
will pay.

Yes, it is hard, but if everyone says "that cannot work" we will never
move forward.  SPF may not be a big step forward, but I believe it is
a step forward (and at least it is a step!)

NeilBrown

^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation  (FAQ matter)
  2006-06-12 10:17             ` Neil Brown
@ 2006-06-12 10:35               ` David Woodhouse
  2006-06-12 11:07               ` Matthias Andree
  1 sibling, 0 replies; 101+ messages in thread
From: David Woodhouse @ 2006-06-12 10:35 UTC (permalink / raw)
  To: Neil Brown
  Cc: Matthias Andree, Avi Kivity, Rik van Riel, Theodore Tso,
	Matti Aarnio, linux-kernel

On Mon, 2006-06-12 at 20:17 +1000, Neil Brown wrote:
> If you get a letter from your aunt in Rome, and it is post-marked
> 'Moscow', you might doubt the authenticity.

If my aunt lives in Rome but I get a postcard (or even a letter) from
her in Moscow, are you suggesting I should consign it to the dustbin
unread? That's what the SPF folks seem to want, and it works no better
in your snail mail analogy than it does in real life.

People travel. Mail gets forwarded.

>   If it claims to be from your Swiss bank with the same post mark you
> would doubt it even more. 

In the case of mail from my bank, if it _had_ a postmark rather than
being pre-paid I would be suspicious.

The SPF folks would have me refuse mail claiming to be from the
bank because it's actually delivered by my postman, and he doesn't work
for the bank therefore it must be a "forgery" (using their new
definition of that term).

Meanwhile, in the real world, I don't want to throw away valid mail. And
there are better ways of avoiding fakes, too. 

ObVger: we should probably enable sender verification callouts, if
they're not being done already. There's no justification for accepting
mail from an address which doesn't accept bounces. That would combat
forgery in a much saner manner.

-- 
dwmw2


^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-12  9:53             ` Alan Cox
  2006-06-12 10:01               ` Bernd Petrovitsch
@ 2006-06-12 10:58               ` Neil Brown
  2006-06-12 11:22                 ` Matthias Andree
  1 sibling, 1 reply; 101+ messages in thread
From: Neil Brown @ 2006-06-12 10:58 UTC (permalink / raw)
  To: Alan Cox; +Cc: Bernd Petrovitsch, Matti Aarnio, jdow, davids, linux-kernel

On Monday June 12, alan@lxorguk.ukuu.org.uk wrote:
> 
> SPF *would* be wonderful if the users controlled SPF handling and
> someone fixed the forwarding flaws in it, but neither is the case today.
> 

The "forwarding flaws" are not flaws in SPF but in SMTP practice.
I suspect they grew out of the multi-hop days of UUCP and similar
protocols, but it isn't appropriate in today's Internet.

A forwarded email is a new message and shouldn't claim to be from the
original sender.

I rent a home and occasionally get mail for the landlords which I
redirect to them.  If I mis-direct it, it should really come back to
me rather than the original sender (though the current postal system
doesn't actually encourage that). Of course my landlord needs to trust
me, but if they didn't they would have told everybody their new
address (and they have told most people).

Forwarding systems *Shouldn't* simply forward the mail.  They should
re-send it from a new origin.  If it bounces, there are various things
that can be done, from human interaction, or disabling the forward for
future email, allowing customers to register backup addresses, or
having web-access to bounced mail or whatever.

Yes, people have to change their forwarding practices to be fully SPF
compliant, but that is a case of it is broke, and should be fixed
anyway.

NeilBrown

^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation  (FAQ matter)
  2006-06-12 10:17             ` Neil Brown
  2006-06-12 10:35               ` David Woodhouse
@ 2006-06-12 11:07               ` Matthias Andree
  1 sibling, 0 replies; 101+ messages in thread
From: Matthias Andree @ 2006-06-12 11:07 UTC (permalink / raw)
  To: Neil Brown
  Cc: Matthias Andree, Avi Kivity, Rik van Riel, Theodore Tso,
	David Woodhouse, Matti Aarnio, linux-kernel

Neil Brown schrieb am 2006-06-12:

> Your screwdriver is leaking!
> 
> If you get a letter from your aunt in Rome, and it is post-marked
> 'Moscow', you might doubt the authenticity.

Family situation aside, if she's travelling and knows she's no longer
reachable in the place she stays in Moscow by the time when I get the
postcard/letter, it's perfectly reasonable to write her Italian return
address on the envelope.

For counter arguments versus your other points, see David Woodhouse's reply.

-- 
Matthias Andree

^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-12 10:01               ` Bernd Petrovitsch
@ 2006-06-12 11:14                 ` Matthias Andree
  0 siblings, 0 replies; 101+ messages in thread
From: Matthias Andree @ 2006-06-12 11:14 UTC (permalink / raw)
  To: Bernd Petrovitsch; +Cc: Alan Cox, Matti Aarnio, jdow, davids, linux-kernel

Bernd Petrovitsch schrieb am 2006-06-12:

> On Mon, 2006-06-12 at 10:53 +0100, Alan Cox wrote:
> > Ar Llu, 2006-06-12 am 10:18 +0200, ysgrifennodd Bernd Petrovitsch:
> > > No. SPF simply defines legitimate outgoing MTAs for a given domain.
> > 
> > No it does not. If it did it would be almost a usable idea, but it fails
> > because the ISP generally controls the definition and the users are more
> 
> ACK. The domain owner controls it. So if you are not happy with your
> domain owner .....

Are you suggesting everyone is going to become (= turn into, German
'werden') their own ISP hosting a gazillion of domains and renting half
a dozen root servers all over the place?

That isn't exactly the idea of being equal, equal rights, presumptions
of innocence and all that.

You're not going to kill spammers by shooting at innocent end users' feet
to make them dance. The spammer has a motive to break any scheme, but if
it's SPF, what's it tomorrow?

This is just evasive talk of the SPF guys to not being held responsible
for the nonsense they created.

The SPF ppl are free to come back when the concept is complete and the
known shortcomings have been addressed, but until then they need to sit
down on their buttocks and fix up things.

-- 
Matthias Andree

^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-12 10:58               ` Neil Brown
@ 2006-06-12 11:22                 ` Matthias Andree
  0 siblings, 0 replies; 101+ messages in thread
From: Matthias Andree @ 2006-06-12 11:22 UTC (permalink / raw)
  To: Neil Brown
  Cc: Alan Cox, Bernd Petrovitsch, Matti Aarnio, jdow, davids,
	linux-kernel

Neil Brown schrieb am 2006-06-12:

> On Monday June 12, alan@lxorguk.ukuu.org.uk wrote:
> > 
> > SPF *would* be wonderful if the users controlled SPF handling and
> > someone fixed the forwarding flaws in it, but neither is the case today.
> > 
> 
> The "forwarding flaws" are not flaws in SPF but in SMTP practice.

No. SPF neglected existing SMTP practice when it was invented, the
typical sign of something engineered without respect for realities. It
has since been given a crutch named SRS, but it still can't walk. And
rather than fixing the SPF/SRS/... problems, their disciples advocate it
and tell all the world it needs to change.

Quite overstating their own importance I'd say.

> I suspect they grew out of the multi-hop days of UUCP and similar
> protocols, but it isn't appropriate in today's Internet.

Your suspicions are irrelevant, and thank goodness neither Wong nor
Brown nor Matthias Andree are the absolute rulers of the internet.

> A forwarded email is a new message and shouldn't claim to be from the
> original sender.

A forwarded email conveys the same message as the originator sent,
it's a long way from being a new message. The time of monks copying
books is long past.

> Forwarding systems *Shouldn't* simply forward the mail.

I am controlling the forwarding system, and you aren't going to take it
away from me.

> Yes, people have to change their forwarding practices to be fully SPF
> compliant, but that is a case of it is broke, and should be fixed
> anyway.

Right, <twisting your words> SPF should be fixed.

-- 
Matthias Andree

^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation  (FAQ matter)
  2006-06-12  8:32   ` Matti Aarnio
  2006-06-12  8:40     ` Russell King
@ 2006-06-12 11:22     ` David Woodhouse
  2006-06-12 15:41     ` Simon Oosthoek
  2 siblings, 0 replies; 101+ messages in thread
From: David Woodhouse @ 2006-06-12 11:22 UTC (permalink / raw)
  To: Matti Aarnio; +Cc: Russell King, linux-kernel

On Mon, 2006-06-12 at 11:32 +0300, Matti Aarnio wrote:
> SPF is application level version of this type of source sanity
> enforcement, and all that I intend to do is to publish that TXT
> entry for VGER.  

Precisely _because_ SPF is at the application level, it doesn't make
sense. In the real world, you just can't assume that mail will arrive
_directly_ from the machine which originated it.

Think about what happens if you do your 'source IP sanity enforcement'
at the wrong level... if you insist that the MAC address on the Ethernet
packet you receive must match a MAC address published in DNS for that
host. If you do that, you _will_ break things because the Internet isn't
a single big Ethernet switch -- stuff gets _routed_. The same principle
applies to mail, and that's the problem with SPF.

You can make restrictions about which hosts may use your domain in HELO
(http://mipassoc.org/csv/), but linking domain names used in MAIL FROM:
to certain IP addresses is not compatible with current practice.

But let's back up a moment... precisely what is it that you think you
gain by publishing an SPF record for vger? There are almost certainly
better ways to achieve that goal, whatever it is.

You can address forgery _without_ having to break SMTP. I'd much rather
see vger doing DomainKeys/IIM and BATV.

I accept that you need to break eggs to make an omelette. But you don't
have to run amok in the kitchen, and smash the frying pan too.

-- 
dwmw2


^ permalink raw reply	[flat|nested] 101+ messages in thread
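
The forwarding dispute in the messages above (MAIL FROM tied to a set of IP addresses, mail relayed by a third host, and the "re-send from a new origin" / SRS answer), as an added example that is not part of any poster's message. It is a small SPF evaluator covering only the ip4, ip6, include and all mechanisms; every domain, address and TXT record in it is constructed, and the envelope rewrite is a simplified stand-in for SRS.

```python
import ipaddress

# Constructed DNS TXT data: reserved example domains, documentation IP ranges.
TXT = {
    "sender.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "forwarder.example":
        "v=spf1 ip4:198.51.100.25 include:relay.forwarder.example ~all",
    "relay.forwarder.example": "v=spf1 ip4:198.51.100.64/26 -all",
    # nospf.example deliberately publishes no record
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Return the SPF result for client `ip` using `domain` in MAIL FROM.

    Sketch only: a, mx, exists, redirect and macros are not implemented
    and yield "permerror" if they appear in a record.
    """
    if depth > 10:                       # guard against include loops
        return "permerror"
    record = TXT.get(domain.lower())
    if record is None or record.split()[0] != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"                  # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = addr.version == net.version and addr in net
        elif name == "include":
            inner = check_host(ip, arg, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"       # broken include target
            matched = inner == "pass"    # only a pass in the target matches
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # no mechanism matched, no "all"


def spf_for_envelope(client_ip, mail_from):
    """SPF sees only the envelope sender's domain and the peer address."""
    return check_host(client_ip, mail_from.rsplit("@", 1)[1])


def resend_envelope(mail_from, forwarder_domain):
    """Re-send from a new origin: the forwarder's domain goes into MAIL FROM
    and the original address stays recoverable in the local part.
    Simplified assumption; real SRS also carries a hash and a timestamp."""
    local, domain = mail_from.rsplit("@", 1)
    return f"fwd={domain}={local}@{forwarder_domain}"


def scenarios():
    original = "alice@sender.example"
    rewritten = resend_envelope(original, "forwarder.example")
    return {
        # Sent straight from the sender domain's own outbound host.
        "direct": spf_for_envelope("192.0.2.10", original),
        # Relayed by a forwarder that keeps the original MAIL FROM.
        "forwarded_unchanged": spf_for_envelope("198.51.100.25", original),
        # Same relay, envelope rewritten into the forwarder's domain.
        "forwarded_rewritten": spf_for_envelope("198.51.100.25", rewritten),
        # A second relay host authorised through include:.
        "forwarded_via_include": spf_for_envelope("198.51.100.70", rewritten),
        # Unlisted host claiming a domain whose record ends in ~all.
        "unlisted_softfail": spf_for_envelope("203.0.113.9",
                                              "bob@forwarder.example"),
        # Domain with no SPF record at all.
        "no_record": spf_for_envelope("203.0.113.9", "carol@nospf.example"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:24s} {result}")
```

The "forwarded_unchanged" row is the breakage the thread argues about; with the rewritten envelope, bounces go to the forwarder rather than to the original sender.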

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-11 18:54     ` David Miller
  2006-06-12  9:09       ` Matthias Andree
@ 2006-06-12 11:32       ` Nikita Danilov
  2006-06-12 14:52       ` Jeff Garzik
  2006-06-13 13:41       ` VGER does gradual SPF activation (FAQ matter) Athanasius
  3 siblings, 0 replies; 101+ messages in thread
From: Nikita Danilov @ 2006-06-12 11:32 UTC (permalink / raw)
  To: David Miller; +Cc: folkert, matti.aarnio, linux-kernel

David Miller writes:
 > From: Lee Revell <rlrevell@joe-job.com>
 > Date: Sun, 11 Jun 2006 13:54:57 -0400
 > 
 > > On Sun, 2006-06-11 at 18:02 +0200, Folkert van Heusden wrote:
 > > > Hmmm.
 > > > What about using spamhaus.org sbl+xbl list?
 > > > I used to receive 1200 spam messages a day, with spamhaus only half of
 > > > that.
 > > 
 > > What about doing nothing?  The percentage of spam on LKML is vanishingly
 > > small.
 > 
 > We definitely need a better spam solution at vger, the reason is that
 > the current mechanism (ad-hoc by-hand regexp blocking) creates lots of
 > problems.  For one thing, it means that people with names in languages
 > other than english get blocked when their emails are quoted in
 > postings.  This is because we don't understand a lot of languages, so
 > we just regexp block multibyte characters typically associated with
 > that language in order to block spam written in that language.
 > 
 > That isn't acceptable in the long term.

Why? So far people managed to transcribe their names into English
alphabet without much trouble (and ado).

Nikita. (see? I do.)

^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-12  8:18           ` Bernd Petrovitsch
  2006-06-12  8:23             ` jdow
  2006-06-12  9:53             ` Alan Cox
@ 2006-06-12 11:42             ` Kyle Moffett
  2006-06-13 23:32               ` Scott Lockwood
  2006-06-14  0:02               ` Neil Brown
  2 siblings, 2 replies; 101+ messages in thread
From: Kyle Moffett @ 2006-06-12 11:42 UTC (permalink / raw)
  To: Bernd Petrovitsch; +Cc: David Schwartz, LKML Kernel, jdow

On Jun 12, 2006, at 04:18:06, Bernd Petrovitsch wrote:
> No. SPF simply defines legitimate outgoing MTAs for a given domain.

I'm sorry, but the internet just doesn't work that way.  I have 3  
email accounts (mac.com, vt.edu, and cox.net).  Both my college and  
my house deny all SMTP to anyone but their local servers.  If mac.com  
published an SPF filter and VGER used the SPF filter, I would have no  
way at all to send mail via this account, simply for the reason that  
neither of my local ISPs will allow me to directly send email to  
mac.com.  Likewise for my vt.edu account while at home or my cox.net  
account while at college.

IMHO, turning on SPF will not gain anything for the LKML; a bayesian  
filter based solution would be much more tenable.

Cheers,
Kyle Moffett


^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-11 18:54     ` David Miller
  2006-06-12  9:09       ` Matthias Andree
  2006-06-12 11:32       ` Nikita Danilov
@ 2006-06-12 14:52       ` Jeff Garzik
  2006-06-12 20:00         ` David Miller
  2006-06-13  3:54         ` VGER does gradual SPF activation (FAQ matter) - Alternative Marc Perkel
  2006-06-13 13:41       ` VGER does gradual SPF activation (FAQ matter) Athanasius
  3 siblings, 2 replies; 101+ messages in thread
From: Jeff Garzik @ 2006-06-12 14:52 UTC (permalink / raw)
  To: David Miller, matti.aarnio; +Cc: rlrevell, folkert, linux-kernel

David Miller wrote:
> We definitely need a better spam solution at vger, the reason is that
> the current mechanism (ad-hoc by-hand regexp blocking) creates lots of
> problems.  For one thing, it means that people with names in languages
> other than english get blocked when their emails are quoted in
> postings.  This is because we don't understand a lot of languages, so
> we just regexp block multibyte characters typically associated with
> that language in order to block spam written in that language.
> 
> That isn't acceptable in the long term.

Here's another vote against SPF.

FWIW, DomainKeys looks nice.


> To be honest I'm all for some kind of bayesian filter at vger as long
> as the rejected postings go somewhere into a folder I can scan every
> couple of days looking for false positives.

Though this may not be your thing, I've often thought that this sort of 
task would be an -excellent- janitor task.

Create two simple web pages, one that shows the last 24 hours' worth of 
LKML posts, and another one that shows the last 24 hours' worth of spam. 
  Allow any user on the Internet to report an LKML post as spam, or 
alternately, highlight a false positive as not-spam.  (perhaps generate 
one of those wavy-text verify-you-are-a-human graphics)

Then you, as admin, only have to click a button that accepts or rejects 
the submission(s).  If you want to scan it yourself for false positives, 
you just hit the same webpage as everybody else.

That feedback is then fed into the bayesian system, to train it using 
well-known methods.

	Jeff




^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation  (FAQ matter)
  2006-06-12  8:32   ` Matti Aarnio
  2006-06-12  8:40     ` Russell King
  2006-06-12 11:22     ` David Woodhouse
@ 2006-06-12 15:41     ` Simon Oosthoek
  2006-06-12 22:55       ` Matthias Andree
  2006-06-13 17:41       ` Matti Aarnio
  2 siblings, 2 replies; 101+ messages in thread
From: Simon Oosthoek @ 2006-06-12 15:41 UTC (permalink / raw)
  To: Matti Aarnio; +Cc: linux-kernel

Hi Matti

(please don't consider this a personal attack, just the idea is wrong to me)

Matti Aarnio wrote:
> 
> For a very long time (like 20 years or so) I used to think like that.
> 
> Doing email services in big ISP environments for about 10 years did
> cure me of that thinking.  Ordinary Janes and Joes (and grannies
> and grandpas) must not be allowed to send email in similar ways that
> we used to do in happy 1980s when the internet was engineer playground.

This is so against the spirit and meaning of the Internet, you're not 
talking about the network we call Internet. You're talking about two 
tiered internet, which is bad too.

> The Internet needs to be segregated into two kinds of users - those that
> must not be allowed to do much of anything ( = common man to whom the
> internet equals anyway to IE web-browser ) and to first-class citizens
> with their own email servers...
> 

Why don't you go fork the Internet then? Go see if that will work?

This whole discussion is kind of ridiculous for an open source project 
like the linux kernel. If you're so keen on fixing e-mail, you should 
work closely with the IETF working groups to create a new standard that 
works.

Finally, if you consider doing this, why not consider closing the 
mailinglist to a subscription only list, that will work so much better 
than this "free lunch" (to quote someone else)

Cheers

Simon

^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation  (FAQ matter)
  2006-06-12  9:57       ` Neil Brown
@ 2006-06-12 15:55         ` Russell King
  0 siblings, 0 replies; 101+ messages in thread
From: Russell King @ 2006-06-12 15:55 UTC (permalink / raw)
  To: Neil Brown; +Cc: Matti Aarnio, zwane, linux-kernel

On Mon, Jun 12, 2006 at 07:57:22PM +1000, Neil Brown wrote:
> On Monday June 12, rmk+lkml@arm.linux.org.uk wrote:
> > On Mon, Jun 12, 2006 at 11:32:39AM +0300, Matti Aarnio wrote:
> > > SPF is application level version of this type of source sanity
> > > enforcement, and all that I intend to do is to publish that TXT
> > > entry for VGER.  Analyzing SPF data in incoming SMTP reception
> > > is a thing that I leave for later phase  (how much later,
> > > I can't say yet.)
> > 
> > In which case I have no option but to ask - Zwane, please stop using
> > my systems to forward your lkml email - Matti's proposed change will
> > potentially break that setup.
> 
> Of course you do have other options.

Since you haven't read my original reply to Matti, your comments aren't
appropriate for me since you don't know the full story.

However, I will point out that I'm at liberty to choose any option I
deem to be appropriate, for whatever reasons I feel appropriate.  In
this situation, I feel that withdrawing from providing mail forwarding
facilities is most appropriate.

I've been thinking about withdrawing that for some time for other
reasons - the SPF argument has provided another, and the final reason
to make it happen.

-- 
Russell King
 Linux kernel    2.6 ARM Linux   - http://www.arm.linux.org.uk/
 maintainer of:  2.6 Serial core

^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation  (FAQ matter)
  2006-06-12  9:05 ` Matthias Andree
@ 2006-06-12 17:28   ` Matthew Frost
  2006-06-13  0:12   ` David Woodhouse
  1 sibling, 0 replies; 101+ messages in thread
From: Matthew Frost @ 2006-06-12 17:28 UTC (permalink / raw)
  To: Matti Aarnio, linux-kernel

Matthias Andree wrote:
> On Sun, 11 Jun 2006, Matti Aarnio wrote:
...
> SPF is a non-starter.
> 
> Perhaps you should consider having filters look at the *content* of
> messages. Does it fit how common messages look on vger lists? Or does it
> look like the usual spam? bogofilter can do it. qsf can do it. spamprobe
> can do it.  crm114 can do it.  Some of these (bogofilter for instance)
> can ascertain how much it's spam, how much it's wanted, or if it's
> undecided.
> 

This is a great point; spam on linux-kernel, of all places, is notable 
by what it looks like.  Subject headers don't look right, and the 
content bears very little resemblance to l-k ham.  Maybe hand-filtering 
is catching the stuff that appears adapted to spoof legitimate kernel 
mail, but if so, it has a great track record.  Spammers don't seem to be 
targeting linux-kernel patterns.  Heck, I can train thunderbird to 
filter spam correctly by content for linux-kernel.  Bayesian works well. 
  Since it runs through Yahoo first, I often have to fight Yahoo for my 
legitimate email; that may change my mileage.  However, the other 
notable characteristic is the fact that this list ignores spam.  If it 
has a reply, it may be a flame, it may be a troll, but it hasn't ever 
been spam in my experience.

Why pursue brokenness unless it's your last resort?  You can break a lot 
of eggs without making anything edible, let alone an omelette.

Matt

^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-12  8:23             ` jdow
  2006-06-12  8:31               ` Bernd Petrovitsch
  2006-06-12  9:47               ` Neil Brown
@ 2006-06-12 17:37               ` Gerhard Mack
  2006-06-12 18:14                 ` Krzysztof Halasa
  2006-06-13 21:12                 ` David Woodhouse
  2 siblings, 2 replies; 101+ messages in thread
From: Gerhard Mack @ 2006-06-12 17:37 UTC (permalink / raw)
  To: jdow; +Cc: Bernd Petrovitsch, davids, linux-kernel

On Mon, 12 Jun 2006, jdow wrote:

> Date: Mon, 12 Jun 2006 01:23:30 -0700
> From: jdow <jdow@earthlink.net>
> To: Bernd Petrovitsch <bernd@firmix.at>
> Cc: davids@webmaster.com, linux-kernel@vger.kernel.org
> Subject: Re: VGER does gradual SPF activation (FAQ matter)
> 
> From: "Bernd Petrovitsch" <bernd@firmix.at>
> 
> > On Sat, 2006-06-10 at 22:17 -0700, jdow wrote:
> > [...]
> > > that matter. It simply says, "When I went and looked at the guy's claimed
> > > mail source the spf record said he was who he said he was." Who vouches
> > 
> > No. SPF simply defines legitimate outgoing MTAs for a given domain.
> > Within a domain, it is up to the postmaster to allow/disallow address
> > forgery and for the rest of a world (to tell where legitimate email of
> > his domain comes from), the postmaster defines SPF records.
> > 
> > Bernd
> 
> And just recently we received a spate of spam that came from a domain
> that disappeared almost immediately. Domain names are cheap. They can
> vouch for the spam run. Then what happens to them doesn't matter. But
> the SPF record passes.
> 
> {^_-}   There Ain't No Such Thing As A Free Lunch.
>        Too many people think SPF is a free lunch.

Look at it from a mail admin's perspective.  The bounces are now going 
nowhere instead of some poor user's mailbox.  You have just cut the damage 
in half.

Innerfire.net used to be forged as a spam sender every other month and 
gmack@innerfire.net so often that I still have procmail filters to 
redirect bounces to their own folder.  The thousands of messages I was 
getting was infuriating but it has been a very rare event since I set up 
SPF on my domain.

SPF may not filter spam much but if you set it to autofail you can reduce 
the risk for innocent mail admins.

	Gerhard

--
Gerhard Mack

gmack@innerfire.net

<>< As a computer I find your faith in technology amusing.

^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-12 17:37               ` Gerhard Mack
@ 2006-06-12 18:14                 ` Krzysztof Halasa
  2006-06-12 18:46                   ` jdow
  2006-06-12 21:51                   ` Bernd Petrovitsch
  2006-06-13 21:12                 ` David Woodhouse
  1 sibling, 2 replies; 101+ messages in thread
From: Krzysztof Halasa @ 2006-06-12 18:14 UTC (permalink / raw)
  To: Gerhard Mack; +Cc: jdow, Bernd Petrovitsch, davids, linux-kernel

Gerhard Mack <gmack@innerfire.net> writes:

> Look at it from a mail admin's perspective.  The bounces are now going 
> nowhere instead of some poor user's mailbox.  You have just cut the damage 
> in half.

If people doing SPF configured their servers to reject obviously
bad messages before the SMTP transaction is completed (rather than
generating a bounce later) it would IMHO do much more good.
-- 
Krzysztof Halasa

^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-12 18:14                 ` Krzysztof Halasa
@ 2006-06-12 18:46                   ` jdow
  2006-06-12 19:16                     ` Krzysztof Halasa
  2006-06-12 21:51                   ` Bernd Petrovitsch
  1 sibling, 1 reply; 101+ messages in thread
From: jdow @ 2006-06-12 18:46 UTC (permalink / raw)
  To: Gerhard Mack, Krzysztof Halasa; +Cc: Bernd Petrovitsch, davids, linux-kernel

From: "Krzysztof Halasa" <khc@pm.waw.pl>

> Gerhard Mack <gmack@innerfire.net> writes:
> 
>> Look at it from a mail admin's perspective.  The bounces are now going 
>> nowhere instead of some poor user's mailbox.  You have just cut the damage 
>> in half.
> 
> If people doing SPF configured their servers to reject obviously
> bad messages before the SMTP transaction is completed (rather than
> generating a bounce later) it would IMHO do much more good.

Krzysztof, the point here is that experience with active spam
filtering indicates that there is no such thing as "obviously bad
messages" that will not catch some good messages in its broad
brush. It will also let some not quite so obvious bad messages
through. SPF has ONE "fail" mode which is relatively good. Aside
from that it is as close to worthless for filtering spam as
anything else. It's a hint and nothing more.

SPF as a part of a fully configured anti-spam system has some use.
SPF used ALONE is as bad as SORBS used alone. You will suffer a
false alarm rate sufficient that most people would consider it quite
unacceptable.

Filtering on the basis of SPF records is not a technique that would
prove acceptable or practical for LKML. Nor will it materially stop
spam from determined spammers. The SPF record vouches for the email.
Who vouches for the SPF record?

Besides, I rather suspect everybody on this list is in a position
to and capable of setting up a decent spam filter for themselves.
I'm certainly not at the level of expertise of many or most of the
people active on this list. Yet I have a spam filter setup that has
not let a single spam leak through on this list in the last month.
Nor has it misfired once in the last month. I am not particularly
aggressive maintaining my rule sets. I don't touch them unless
something new annoys me or a spam escapes detection. About two
months ago the LKML and other similar open list spam leakage finally
"reached me." I looked at prior attempts to filter LKML. Noted what
worked and what didn't. And I ended up hitting a simple strategy.
(Unfortunately it is awkward with SpamAssassin. But it works.) I
basically make the low Bayes scores score even lower or even negative
for these "problem lists". I make the high Bayes scores score even
higher for these "problem lists". After that and with my prior Bayes
training spam from this list and others like it has simply gone away.

I used my head for something other than a hat rack for 15 minutes
to solve the problem the right way. I found a suitable wrench to
repair the email plumbing rather than beating it with a hammer or
prying at it with a screwdriver. SPF seems to be at best a MUNGED
hex key.

{^_^}   Joanne

^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-12 18:46                   ` jdow
@ 2006-06-12 19:16                     ` Krzysztof Halasa
  0 siblings, 0 replies; 101+ messages in thread
From: Krzysztof Halasa @ 2006-06-12 19:16 UTC (permalink / raw)
  To: jdow; +Cc: Gerhard Mack, Bernd Petrovitsch, davids, linux-kernel

"jdow" <jdow@earthlink.net> writes:

> Krzysztof, the point here is that experience with active spam
> filtering indicates that there is no such thing as "obviously bad
> messages" that will not catch some good messages in its broad
> brush.

Sure, but if someone bounces a message for whatever reason I assume
it's (at that point) obviously bad. It doesn't necessarily mean
spam, it might as well be a "detected virus", "user unknown" etc.
And yes, you can usually reject them in SMTP session. Doing that
fixes a real problem.
-- 
Krzysztof Halasa

^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-12 14:52       ` Jeff Garzik
@ 2006-06-12 20:00         ` David Miller
  2006-06-12 22:29           ` Jesper Juhl
  2006-06-13  3:54         ` VGER does gradual SPF activation (FAQ matter) - Alternative Marc Perkel
  1 sibling, 1 reply; 101+ messages in thread
From: David Miller @ 2006-06-12 20:00 UTC (permalink / raw)
  To: jeff; +Cc: matti.aarnio, rlrevell, folkert, linux-kernel

From: Jeff Garzik <jeff@garzik.org>
Date: Mon, 12 Jun 2006 10:52:32 -0400

> Create two simple web pages, one that shows the last 24 hours' worth of 
> LKML posts, and another one that shows the last 24 hours' worth of spam. 
>   Allow any user on the Internet to report an LKML post as spam, or 
> alternately, highlight a false positive as not-spam.  (perhaps generate 
> one of those wavy-text verify-you-are-a-human graphics)
> 
> Then you, as admin, only have to click a button that accepts or rejects 
> the submission(s).  If you want to scan it yourself for false positives, 
> you just hit the same webpage as everybody else.
> 
> That feedback is then fed into the bayesian system, to train it using 
> well-known methods.

I like this idea a lot.

^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation  (FAQ matter)
  2006-06-12  8:40     ` Russell King
  2006-06-12  9:57       ` Neil Brown
@ 2006-06-12 20:06       ` Zwane Mwaikambo
  1 sibling, 0 replies; 101+ messages in thread
From: Zwane Mwaikambo @ 2006-06-12 20:06 UTC (permalink / raw)
  To: Russell King; +Cc: Matti Aarnio, linux-kernel

On Mon, 12 Jun 2006, Russell King wrote:

> On Mon, Jun 12, 2006 at 11:32:39AM +0300, Matti Aarnio wrote:
> > SPF is application level version of this type of source sanity
> > enforcement, and all that I intend to do is to publish that TXT
> > entry for VGER.  Analyzing SPF data in incoming SMTP reception
> > is a thing that I leave for later phase  (how much later,
> > I can't say yet.)
> 
> In which case I have no option but to ask - Zwane, please stop using
> my systems to forward your lkml email - Matti's proposed change will
> potentially break that setup.

Thanks for the heads up Russell, i'll come up with an alternative.

Cheers,
	Zwane


^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-12  8:27     ` Bernd Petrovitsch
@ 2006-06-12 20:25       ` Horst von Brand
  2006-06-12 21:10         ` Nick Warne
  2006-06-12 21:43         ` Bernd Petrovitsch
  0 siblings, 2 replies; 101+ messages in thread
From: Horst von Brand @ 2006-06-12 20:25 UTC (permalink / raw)
  To: Bernd Petrovitsch
  Cc: marty fouts, David Woodhouse, Matti Aarnio, linux-kernel

Bernd Petrovitsch <bernd@firmix.at> wrote:
> On Sat, 2006-06-10 at 19:24 -0700, marty fouts wrote:

[...]

> > It doesn't work.

> It works if it is used correctly (as any tool in the world).

Right.

> The "problem" is that postmasters on the Net must do something

It took /years/ until open relays weren't common anymore... and that is a
/simple/ measure, on by default in newer upstream packages, no admin
intervention required. DNS works badly, here in Chile a major ISP had a
totally broken setup for many years.

>                                                                (namely
> 1) define if they want to allow others to detect forged emails claimed
> to come from their domain

They have /very/ little to gain by that, and setting it up correctly is a
major hassle. It breaks people sending mail "from" the domain when they
aren't there (this is rather common for people on the road), and has no
real fix. I.e., it won't ever be done. Or it will be tried, some email from
Big Cheese doesn't go through, and it will be axed.

>                           and 2) - if yes to 1) - to get appropriate SPF
> records into DNS)

Many people have no (or very little) control over their DNS data. A spammer
can then just claim it comes from one of the millions of SPF-less domains
in the world (if they don't set up their own SPFied one...). Besides,
discussions on the spamassassin lists show that SPFied email is a rather
reliable indicator of spam as things stand today...

>                   and people must either use a "good" mail relay (and
> not just the one next door) or convince postmasters to change the SPF
> records.

Won't happen.

> > It'll break standard-abiding email.

> As you see, standards change.

Yep. But SPF breaks email, not just changes the standard. For no gain at all.

> > Do you really want that?

> Yes. Especially gmail.com should do such a thing - there is such a lot
> of - presumably forged - @gmail.com mails in my mailboxes that
> blacklisting the whole domain causes probably more good than bad (for
> me, of course).

There is spam that really comes from gmail...
-- 
Dr. Horst H. von Brand                   User #22616 counter.li.org
Departamento de Informatica                     Fono: +56 32 654431
Universidad Tecnica Federico Santa Maria              +56 32 654239
Casilla 110-V, Valparaiso, Chile                Fax:  +56 32 797513


^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-12 20:25       ` Horst von Brand
@ 2006-06-12 21:10         ` Nick Warne
  2006-06-12 22:06           ` Jesper Juhl
  2006-06-12 21:43         ` Bernd Petrovitsch
  1 sibling, 1 reply; 101+ messages in thread
From: Nick Warne @ 2006-06-12 21:10 UTC (permalink / raw)
  To: Horst von Brand
  Cc: Bernd Petrovitsch, marty fouts, David Woodhouse, Matti Aarnio,
	linux-kernel

I have been following this closely, and without getting into the
discussion re SPF, I think one issue especially affecting LKML is the
traffic.

One (almost sure) fire way to stop the spam is to make a subscribed
ML.  But people like myself cannot/have not the resource to take on
the 200+ mails a day (how the kernel devs manage it, I don't know?).

So I have subscribed via my gmail account to follow the mails, but
then at least I can reply from my 'real address' and keep the thread
intact (if you see what I mean).

So, why not make the list a subscribe only list to SEND, but give an
option to NOT receive any mail from the list unless CC'ed?

Nick

On 12/06/06, Horst von Brand <vonbrand@inf.utfsm.cl> wrote:
> Bernd Petrovitsch <bernd@firmix.at> wrote:
> > On Sat, 2006-06-10 at 19:24 -0700, marty fouts wrote:
>
> [...]
>
> > > It doesn't work.
>
> > It works if it is used correctly (as any tool in the world).
>
> Right.
>
> > The "problem" is that postmasters on the Net must do something
>
> It took /years/ until open relays weren't common anymore... and that is a
> /simple/ measure, on by default in newer upstream packages, no admin
> intervention required. DNS works badly, here in Chile a major ISP had a
> totally broken setup for many years.
>
> >                                                                (namely
> > 1) define if they want to allow others to detect forged emails claimed
> > to come from their domain
>
> They have /very/ little to gain by that, and setting it up correctly is a
> major hassle. It breaks people sending mail "from" the domain when they
> aren't there (this is rather common for people on the road), and has no
> real fix. I.e., it won't ever be done. Or it will be tried, some email from
> Big Cheese doesn't go through, and it will be axed.
>
> >                           and 2) - if yes to 1) - to get appropriate SPF
> > records into DNS)
>
> Many people have no (or very little) control over their DNS data. A spammer
> can then just claim it comes from one of the millions of SPF-less domains
> in the world (if they don't set up their own SPFied one...). Besides,
> discussions on the spamassassin lists show that SPFied email is a rather
> reliable indicator of spam as things stand today...
>
> >                   and people must either use a "good" mail relay (and
> > not just the one next door) or convince postmasters to change the SPF
> > records.
>
> Won't happen.
>
> > > It'll break standard-abiding email.
>
> > As you see, standards change.
>
> Yep. But SPF breaks email, not just changes the standard. For no gain at
> all.
>
> > > Do you really want that?
>
> > Yes. Especially gmail.com should do such a thing - there is such a lot
> > of - presumably forged - @gmail.com mails in my mailboxes that
> > blacklisting the whole domain causes probably more good than bad (for
> > me, of course).
>
> There is spam that really comes from gmail...
> --
> Dr. Horst H. von Brand                   User #22616 counter.li.org
> Departamento de Informatica                     Fono: +56 32 654431
> Universidad Tecnica Federico Santa Maria              +56 32 654239
> Casilla 110-V, Valparaiso, Chile                Fax:  +56 32 797513
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
>

^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-12 20:25       ` Horst von Brand
  2006-06-12 21:10         ` Nick Warne
@ 2006-06-12 21:43         ` Bernd Petrovitsch
  2006-06-13  3:05           ` Horst von Brand
  1 sibling, 1 reply; 101+ messages in thread
From: Bernd Petrovitsch @ 2006-06-12 21:43 UTC (permalink / raw)
  To: Horst von Brand; +Cc: marty fouts, David Woodhouse, Matti Aarnio, linux-kernel

On Mon, 2006-06-12 at 16:25 -0400, Horst von Brand wrote:
> Bernd Petrovitsch <bernd@firmix.at> wrote:
[...]
> > The "problem" is that postmasters on the Net must do something
> 
> It took /years/ until open relays weren't common anymore... and that is a

ACK. And it will take years to somewhat get a grip on the spam
problem. And will take more "tools" than SPF.

> /simple/ measure, on by default in newer upstream packages, no admin
> intervention required. DNS works badly, here in Chile a major ISP had a

Well, the only necessary admin intervention was "update that MTA
package". This seems trivial and no work for people used to
yum/apt-get/urpmi/red-carpet/... but it looked quite differently 10
years ago for other OSs (Win*, Solaris 2.5, etc., hell, I knew of a
third-party MTA on Novell 3.12 where it was not even possible to
deactivate relaying).

> totally broken setup for many years.

It was an interesting experience in Austria for (mostly small) ISPs that
from one day to another email delivery didn't work anymore. No wonder
since they had almost no reverse DNS zones .... 

> >                                                                (namely
> > 1) define if they want to allow others to detect forged emails claimed
> > to come from their domain
> 
> They have /very/ little to gain by that, and setting it up correctly is a
> major hassle. It breaks people sending mail "from" the domain when they
> aren't there (this is rather common for people on the road), and has no
> real fix. I.e., it won't ever be done. Or it will be tried, some email from

Use secure authenticated mail submission on a known good MTA of said
domain (and even the smallest ISP should be able to set that up).
Yes, this seems like a waste of everything - but IMHO negligible
compared to the resources wasted by spam.

> Big Cheese doesn't go through, and it will be axed.
> 
> >                           and 2) - if yes to 1) - to get appropriate SPF
> > records into DNS)
> 
> Many people have no (or very little) control over their DNS data. A spammer
> can then just claim it comes from one of the millions of SPF-less domains
> in the world (if they don't set up their own SPFied one...). Besides,
> discussions on the spamassassin lists show that SPFied email is a rather
> reliable indicator of spam as things stand today...

Apparently spammers are faster to adopt new developments and standards
than others. SCNR ...

> >                   and people must either use a "good" mail relay (and
> > not just the one next door) or convince postmasters to change the SPF
> > records.
> 
> Won't happen.
> 
> > > It'll break standard-abiding email.
> 
> > As you see, standards change.
> 
> Yep. But SPF breaks email, not just changes the standard. For no gain at all.

Well, if you run a mail server behind a quite small line and some
spammer really forges your domain in the From: so that it takes 4 days
(yes, 96 hours) so that the bounce storm calms down and legitimate mail
can be processed again, means against trivial domain forgeries make
sense.

> > > Do you really want that?
> 
> > Yes. Especially gmail.com should do such a thing - there is such a lot
> > of - presumably forged - @gmail.com mails in my mailboxes that
> > blacklisting the whole domain causes probably more good than bad (for
> > me, of course).
> 
> There is spam that really comes from gmail...

Probably. But this is a problem gmail must (and only can) solve.

	Bernd
-- 
Firmix Software GmbH                   http://www.firmix.at/
mobil: +43 664 4416156                 fax: +43 1 7890849-55
          Embedded Linux Development and Services


^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-12 18:14                 ` Krzysztof Halasa
  2006-06-12 18:46                   ` jdow
@ 2006-06-12 21:51                   ` Bernd Petrovitsch
  1 sibling, 0 replies; 101+ messages in thread
From: Bernd Petrovitsch @ 2006-06-12 21:51 UTC (permalink / raw)
  To: Krzysztof Halasa; +Cc: Gerhard Mack, jdow, davids, linux-kernel

On Mon, 2006-06-12 at 20:14 +0200, Krzysztof Halasa wrote:
> Gerhard Mack <gmack@innerfire.net> writes:
> 
> > Look at it from a mail admin's perspective.  The bounces are now going 
> > nowhere instead of some poor user's mailbox.  You have just cut the damage 
> > in half.
> 
> If people doing SPF configured their servers to reject obviously
> bad messages before the SMTP transaction is completed (rather than
> generating a bounce later) it would IMHO do much more good.

In general that's the only sane way to reject detected spam mails (for
whatever the admin defines as "detected spam") - not only if you use
SPF.

	Bernd
-- 
Firmix Software GmbH                   http://www.firmix.at/
mobil: +43 664 4416156                 fax: +43 1 7890849-55
          Embedded Linux Development and Services


^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-12 21:10         ` Nick Warne
@ 2006-06-12 22:06           ` Jesper Juhl
  2006-06-12 22:12             ` Randy.Dunlap
                               ` (2 more replies)
  0 siblings, 3 replies; 101+ messages in thread
From: Jesper Juhl @ 2006-06-12 22:06 UTC (permalink / raw)
  To: nick
  Cc: Horst von Brand, Bernd Petrovitsch, marty fouts, David Woodhouse,
	Matti Aarnio, linux-kernel

On 12/06/06, Nick Warne <nick.warne@gmail.com> wrote:
> I have been following this closely, and without getting into the
> discussion re SPF, I think one issue especially affecting LKML is the
> traffic.
>
> One (almost sure) fire way to stop the spam is to make a subscribed
> ML.  But people like myself cannot/have not the resource to take on
> the 200+ mails a day (how the kernel devs manage it, I don't know?).
>
> So I have subscribed via my gmail account to follow the mails, but
> then at least I can reply from my 'real address' and keep the thread
> intact (if you see what I mean).
>
> So, why not make the list a subscribe only list to SEND, but give an
> option to NOT receive any mail from the list unless CC'ed?
>

Making subscription to LKML a requirement would be a major barrier for
people who just want to shoot off a bug report or similar but who do
not want to be subscribed (nor can be bothered to go through the
motions to subscribe, or perhaps can't work out how to subscribe)...
We want users to be able to submit bug reports to the list easily.

-- 
Jesper Juhl <jesper.juhl@gmail.com>
Don't top-post  http://www.catb.org/~esr/jargon/html/T/top-post.html
Plain text mails only, please      http://www.expita.com/nomime.html

^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-12 22:06           ` Jesper Juhl
@ 2006-06-12 22:12             ` Randy.Dunlap
  2006-06-12 23:03             ` jdow
  2006-06-13  0:11             ` Phil Oester
  2 siblings, 0 replies; 101+ messages in thread
From: Randy.Dunlap @ 2006-06-12 22:12 UTC (permalink / raw)
  To: Jesper Juhl
  Cc: nick, vonbrand, bernd, mf.danger, dwmw2, matti.aarnio,
	linux-kernel

On Tue, 13 Jun 2006 00:06:52 +0200 Jesper Juhl wrote:

> On 12/06/06, Nick Warne <nick.warne@gmail.com> wrote:
> > I have been following this closely, and without getting into the
> > discussion re SPF, I think one issue especially affecting LKML is the
> > traffic.
> >
> > One (almost sure) fire way to stop the spam is to make a subscribed
> > ML.  But people like myself cannot/have not the resource to take on
> > the 200+ mails a day (how the kernel devs manage it, I don't know?).
> >
> > So I have subscribed via my gmail account to follow the mails, but
> > then at least I can reply from my 'real address' and keep the thread
> > intact (if you see what I mean).
> >
> > So, why not make the list a subscribe only list to SEND, but give an
> > option to NOT receive any mail from the list unless CC'ed?
> >
> 
> Making subscription to LKML a requirement would be a major barrier for
> people who just want to shoot off a bug report or similar but who do
> not want to be subscribed (nor can be bothered to go through the
> motions to subscribe, or perhaps can't work out how to subscribe)...
> We want users to be able to submit bug reports to the list easily.

or they could use bugzilla.kernel.org ...

---
~Randy

^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-12 20:00         ` David Miller
@ 2006-06-12 22:29           ` Jesper Juhl
  2006-06-12 22:48             ` David Miller
  0 siblings, 1 reply; 101+ messages in thread
From: Jesper Juhl @ 2006-06-12 22:29 UTC (permalink / raw)
  To: David Miller; +Cc: jeff, matti.aarnio, rlrevell, folkert, linux-kernel

On 12/06/06, David Miller <davem@davemloft.net> wrote:
> From: Jeff Garzik <jeff@garzik.org>
> Date: Mon, 12 Jun 2006 10:52:32 -0400
>
> > Create two simple web pages, one that shows the last 24 hours' worth of
> > LKML posts, and another one that shows the last 24 hours' worth of spam.
> >   Allow any user on the Internet to report an LKML post as spam, or
> > alternately, highlight a false positive as not-spam.  (perhaps generate
> > one of those wavy-text verify-you-are-a-human graphics)
> >
> > Then you, as admin, only have to click a button that accepts or rejects
> > the submission(s).  If you want to scan it yourself for false positives,
> > you just hit the same webpage as everybody else.
> >
> > That feedback is then fed into the bayesian system, to train it using
> > well-known methods.
>
> I like this idea a lot.

It's a lot more sane than SPF, that's for sure.

I'd suggest taking a look at DSPAM (http://dspam.nuclearelephant.com/)
for something like that.

But, there are also other, and even simpler, options.
I've personally found that using some of the built-in anti-spam
features in postfix can be used to stop a lot of spam with almost zero
impact on ham. While some of the features do affect some ham, there
are a few that almost never do, yet they stop quite a bit of spam:


  smtpd_client_restrictions =
    reject_unauth_pipelining

Reject the mail if the sending server tries to send SMTP commands
ahead of time without first checking if the server supports
pipelining.
I've only ever seen obvious spam sources being rejected by this.


  smtpd_helo_required = yes

Mail servers that can't be bothered to send any HELO/EHLO at all are
in my experience only spam sources.


  smtpd_helo_restrictions =
    reject_invalid_hostname,

This will reject mail from servers that send a hostname in HELO/EHLO
that has bad syntax or invalid characters. I've never seen this one
reject valid senders, but I have seen it reject a lot of spam sources.
Postfix also has other more strict checks you can enable on helo, but
those tend to reject too much valid mail.


  strict_rfc821_envelopes = yes

This rejects some spam from spambots that don't know how to generate a
proper mail. I've on occasion seen it hit valid senders, but very
rarely.


  smtpd_sender_restrictions =
    reject_non_fqdn_sender,
    reject_unknown_sender_domain

This will reject mail with senders without a fully qualified name as
well as sender addresses where the sender domain does not have an A or
MX record.
This stops a lot of spam on my servers and I've never had any problems
with it since what's the point of accepting a mail from somewhere that
you can't reply back to...


  smtpd_recipient_restrictions =
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain

Same as for senders, reject the mail if the recipient domain is not
fully qualified or the recipient domain has no A or MX record.


Implementing these things should have a minimum of impact on ham on
vger, but should stop a fair amount of spam - at least they do for me,
and my servers at work pass hundreds of thousands of messages daily
without users complaining about these settings and I can see in the
logs that they stop quite a lot of junk.


-- 
Jesper Juhl <jesper.juhl@gmail.com>
Don't top-post  http://www.catb.org/~esr/jargon/html/T/top-post.html
Plain text mails only, please      http://www.expita.com/nomime.html

^ permalink raw reply	[flat|nested] 101+ messages in thread
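
The SMTP-time checks listed in the message above, restated as MTA-independent logic over constructed sessions. This is an added example, not part of the thread and not Postfix's implementation: `first_rejection`, the session tuples and the `RESOLVABLE` set (a stand-in for DNS A/MX lookups) are hypothetical, and the syntax rules are a simplification.

```python
import re

_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")   # one letter-digit-hyphen label
_ENVELOPE = re.compile(r"^<([^<>\s]*)>$")                 # bare <path>, no display name


def valid_hostname(name):
    """Syntax only: dot-separated LDH labels, or a bracketed address literal."""
    if name.startswith("[") and name.endswith("]"):
        return len(name) > 2
    if name.endswith("."):
        name = name[:-1]
    return 0 < len(name) <= 253 and all(_LABEL.match(p) for p in name.split("."))


def is_fqdn(domain):
    """Assumption: fully qualified means valid syntax and at least two labels."""
    return (not domain.startswith("[") and "." in domain.rstrip(".")
            and valid_hostname(domain))


def check_address(arg, kind, resolves):
    """Return the name of the setting that would reject this envelope address."""
    m = _ENVELOPE.match(arg)
    if not m:
        return "strict_rfc821_envelopes"
    addr = m.group(1)
    if addr == "" and kind == "sender":
        return None                      # null sender <>: bounces must stay deliverable
    domain = addr.rpartition("@")[2] if "@" in addr else ""
    if not is_fqdn(domain):
        return f"reject_non_fqdn_{kind}"
    if not resolves(domain.lower()):
        return f"reject_unknown_{kind}_domain"
    return None


def first_rejection(session, resolves):
    """session: list of (verb, argument, early). `early` is True when the command
    arrived before the server had replied to the previous one. Model assumption:
    the server advertises PIPELINING only in its reply to EHLO."""
    greeted, advertised, prev = False, False, None
    for verb, arg, early in session:
        # Sending ahead is only legitimate once the client has read the EHLO reply.
        if early and (not advertised or prev == "EHLO"):
            return "reject_unauth_pipelining"
        if verb in ("HELO", "EHLO"):
            if not valid_hostname(arg):
                return "reject_invalid_hostname"
            greeted, advertised = True, verb == "EHLO"
        elif verb in ("MAIL", "RCPT"):
            if not greeted:
                return "smtpd_helo_required"
            kind = "sender" if verb == "MAIL" else "recipient"
            verdict = check_address(arg, kind, resolves)
            if verdict:
                return verdict
        prev = verb
    return None


# Constructed data: domains treated as having an A or MX record.
RESOLVABLE = {"example.org", "vger.kernel.org"}
LKML = "<linux-kernel@vger.kernel.org>"

# Constructed sessions, one per check.
SESSIONS = {
    "clean_pipelined": [("EHLO", "mail.example.org", False),
                        ("MAIL", "<alice@example.org>", False), ("RCPT", LKML, True)],
    "blast_after_helo": [("HELO", "mail.example.org", False),
                         ("MAIL", "<alice@example.org>", True)],
    "blast_before_ehlo_reply": [("EHLO", "mail.example.org", False),
                                ("MAIL", "<alice@example.org>", True)],
    "no_helo": [("MAIL", "<alice@example.org>", False)],
    "bad_helo": [("HELO", "bad_host!.example", False)],
    "display_name": [("HELO", "mail.example.org", False),
                     ("MAIL", "Bob <bob@example.org>", False)],
    "short_sender": [("HELO", "mail.example.org", False),
                     ("MAIL", "<bob@localhost>", False)],
    "dead_domain": [("HELO", "mail.example.org", False),
                    ("MAIL", "<bob@no-such-domain.invalid>", False)],
    "bounce": [("HELO", "mail.example.org", False),
               ("MAIL", "<>", False), ("RCPT", LKML, False)],
    "short_rcpt": [("HELO", "mail.example.org", False),
                   ("MAIL", "<alice@example.org>", False),
                   ("RCPT", "<linux-kernel@vger>", False)],
}


def run_all():
    """Map each constructed session to the setting that rejects it (None = accepted)."""
    return {name: first_rejection(s, RESOLVABLE.__contains__)
            for name, s in SESSIONS.items()}


if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(f"{name:26} {verdict or 'accepted'}")
```

Every verdict here is reached from what the client sends during the SMTP session, so a rejection can be issued as an in-session error reply rather than as a later bounce.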

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-12 22:29           ` Jesper Juhl
@ 2006-06-12 22:48             ` David Miller
  2006-06-12 22:57               ` Jesper Juhl
  0 siblings, 1 reply; 101+ messages in thread
From: David Miller @ 2006-06-12 22:48 UTC (permalink / raw)
  To: jesper.juhl; +Cc: jeff, matti.aarnio, rlrevell, folkert, linux-kernel

From: "Jesper Juhl" <jesper.juhl@gmail.com>
Date: Tue, 13 Jun 2006 00:29:46 +0200

> features in postfix

We use zmailer, so any suggestions will need to be codified
in zmailer's configuration framework :-)

^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation  (FAQ matter)
  2006-06-12 15:41     ` Simon Oosthoek
@ 2006-06-12 22:55       ` Matthias Andree
  2006-06-13 17:41       ` Matti Aarnio
  1 sibling, 0 replies; 101+ messages in thread
From: Matthias Andree @ 2006-06-12 22:55 UTC (permalink / raw)
  To: Simon Oosthoek; +Cc: Matti Aarnio, linux-kernel

On Mon, 12 Jun 2006, Simon Oosthoek wrote:

> Finally, if you consider doing this, why not consider closing the 
> mailinglist to a subscription only list, that will work so much better 
> than this "free lunch" (to quote someone else)

OK, this was suggested elsewhere, and often, and list regulars keep
replying they want the list open for bug submissions.  Bugzilla for this
task of bug reporting aside, if the list is closed, it seems someone
will have to moderate messages from non-subscribers and allow sane ones
to pass and discard the advertising.

This is where Bayesian filtering can also help, by sorting out which
message is likely spam and which is likely not and reducing the strain
on the Bayesian filtering database janitors.

Perhaps this is an acceptable compromise, but judging from past
experience, I'd say it shouldn't be a promise but rather requires some
information, such as knowing which percentage of postings are from
unsubscribed list members. Are the numbers relevant at all?

-- 
Matthias Andree

^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-12 22:48             ` David Miller
@ 2006-06-12 22:57               ` Jesper Juhl
  0 siblings, 0 replies; 101+ messages in thread
From: Jesper Juhl @ 2006-06-12 22:57 UTC (permalink / raw)
  To: David Miller; +Cc: jeff, matti.aarnio, rlrevell, folkert, linux-kernel

On 13/06/06, David Miller <davem@davemloft.net> wrote:
> From: "Jesper Juhl" <jesper.juhl@gmail.com>
> Date: Tue, 13 Jun 2006 00:29:46 +0200
>
> > features in postfix
>
> We use zmailer, so any suggestions will need to be codified
> in zmailer's configuration framework :-)
>
Heh, ok, I've never used zmailer, so I wouldn't know how to do that,
but perhaps someone else could work out how to do those things with
zmailer...
But, the main point was to point out some good things to implement
that can stop a lot of spam without impacting ham in any significant
way. The fact that I personally use postfix to do these things is not
so important, what's important is how the measures work - finding a
way to implement them with any other MTA should be possible :)


-- 
Jesper Juhl <jesper.juhl@gmail.com>
Don't top-post  http://www.catb.org/~esr/jargon/html/T/top-post.html
Plain text mails only, please      http://www.expita.com/nomime.html

^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-12 22:06           ` Jesper Juhl
  2006-06-12 22:12             ` Randy.Dunlap
@ 2006-06-12 23:03             ` jdow
  2006-06-13  3:00               ` Horst von Brand
  2006-06-15 17:05               ` Keith Owens
  2006-06-13  0:11             ` Phil Oester
  2 siblings, 2 replies; 101+ messages in thread
From: jdow @ 2006-06-12 23:03 UTC (permalink / raw)
  To: Jesper Juhl, nick
  Cc: Horst von Brand, Bernd Petrovitsch, marty fouts, David Woodhouse,
	Matti Aarnio, linux-kernel

From: "Jesper Juhl" <jesper.juhl@gmail.com>

> On 12/06/06, Nick Warne <nick.warne@gmail.com> wrote:
>> I have been following this closely, and without getting into the
>> discussion re SPF, I think one issue especially affecting LKML is the
>> traffic.
>>
>> One (almost sure) fire way to stop the spam is to make a subscribed
>> ML.  But people like myself cannot/have not the resource to take on
>> the 200+ mails a day (how the kernel devs manage it, I don't know?).
>>
>> So I have subscribed via my gmail account to follow the mails, but
>> then at least I can reply from my 'real address' and keep the thread
>> intact (if you see what I mean).
>>
>> So, why not make the list a subscribe only list to SEND, but give an
>> option to NOT receive any mail from the list unless CC'ed?
>>
> 
> Making subscription to LKML a requirement would be a major barrier for
> people who just want to shoot off a bug report or similar but who do
> not want to be subscribed (nor can be bothered to go through the
> motions to subscribe, or perhaps can't work out how to subscribe)...
> We want users to be able to submit bug reports to the list easily.

Greylist those who have not subscribed. Let their email server try
again in 30 minutes. For those who are not subscribed it should not
matter if their message is delayed 30 minutes. And so far spammers
never try again. That's FAR more likely to nail spam than using SPF
as a singular measure. It doesn't even require the remote DNS
transaction to check an SPF record.

{^_^}   Joanne

^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-12 22:06           ` Jesper Juhl
  2006-06-12 22:12             ` Randy.Dunlap
  2006-06-12 23:03             ` jdow
@ 2006-06-13  0:11             ` Phil Oester
  2006-06-13  0:26               ` David Miller
  2006-06-13 15:17               ` Joel Jaeggli
  2 siblings, 2 replies; 101+ messages in thread
From: Phil Oester @ 2006-06-13  0:11 UTC (permalink / raw)
  To: Jesper Juhl
  Cc: nick, Horst von Brand, Bernd Petrovitsch, marty fouts,
	David Woodhouse, Matti Aarnio, linux-kernel

On Tue, Jun 13, 2006 at 12:06:52AM +0200, Jesper Juhl wrote:
> Making subscription to LKML a requirement would be a major barrier for
> people who just want to shoot off a bug report or similar but who do
> not want to be subscribed (nor can be bothered to go through the
> motions to subscribe, or perhaps can't work out how to subscribe)...
> We want users to be able to submit bug reports to the list easily.

The rejection sent to non-subscribers could point them to a website
where they could submit a message via a webform (after correctly
entering the contents of a CAPTCHA).  

Phil

^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation  (FAQ matter)
  2006-06-12  9:05 ` Matthias Andree
  2006-06-12 17:28   ` Matthew Frost
@ 2006-06-13  0:12   ` David Woodhouse
  1 sibling, 0 replies; 101+ messages in thread
From: David Woodhouse @ 2006-06-13  0:12 UTC (permalink / raw)
  To: Matthias Andree; +Cc: Matti Aarnio, linux-kernel

On Mon, 2006-06-12 at 11:05 +0200, Matthias Andree wrote:
> I believe checking Received: headers of backscatter (that term is used
> in Postfix discussions for "back falling junk") catches a fair amount
> of that junk. 

Backscatter is trivial to deal with by other means -- like BATV.

Presumably we'd never accept bounces to the list addresses _anyway_,
since the lists never send mail from their canonical address.

-- 
dwmw2


^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-13  0:11             ` Phil Oester
@ 2006-06-13  0:26               ` David Miller
  2006-06-13  4:18                 ` Willy Tarreau
  2006-06-13 15:17               ` Joel Jaeggli
  1 sibling, 1 reply; 101+ messages in thread
From: David Miller @ 2006-06-13  0:26 UTC (permalink / raw)
  To: kernel
  Cc: jesper.juhl, nick, vonbrand, bernd, mf.danger, dwmw2,
	matti.aarnio, linux-kernel

From: Phil Oester <kernel@linuxace.com>
Date: Mon, 12 Jun 2006 17:11:01 -0700

> On Tue, Jun 13, 2006 at 12:06:52AM +0200, Jesper Juhl wrote:
> > Making subscription to LKML a requirement would be a major barrier for
> > people who just want to shoot off a bug report or similar but who do
> > not want to be subscribed (nor can be bothered to go through the
> > motions to subscribe, or perhaps can't work out how to subscribe)...
> > We want users to be able to submit bug reports to the list easily.
> 
> The rejection sent to non-subscribers could point them to a website
> where they could submit a message via a webform (after correctly
> entering the contents of a CAPTCHA).  

No way, too much work.  If plain email doesn't work, people will
throw up their hands and say "why bother?"  We don't want to do
one iota of something which will even possibly deter a bug report
because we need as much information about bugs as possible.

^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-12 23:03             ` jdow
@ 2006-06-13  3:00               ` Horst von Brand
  2006-06-13  5:54                 ` jdow
  2006-06-13  9:05                 ` David Woodhouse
  2006-06-15 17:05               ` Keith Owens
  1 sibling, 2 replies; 101+ messages in thread
From: Horst von Brand @ 2006-06-13  3:00 UTC (permalink / raw)
  To: jdow
  Cc: Jesper Juhl, nick, Horst von Brand, Bernd Petrovitsch,
	marty fouts, David Woodhouse, Matti Aarnio, linux-kernel

jdow <jdow@earthlink.net> wrote:

[...]

> Greylist those who have not subscribed.

That is not easy to do.

>                                         Let their email server try
> again in 30 minutes. For those who are not subscribed it should not
> matter if their message is delayed 30 minutes. And so far spammers
> never try again.

Wrong. Greylisting does stop an immense amount of spam here, but a lot
comes through.

>                  That's FAR more likely to nail spam than using SPF
> as a singular measure. It doesn't even require the remote DNS
> transaction to check an SPF record.

Right.
-- 
Dr. Horst H. von Brand                   User #22616 counter.li.org
Departamento de Informatica                     Fono: +56 32 654431
Universidad Tecnica Federico Santa Maria              +56 32 654239
Casilla 110-V, Valparaiso, Chile                Fax:  +56 32 797513

^ permalink raw reply	[flat|nested] 101+ messages in thread
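
The greylisting proposal above, together with the reply that some spam still gets through, as an added example that is not part of the thread or of any MTA. The `Greylist` class, the 24-hour record lifetime and the /24 keying are assumptions, and all addresses are constructed.

```python
from dataclasses import dataclass, field

GREYLIST_DELAY = 30 * 60       # seconds; the 30 minutes suggested in the thread
RECORD_TTL = 24 * 60 * 60      # assumption: forget triplets not retried within a day


@dataclass
class Greylist:
    # Envelope senders exempt from greylisting. The envelope sender is not
    # authenticated, so this exemption is only as strong as that address.
    subscribers: set
    delay: int = GREYLIST_DELAY
    ttl: int = RECORD_TTL
    first_seen: dict = field(default_factory=dict)   # triplet -> time of first attempt
    passed: set = field(default_factory=set)         # triplets that retried correctly

    @staticmethod
    def _net(ip):
        # Key on the IPv4 /24 so a retry from a sibling host of the same
        # outbound pool still matches (IPv4 only in this example).
        return ip.rsplit(".", 1)[0]

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return (code, text) for RCPT TO; `now` is a time in seconds."""
        sender = mail_from.lower()
        if sender in self.subscribers:
            return 250, "OK subscriber"
        triplet = (self._net(client_ip), sender, rcpt_to.lower())
        if triplet in self.passed:
            return 250, "OK known triplet"
        seen = self.first_seen.get(triplet)
        if seen is None or now - seen > self.ttl:
            self.first_seen[triplet] = now           # first contact, or stale record
            return 451, "Greylisted, try again later"
        if now - seen < self.delay:
            return 451, "Greylisted, retry came too early"
        self.passed.add(triplet)                     # a queueing MTA came back
        return 250, "OK retried after delay"


def simulate(greylist, attempts):
    """attempts: list of (time, client_ip, mail_from, rcpt_to); returns reply codes."""
    return [greylist.check(ip, frm, to, t)[0] for t, ip, frm, to in attempts]


LKML = "linux-kernel@vger.kernel.org"


def demo():
    """Run four constructed senders against one greylist and collect reply codes."""
    gl = Greylist(subscribers={"dev@example.org"})
    return {
        # Subscriber: never delayed.
        "subscriber": simulate(gl, [(0, "192.0.2.10", "dev@example.org", LKML)]),
        # One-off bug reporter behind a real MTA: retries too early, then on
        # schedule from a sibling host, and is delivered.
        "bug_reporter": simulate(gl, [
            (0, "198.51.100.7", "reporter@example.net", LKML),
            (600, "198.51.100.7", "reporter@example.net", LKML),
            (1900, "198.51.100.9", "reporter@example.net", LKML),
            (5000, "198.51.100.7", "reporter@example.net", LKML)]),
        # Fire-and-forget sender: one attempt, never delivered.
        "no_retry": simulate(gl, [(0, "203.0.113.50", "offer@example.com", LKML)]),
        # Sender that queues and retries: indistinguishable from the bug
        # reporter, so greylisting alone lets it through.
        "retrying_bulk": simulate(gl, [
            (0, "203.0.113.60", "offer2@example.com", LKML),
            (1800, "203.0.113.60", "offer2@example.com", LKML)]),
    }


if __name__ == "__main__":
    for name, codes in demo().items():
        print(f"{name:14} {codes}")
```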

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-12 21:43         ` Bernd Petrovitsch
@ 2006-06-13  3:05           ` Horst von Brand
  2006-06-13  8:31             ` Bernd Petrovitsch
  0 siblings, 1 reply; 101+ messages in thread
From: Horst von Brand @ 2006-06-13  3:05 UTC (permalink / raw)
  To: Bernd Petrovitsch
  Cc: marty fouts, David Woodhouse, Matti Aarnio, linux-kernel

Bernd Petrovitsch <bernd@firmix.at> wrote:

[...]

> Use secure authenticated mail submission on a known good MTA of said
> domain (and even the smallest ISP should be able to set that up).

So what? What should make me trust some domain that I've never before
heard of is correctly set up? No, "package it up so the dumbest admin on
Earth can set it up" helps not an iota, they sure will.

[...]

> Apparently spammers are faster to adopt new developments and standards
> than others. SCNR ...

Bingo! It is their /business/ you are killing, after all...
-- 
Dr. Horst H. von Brand                   User #22616 counter.li.org
Departamento de Informatica                     Fono: +56 32 654431
Universidad Tecnica Federico Santa Maria              +56 32 654239
Casilla 110-V, Valparaiso, Chile                Fax:  +56 32 797513

^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter) - Alternative
  2006-06-12 14:52       ` Jeff Garzik
  2006-06-12 20:00         ` David Miller
@ 2006-06-13  3:54         ` Marc Perkel
  2006-06-13  4:51           ` David Miller
  1 sibling, 1 reply; 101+ messages in thread
From: Marc Perkel @ 2006-06-13  3:54 UTC (permalink / raw)
  To: Jeff Garzik, linux-kernel; +Cc: David Miller, matti.aarnio, rlrevell, folkert

For what it's worth, I do front end spam filtering for domains and I 
will volunteer to filter the spam for this list.

Here's my reference:
http://www.junkemailfilter.com/dvorak.mp3
It's an MP3 from This Week in technology.

However - the spam problem on this list isn't too bad.



^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-13  0:26               ` David Miller
@ 2006-06-13  4:18                 ` Willy Tarreau
  0 siblings, 0 replies; 101+ messages in thread
From: Willy Tarreau @ 2006-06-13  4:18 UTC (permalink / raw)
  To: David Miller
  Cc: kernel, jesper.juhl, nick, vonbrand, bernd, mf.danger, dwmw2,
	matti.aarnio, linux-kernel

On Mon, Jun 12, 2006 at 05:26:23PM -0700, David Miller wrote:
> From: Phil Oester <kernel@linuxace.com>
> Date: Mon, 12 Jun 2006 17:11:01 -0700
> 
> > On Tue, Jun 13, 2006 at 12:06:52AM +0200, Jesper Juhl wrote:
> > > Making subscription to LKML a requirement would be a major barrier for
> > > people who just want to shoot off a bug report or similar but who do
> > > not want to be subscribed (nor can be bothered to go through the
> > > motions to subscribe, or perhaps can't work out how to subscribe)...
> > > We want users to be able to submit bugreports to the list easily.
> > 
> > The rejection sent to non-subscribers could point them to a website
> > where they could submit a message via a webform (after correctly
> > entering the contents of a CAPTCHA).  
> 
> No way, too much work.  If plain email doesn't work, people will
> throw up their hands and say "why bother?"  We don't want to do
> one iota of something which will even possibly deter a bug report
> because we need as much information about bugs as possible.

I agree with you David. I had to report a bug to the NTP mailing list. I
got it back right in my face because I had not subscribed. Then I went
to their bugzilla interface... What a counter-intuitive tool ! I was about
to give up at least 3 times. It took me at least 15 minutes to find how I
could report my bug and provide the patch in a usable form. I'm really
sure that a lot of bug reports get lost because of this !

I'd rather get a few spams on LKML than lose bug reports because of
discouraged users !

Cheers,
Willy


^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter) - Alternative
  2006-06-13  3:54         ` VGER does gradual SPF activation (FAQ matter) - Alternative Marc Perkel
@ 2006-06-13  4:51           ` David Miller
  0 siblings, 0 replies; 101+ messages in thread
From: David Miller @ 2006-06-13  4:51 UTC (permalink / raw)
  To: marc; +Cc: jeff, linux-kernel, matti.aarnio, rlrevell, folkert

From: Marc Perkel <marc@perkel.com>
Date: Mon, 12 Jun 2006 20:54:06 -0700

> For what it's worth, I do front end spam filtering for domains and I 
> will volunteer to filter the spam for this list.

I don't know... the track record for the email address
subscriptions for perkel.com on vger.kernel.org isn't all that great
:-)

! egrep perkel.com /var/log/del-log 
1126508199 davem marc@perkel.com linux-kernel user unknown
1127412390 davem marc@perkel.com linux-kernel redhat@perkel.com: Unrouteable address
1128312934 davem marc@perkel.com linux-kernel redhat@perkel.com: 550 REJECTED - User not found
1128627445 davem marc@perkel.com linux-kernel redhat@perkel.com: unrouteable address
1129247390 davem marc@perkel.com linux-kernel user unknown
1130807755 davem marc@perkel.com linux-kernel redhat@perkel.com: 550 REJECTED - User not found
1131385740 davem marc@perkel.com linux-kernel user unknown
1136501663 davem marc@perkel.com linux-kernel 421 Lost incoming connection: The error was detected in line 3.

^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-13  3:00               ` Horst von Brand
@ 2006-06-13  5:54                 ` jdow
  2006-06-13  8:36                   ` Bernd Petrovitsch
                                     ` (2 more replies)
  2006-06-13  9:05                 ` David Woodhouse
  1 sibling, 3 replies; 101+ messages in thread
From: jdow @ 2006-06-13  5:54 UTC (permalink / raw)
  To: Horst von Brand
  Cc: Jesper Juhl, nick, Horst von Brand, Bernd Petrovitsch,
	marty fouts, David Woodhouse, Matti Aarnio, linux-kernel

From: "Horst von Brand" <vonbrand@inf.utfsm.cl>

> jdow <jdow@earthlink.net> wrote:
> 
> [...]
> 
>> Greylist those who have not subscribed.
> 
> That is not easy to do.

Somebody needs to write the code to make it easy to do for a list
server. It should not be hard to do.

>>                                         Let their email server try
>> again in 30 minutes. For those who are not subscribed it should not
>> matter if their message is delayed 30 minutes. And so far spammers
>> never try again.
> 
> Wrong. Greylisting does stop an immense amount of spam here, but a lot
> comes through.

So if it's not perfect it's not worth doing at all, eh? Yet you think
SPF, which is FAR less suited as a spam preventative, is a single
point solution. Double think was supposed to have come and gone in
1984, I thought.

{^_^}

^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-13  3:05           ` Horst von Brand
@ 2006-06-13  8:31             ` Bernd Petrovitsch
  2006-06-13 10:50               ` Matthias Andree
  0 siblings, 1 reply; 101+ messages in thread
From: Bernd Petrovitsch @ 2006-06-13  8:31 UTC (permalink / raw)
  To: Horst von Brand; +Cc: marty fouts, David Woodhouse, Matti Aarnio, linux-kernel

On Mon, 2006-06-12 at 23:05 -0400, Horst von Brand wrote:
> Bernd Petrovitsch <bernd@firmix.at> wrote:
[...]
> > Use secure authenticated mail submission on a known good MTA of said
> > domain (and even the smallest ISP should be able to set that up).
> 
> So what? What should make me trust some domain that I've never before

Well, so everyone can send email through an MTA (the email accounts
"home MTA") covered in the SPF records.

> heard of is correctly set up? No, "package it up so the dumbest admin on

What makes you believe that the domains you heard of are set up
correctly?
Of course for some/several/many of them you know (because you or
trustworthy people administrate them or the domain setup looks sane
to the rest of the world), but for other (including "well known")
domains and in the long run?

If the point was: "We want to tolerate ill-adminned domains."
That depends on the error hypotheses and which ill behaviour one wants
to tolerate ......

> Earth can set it up" helps not an iota, they sure will.

I'm not designing (or propagating) anything for dumb admins (they will
screw up anything anyways and an admin knows per definition what s/he is
doing) but it is enough for sane (but also overloaded - so it should not
be too much of a hassle) admins.

	Bernd
-- 
Firmix Software GmbH                   http://www.firmix.at/
mobil: +43 664 4416156                 fax: +43 1 7890849-55
          Embedded Linux Development and Services


^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-13  5:54                 ` jdow
@ 2006-06-13  8:36                   ` Bernd Petrovitsch
  2006-06-13  9:58                   ` Marc Perkel
  2006-06-13 13:28                   ` Horst von Brand
  2 siblings, 0 replies; 101+ messages in thread
From: Bernd Petrovitsch @ 2006-06-13  8:36 UTC (permalink / raw)
  To: jdow
  Cc: Horst von Brand, Jesper Juhl, nick, marty fouts, David Woodhouse,
	Matti Aarnio, linux-kernel

On Mon, 2006-06-12 at 22:54 -0700, jdow wrote:
> From: "Horst von Brand" <vonbrand@inf.utfsm.cl>
> > jdow <jdow@earthlink.net> wrote:
[...]
> >> Greylist those who have not subscribed.
[...]
> >>                                         Let their email server try
> >> again in 30 minutes. For those who are not subscribed it should not
> >> matter if their message is delayed 30 minutes. And so far spammers
> >> never try again.
> > 
> > Wrong. Greylisting does stop an immense amount of spam here, but a lot
> > comes through.

On one low traffic domain, we perceived 50% less spam with greylisting.
But spam is rising.

> So if it's not perfect it's not worth doing at all, eh? Yet you think

It works now but the next generation viruses/trojans/.... will have real
MTA functionality (i.e. SMTP 100% correct) and it is not a problem since
the zombie nets are large enough that that won't hurt anyone really.

> SPF, which is FAR less suited as a spam preventative, is a single

No means alone will kill spam (except making email as such as expensive
as snail mail). So comparing different means makes no sense.

	Bernd
-- 
Firmix Software GmbH                   http://www.firmix.at/
mobil: +43 664 4416156                 fax: +43 1 7890849-55
          Embedded Linux Development and Services


^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-13  3:00               ` Horst von Brand
  2006-06-13  5:54                 ` jdow
@ 2006-06-13  9:05                 ` David Woodhouse
  2006-06-13 10:45                   ` Matthias Andree
  1 sibling, 1 reply; 101+ messages in thread
From: David Woodhouse @ 2006-06-13  9:05 UTC (permalink / raw)
  To: Horst von Brand
  Cc: jdow, Jesper Juhl, nick, Bernd Petrovitsch, marty fouts,
	Matti Aarnio, linux-kernel

On Mon, 2006-06-12 at 23:00 -0400, Horst von Brand wrote:
> > Greylist those who have not subscribed.
> 
> That is not easy to do. 

It's fairly trivial with a decent MTA. I use all kinds of conditions to
trigger greylisting -- HTML mail, 'Re:' in subject with no References:,
lack of reverse DNS or CSA on the sending host, >=0.1 SA points, etc.
Adding "is not subscribed to the mailing list they're trying to post to"
should be trivial.

-- 
dwmw2


^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-13  5:54                 ` jdow
  2006-06-13  8:36                   ` Bernd Petrovitsch
@ 2006-06-13  9:58                   ` Marc Perkel
  2006-06-13 13:28                   ` Horst von Brand
  2 siblings, 0 replies; 101+ messages in thread
From: Marc Perkel @ 2006-06-13  9:58 UTC (permalink / raw)
  To: linux-kernel; +Cc: Bernd Petrovitsch



jdow wrote:
> From: "Horst von Brand" <vonbrand@inf.utfsm.cl>
>
>> jdow <jdow@earthlink.net> wrote:
>>
>> [...]
>>
>>> Greylist those who have not subscribed.
>>
>> That is not easy to do.
>
> Somebody needs to write the code to make it easy to do for a list
> server. It should not be hard to do.
>
>

Actually if you are running Exim for an MTA it would be quite easy to 
do. What's your MTA?


^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-13  9:05                 ` David Woodhouse
@ 2006-06-13 10:45                   ` Matthias Andree
  2006-06-13 12:24                     ` David Woodhouse
  0 siblings, 1 reply; 101+ messages in thread
From: Matthias Andree @ 2006-06-13 10:45 UTC (permalink / raw)
  To: David Woodhouse
  Cc: Horst von Brand, jdow, Jesper Juhl, nick, Bernd Petrovitsch,
	marty fouts, Matti Aarnio, linux-kernel

On Tue, 13 Jun 2006, David Woodhouse wrote:

> On Mon, 2006-06-12 at 23:00 -0400, Horst von Brand wrote:
> > > Greylist those who have not subscribed.
> > 
> > That is not easy to do. 
> 
> It's fairly trivial with a decent MTA. I use all kinds of conditions to
> trigger greylisting -- HTML mail, 'Re:' in subject with no References:,
> lack of reverse DNS or CSA on the sending host, >=0.1 SA points, etc.
> Adding "is not subscribed to the mailing list they're trying to post to"
> should be trivial.

Given that list drivers are separate from the MTA (and that's good),
it's less trivial than simply looking at message headers or DNS info
that the MTA shuffles around anyways. The MTA doesn't need the
subscription list however, since "exploding" the subscriber list is a
separate problem handled by Majordomo, Mailman, Sympa, whatever.

-- 
Matthias Andree

^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-13  8:31             ` Bernd Petrovitsch
@ 2006-06-13 10:50               ` Matthias Andree
  2006-06-13 13:15                 ` Justin Piszcz
  0 siblings, 1 reply; 101+ messages in thread
From: Matthias Andree @ 2006-06-13 10:50 UTC (permalink / raw)
  To: Bernd Petrovitsch
  Cc: Horst von Brand, marty fouts, David Woodhouse, Matti Aarnio,
	linux-kernel

Bernd Petrovitsch schrieb am 2006-06-13:

> On Mon, 2006-06-12 at 23:05 -0400, Horst von Brand wrote:
> > Bernd Petrovitsch <bernd@firmix.at> wrote:
> [...]
> > > Use secure authenticated mail submission on a known good MTA of said
> > > domain (and even the smallest ISP should be able to set that up).
> > 
> > > So what? What should make me trust some domain that I've never before
> 
> Well, so everyone can send email through an MTA (the email accounts
> "home MTA") covered in the SPF records.

As (1) SPF is demonstrably useless to establish trust and (2) the
argument that SPF doesn't provide the required blacklist information
hasn't been countered yet, it follows that
SPF just makes life harder for everyone without real benefits in return.

SPF also prefers end-to-end mailings and falls short when relays are
used - but these are advocated by the SPF disciples.

Can this SPF madness please be buried now?

-- 
Matthias Andree

^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-13 10:45                   ` Matthias Andree
@ 2006-06-13 12:24                     ` David Woodhouse
  2006-06-13 12:49                       ` Matthias Andree
  0 siblings, 1 reply; 101+ messages in thread
From: David Woodhouse @ 2006-06-13 12:24 UTC (permalink / raw)
  To: Matthias Andree
  Cc: Horst von Brand, jdow, Jesper Juhl, nick, Bernd Petrovitsch,
	marty fouts, Matti Aarnio, linux-kernel

On Tue, 2006-06-13 at 12:45 +0200, Matthias Andree wrote:
> > It's fairly trivial with a decent MTA. I use all kinds of conditions to
> > trigger greylisting -- HTML mail, 'Re:' in subject with no References:,
> > lack of reverse DNS or CSA on the sending host, >=0.1 SA points, etc.
> > Adding "is not subscribed to the mailing list they're trying to post to"
> > should be trivial.
> 
> Given that list drivers are separate from the MTA (and that's good),

I'm unconvinced of the goodness of that. With a suitably capable MTA,
there isn't a huge reason not to have the basic receive-and-resend mail
path handled _entirely_ by the MTA, rather than pawning it off to
separate software. Obviously the interface to subscribers, be it through
email or http, wants to be separate -- but receiving and sending email
is what an MTA does best. And I've learned to hate mailman with a
vengeance -- I've been meaning to investigate exilist for some time now,
for my mailing lists.

http://duncanthrax.net/exilist-distro/

> it's less trivial than simply looking at message headers or DNS info
> that the MTA shuffles around anyways. The MTA doesn't need the
> subscription list however, since "exploding" the subscriber list is a
> separate problem handled by Majordomo, Mailman, Sympa, whatever. 

Even if you have a cron job which extracts the subscriber list into a
text file or other database which is used by the MTA, it isn't
particularly hard. In many cases, Exim should probably be able to read
the subscriber database directly, anyway.

Actually, just tagging _all_ posts to the list for greylisting is
probably OK as long as you're doing your greylisting sensibly. The thing
about greylisting is that you're checking to see if it's a dump-and-run
spammer, or whether it's a real mail host with a queue. Once a given
host is observed to actually retry and get past the greylisting, there's
little point in _ever_ greylisting mail from that host again anyway.

If you get that right, it doesn't matter if you tag every incoming mail
to the list for greylisting; it doesn't keep causing delays to people
who've got mail through before.

-- 
dwmw2


^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-13 12:24                     ` David Woodhouse
@ 2006-06-13 12:49                       ` Matthias Andree
  2006-06-13 13:10                         ` David Woodhouse
  2006-06-13 15:19                         ` Marc Perkel
  0 siblings, 2 replies; 101+ messages in thread
From: Matthias Andree @ 2006-06-13 12:49 UTC (permalink / raw)
  To: David Woodhouse, linux-kernel

(cutting Cc list short)

On Tue, 13 Jun 2006, David Woodhouse wrote:

> > Given that list drivers are separate from the MTA (and that's good),
> 
> I'm unconvinced of the goodness of that.

Separating tasks into distinct processes, to prevent rampant list
drivers from messing with the MTA and vice versa.

I'm also not convinced greylisting is a "solution". Once it catches on,
spammers will retry. They control enough drones where smashing out
successful deliveries from their address list and retrying them will
work for them.

-- 
Matthias Andree

^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-13 12:49                       ` Matthias Andree
@ 2006-06-13 13:10                         ` David Woodhouse
  2006-06-13 15:19                         ` Marc Perkel
  1 sibling, 0 replies; 101+ messages in thread
From: David Woodhouse @ 2006-06-13 13:10 UTC (permalink / raw)
  To: Matthias Andree; +Cc: linux-kernel

On Tue, 2006-06-13 at 14:49 +0200, Matthias Andree wrote:
> Separating tasks into distinct processes, to prevent rampant list
> drivers from messing with the MTA and vice versa.

We're talking about _one_ task; receiving mail to one address, and
delivering it to other addresses. That's what the MTA _does_ -- all it
needs from the mailing list side is the list of recipients.

I wouldn't want to put all the bounce processing &c into the MTA, but
basic handling of list traffic does make a certain amount of sense. In
expanding a simple list, there isn't much scope for 'rampant list
drivers' to screw anything up.

> I'm also not convinced greylisting is a "solution". Once it catches on,
> spammers will retry. They control enough drones where smashing out
> successful deliveries from their address list and retrying them will
> work for them. 

You may be right. But still, it keeps us ahead of the game and it's very
effective right now -- partly because lots of people still _aren't_
using it. It does require a modicum of clue to implement.

I think it'll be a long time before greylisting is no longer beneficial,
if it ever does happen.

-- 
dwmw2


^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-13 10:50               ` Matthias Andree
@ 2006-06-13 13:15                 ` Justin Piszcz
  0 siblings, 0 replies; 101+ messages in thread
From: Justin Piszcz @ 2006-06-13 13:15 UTC (permalink / raw)
  To: Matthias Andree
  Cc: Bernd Petrovitsch, Horst von Brand, marty fouts, David Woodhouse,
	Matti Aarnio, linux-kernel



On Tue, 13 Jun 2006, Matthias Andree wrote:

> Bernd Petrovitsch schrieb am 2006-06-13:
>
>> On Mon, 2006-06-12 at 23:05 -0400, Horst von Brand wrote:
>>> Bernd Petrovitsch <bernd@firmix.at> wrote:
>> [...]
>>>> Use secure authenticated mail submission on a known good MTA of said
>>>> domain (and even the smallest ISP should be able to set that up).
>>>
>>> So what? What should make me trust some domain that I've never before
>>
>> Well, so everyone can send email through an MTA (the email accounts
>> "home MTA") covered in the SPF records.
>
> As (1) SPF is demonstrably useless to establish trust and (2) the
> argument that SPF doesn't provide the required blacklist information
> hasn't been countered yet, it follows that
> SPF just makes life harder for everyone without real benefits in return.
>
> SPF also prefers end-to-end mailings and falls short when relays are
> used - but these are advocated by the SPF disciples.
>
> Can this SPF madness please be buried now?
>
> -- 
> Matthias Andree

SPF can be useful though, as a lot of Asian spam, for example, says they
are hotmail.com and they are not; SPF can reject much faster than sender
address verification.



^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-13  5:54                 ` jdow
  2006-06-13  8:36                   ` Bernd Petrovitsch
  2006-06-13  9:58                   ` Marc Perkel
@ 2006-06-13 13:28                   ` Horst von Brand
  2006-06-13 14:34                     ` David Woodhouse
  2 siblings, 1 reply; 101+ messages in thread
From: Horst von Brand @ 2006-06-13 13:28 UTC (permalink / raw)
  To: jdow
  Cc: Jesper Juhl, nick, Bernd Petrovitsch, marty fouts,
	David Woodhouse, Matti Aarnio, linux-kernel

jdow <jdow@earthlink.net> wrote:
> From: "Horst von Brand" <vonbrand@inf.utfsm.cl>
> > jdow <jdow@earthlink.net> wrote:

> > [...]

> >> Greylist those who have not subscribed.
> > That is not easy to do.

> Somebody needs to write the code to make it easy to do for a list
> server. It should not be hard to do.

Great! Show us how. I'd be delighted to use it here.

> >>                                         Let their email server try
> >> again in 30 minutes. For those who are not subscribed it should not
> >> matter if their message is delayed 30 minutes. And so far spammers
> >> never try again.

> > Wrong. Greylisting does stop an immense amount of spam here, but a
> > lot comes through.

> So if it's not perfect it's not worth doing at all, eh?

Didn't say that. Spammers /are/ finding ways to fool greylisting, that is
all.

>                                                         Yet you think
> SPF, which is FAR less suited as a spam preventative, is a single
> point solution.

I don't know where you got the idea I consider SPF a "single point
solution". FYI, here we use greylisting, spamassassin, ClamAV (much junk is
malware), and blacklists (both local ones and via DNS). We analyzed SPF and
rejected it a while ago as unfixably broken. No "single point solution" in
sight, sadly.

>                 Double think was supposed to have come and gone in
> 1984, I thought.

Double think is alive and well, thank you very much.
-- 
Dr. Horst H. von Brand                   User #22616 counter.li.org
Departamento de Informatica                     Fono: +56 32 654431
Universidad Tecnica Federico Santa Maria              +56 32 654239
Casilla 110-V, Valparaiso, Chile                Fax:  +56 32 797513

^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-11 18:54     ` David Miller
                         ` (2 preceding siblings ...)
  2006-06-12 14:52       ` Jeff Garzik
@ 2006-06-13 13:41       ` Athanasius
  3 siblings, 0 replies; 101+ messages in thread
From: Athanasius @ 2006-06-13 13:41 UTC (permalink / raw)
  To: linux-kernel; +Cc: David Miller, matti.aarnio

David Miller wrote:
>To be honest I'm all for some kind of bayesian filter at vger as long
>as the rejected postings go somewhere into a folder I can scan every
>couple of days looking for false positives.

  For what it's worth, there's an awful lot of spam that makes it past
vger's filters to me that also then goes on to not get caught by my
(very well trained) bogofilter.  In other words, I'm not sure how much
this would add.

  Of course if it's instead of some of the current vger filtering it
will almost certainly be worthwhile.

-Ath
-- 
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
                  Finger athan(at)fysh.org for PGP key
	   "And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME


^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-13 13:28                   ` Horst von Brand
@ 2006-06-13 14:34                     ` David Woodhouse
  0 siblings, 0 replies; 101+ messages in thread
From: David Woodhouse @ 2006-06-13 14:34 UTC (permalink / raw)
  To: Horst von Brand
  Cc: jdow, Jesper Juhl, nick, Bernd Petrovitsch, marty fouts,
	Matti Aarnio, linux-kernel

On Tue, 2006-06-13 at 09:28 -0400, Horst von Brand wrote
> > >> Greylist those who have not subscribed.
> > > That is not easy to do.
> 
> > Somebody needs to write the code to make it easy to do for a list
> > server. It should not be hard to do.
> 
> Great! Show us how. I'd be delighted to use it here. 

For me, it would be three lines of extra code in my Exim configuration
and a cron job to extract the subscriber lists into a text file which
Exim can read -- and the latter is just because I haven't bothered to
check whether Exim could read the mailman database directly.

Once I ditch mailman and switch to something like exilist, Exim _will_
be able to get at those lists directly, so it'll be even simpler.

Given a config like my existing one at http://david.woodhou.se/eximconf/
all you have to do to trigger greylisting for a particular 'offence' is
to add to the $acl_m0 variable when your check for it is triggered.

Whenever that variable is non-empty, the mail is considered for
greylisting by the snippet of ACL code which I've put in its own file at
http://david.woodhou.se/eximconf/include/acl-greylist and which gets
called from the post-DATA ACL after the SpamAssassin stuff (which also
triggers greylisting, at low scores).

(Hm, I _really_ should pull my finger out and switch from my original
hackish implementation to the sqlite version which Jeff sent me --
acl-greylist-sqlite in the same directory.)

All I'd need would be a cron job which sticks a file for each list
somewhere, say /foo/bar/subscribers/, with the filename being the full
(user@domain) name of the list, and the file being just a plain text
list of addresses, one per line.

Then I'd add three lines to the Exim configuration, in the RCPT ACL:

warn recipients = dsearch;/foo/bar/subscribers
     !senders = lsearch;/foo/bar/subscribers/$local_part@$domain
     set acl_m0 = Post to $local_part list by non-subscriber.

Entirely untested... but certainly not particularly hard.

-- 
dwmw2


^ permalink raw reply	[flat|nested] 101+ messages in thread
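
The greylisting policy David Woodhouse describes in his 12:24 and 14:34 messages above, modelled in Python as an added example (it is not his Exim configuration or the acl-greylist file he links): mail to a list is tagged when the sender is not in that list's subscriber file, tagged mail is deferred until the host retries after the delay, and a host that has retried once is not greylisted again. The subscriber directory layout is the one he describes; the class, the per-(host, sender, recipient) bookkeeping, and all addresses and hosts are assumptions constructed for the demo.

```python
import os
import tempfile

RETRY_DELAY = 30 * 60  # seconds; the 30-minute retry window mentioned in the thread


def load_subscribers(directory, list_address):
    """Return the subscriber set for a list, or None if no file exists for it."""
    # The recipient address becomes a file name, so refuse anything that could
    # name a path outside the subscriber directory.
    if "/" in list_address or list_address.startswith("."):
        return None
    path = os.path.join(directory, list_address)
    if not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8") as fh:
        return {line.strip().lower() for line in fh if line.strip()}


class Greylister:
    """Toy model of the policy; state lives in memory, not in a database."""

    def __init__(self, subscriber_dir, delay=RETRY_DELAY):
        self.subscriber_dir = subscriber_dir
        self.delay = delay
        self.first_seen = {}       # (host, sender, recipient) -> first attempt time
        self.proven_hosts = set()  # hosts that have retried after the delay

    def tag(self, sender, recipient):
        """Return a reason string if this mail should be considered for greylisting."""
        subscribers = load_subscribers(self.subscriber_dir, recipient.lower())
        if subscribers is None:        # recipient is not one of our lists
            return None
        if sender.lower() in subscribers:
            return None
        return "Post to %s list by non-subscriber." % recipient.split("@")[0]

    def check(self, host, sender, recipient, now):
        """Return ('accept' | 'defer', reason). 'defer' stands for an SMTP 4xx reply."""
        reason = self.tag(sender, recipient)
        if reason is None:
            return ("accept", "not tagged")
        if host in self.proven_hosts:
            # A host with a real retry queue is never delayed again.
            return ("accept", "host already passed greylisting")
        key = (host, sender.lower(), recipient.lower())
        first = self.first_seen.setdefault(key, now)
        if now - first >= self.delay:
            self.proven_hosts.add(host)
            del self.first_seen[key]
            return ("accept", "retried after delay")
        return ("defer", reason)


def demo():
    """Run constructed delivery attempts through the model; return the decisions."""
    with tempfile.TemporaryDirectory() as subs:
        lst = "demo-list@lists.example.org"
        # Constructed subscriber file: named after the list, one address per line.
        with open(os.path.join(subs, lst), "w", encoding="utf-8") as fh:
            fh.write("alice@example.org\n")
        g = Greylister(subs)
        attempts = [
            ("192.0.2.10", "alice@example.org", lst, 0),       # subscriber
            ("198.51.100.7", "bob@example.net", lst, 0),       # first try, non-subscriber
            ("198.51.100.7", "bob@example.net", lst, 600),     # retried too early
            ("198.51.100.7", "bob@example.net", lst, 1800),    # retried after the delay
            ("198.51.100.7", "carol@example.net", lst, 1900),  # same host, now proven
            ("203.0.113.5", "x@example.com", lst, 1900),       # dump-and-run: one attempt
            ("203.0.113.5", "x@example.com", "postmaster@lists.example.org", 1900),
            # Not a usable list file name, so this layer does not tag it.
            ("203.0.113.5", "x@example.com", "../" + lst, 1900),
        ]
        return [g.check(*a)[0] for a in attempts]


if __name__ == "__main__":
    print(demo())
```
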

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-13  0:11             ` Phil Oester
  2006-06-13  0:26               ` David Miller
@ 2006-06-13 15:17               ` Joel Jaeggli
  1 sibling, 0 replies; 101+ messages in thread
From: Joel Jaeggli @ 2006-06-13 15:17 UTC (permalink / raw)
  To: Phil Oester
  Cc: Jesper Juhl, nick, Horst von Brand, Bernd Petrovitsch,
	marty fouts, David Woodhouse, Matti Aarnio, linux-kernel

Phil Oester wrote:
> On Tue, Jun 13, 2006 at 12:06:52AM +0200, Jesper Juhl wrote:
>> Making subscription to LKML a requirement would be a major barrier for
>> people who just want to shoot off a bug report or similar but who do
>> not want to be subscribed (nor can be bothered to go through the
>> motions to subscribe, or perhaps can't work out how to subscribe)...
>> We want users to be able to submit bugreports to the list easily.
> 
> The rejection sent to non-subscribers could point them to a website
> where they could submit a message via a webform (after correctly
> entering the contents of a CAPTCHA).  

Some of us refuse to participate in turing tests.

CAPTCHAs also have serious accessibility issues.


> Phil


-- 
-------------------------------------------------
Joel Jaeggli (joelja@uoregon.edu)
GPG Key Fingerprint:
5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2

^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-13 12:49                       ` Matthias Andree
  2006-06-13 13:10                         ` David Woodhouse
@ 2006-06-13 15:19                         ` Marc Perkel
  2006-06-13 15:57                           ` Auke Kok
  1 sibling, 1 reply; 101+ messages in thread
From: Marc Perkel @ 2006-06-13 15:19 UTC (permalink / raw)
  To: linux-kernel

Here's a cheap trick that I use to get rid of a lot of spam. What I do 
is set my highest MX record to a nonworking IP address. Spammers often 
start at the highest MX rather than the lowest figuring the highest has 
less spam filtering. And the spammers never retry. I get rid of about 
120,000 spams a day with this trick.

^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-13 15:19                         ` Marc Perkel
@ 2006-06-13 15:57                           ` Auke Kok
  2006-06-13 19:54                             ` David Woodhouse
  0 siblings, 1 reply; 101+ messages in thread
From: Auke Kok @ 2006-06-13 15:57 UTC (permalink / raw)
  To: Marc Perkel; +Cc: linux-kernel

Marc Perkel wrote:
> Here's a cheap trick that I use to get rid of a lot of spam. What I do 
> is set my highest MX record to a nonworking IP address. Spammers often 
> start at the highest MX rather than the lowest figuring the highest has 
> less spam filtering. And the spammers never retry. I get rid of about 
> 120,000 spams a day with this trick.

and this will also get you blacklisted - it is not allowed to have non-working 
or bogus MX records. See http://www.rfc-ignorant.org/policy-bogusmx.php

Auke

^ permalink raw reply	[flat|nested] 101+ messages in thread

* Re: VGER does gradual SPF activation  (FAQ matter)
  2006-06-12 15:41     ` Simon Oosthoek
  2006-06-12 22:55       ` Matthias Andree
@ 2006-06-13 17:41       ` Matti Aarnio
  1 sibling, 0 replies; 101+ messages in thread
From: Matti Aarnio @ 2006-06-13 17:41 UTC (permalink / raw)
  To: Simon Oosthoek; +Cc: Matti Aarnio, linux-kernel

On Mon, Jun 12, 2006 at 05:41:35PM +0200, Simon Oosthoek wrote:
> Hi Matti

Hello Simon,  for a change somebody who gets my name correctly :-)
(Just today I did teach a Londoner to pronounce that double-t properly,
it did sound weird...)

> Matti Aarnio wrote:
> >
> >For a very long time (like 20 years or so) I used to think like that.
> >
> >Doing email services in big ISP environments for about 10 years did
> >cure me of that thinking.  Ordinary Janes and Joes (and grannies
> >and grandpas) must not be allowed to send email in similar ways that
> >we used to do in happy 1980es when the internet was engineer playground.
> 
> This is so against the spirit and meaning of the Internet, you're not 
> talking about the network we call Internet. You're talking about two 
> tiered internet, which is bad too.

Yes, I agree.  Surprisingly by calling it "security enhanced" or something,
ISPs can  _charge_more_,  and users are happy to buy it!  (I have seen this
happening in Finland.)

I have also seen compartementalisation(sp?) failures resulting from
"these customer networks can send email via those SMTP servers" - and
then a user changes access provider, but not email provider (or does
not know how to change OE configurations to match..)
There a widely adopted SMTP SUBMISSION protocol (SMTP on TCP port 587
and _requiring_ at least sender authentication before _any_ sort of
sending is allowed - preferably under TLS) would make that subset
of users isp-change problems moot.
Also the server configuration is simple: "user did authenticate ok,
let it send that email" - no network ACLs to keep up at all.

With authentication done, ISP can even verify source address validity
on the submission, or perhaps choose not to verify..  It might again
be a positive sales argument.

Travellers would have _easy_ access to their "home postoffice" over
the network, and be able to send email authenticated no matter where
they are, and in whose network _without_need_to_find_ that local SMTP
server that lets them send their email...

Of course ISPs would need to  a)  enable the service (and do it
correctly),  b)  educate their users to use it.


And this, by the way, is something that I do think that people SHOULD
use, no matter if SPF (or its likes) ever makes it mandatory.

It will block tons of email viruses from sending themselves around,
until they learn to pick user's submission authentication data.
.. and when they do, service provider can block that USER whose
account is misused.


> >The Internet needs to be segregated into two kinds of users - those that
> >must not be allowed to do much of anything ( = common man to whom the
> >internet equals anyway to IE web-browser ) and to first-class citizens
> >with their own email servers...
> 
> Why don't you go fork the Internet then? Go see if that will work?
> 
> This whole discussion is kind of ridiculous for an open source project 
> like the linux kernel. If you're so keen on fixing e-mail, you should 
> work closely with the IETF working groups to create a new standard that 
> works.

Do read RFC 2821/2822 credits section.

I have been on this business quite a while :-)

> Finally, if you consider doing this, why not consider closing the 
> mailinglist to a subscription only list, that will work so much better 
> than this "free lunch" (to quote someone else)
> 
> Cheers
> Simon

Cheers from London,
  Matti Aarnio


* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-13 15:57                           ` Auke Kok
@ 2006-06-13 19:54                             ` David Woodhouse
  2006-06-13 20:31                               ` Lennart Sorensen
  0 siblings, 1 reply; 101+ messages in thread
From: David Woodhouse @ 2006-06-13 19:54 UTC (permalink / raw)
  To: Auke Kok; +Cc: Marc Perkel, linux-kernel

On Tue, 2006-06-13 at 08:57 -0700, Auke Kok wrote:
> and this will also get you blacklisted - it is not allowed to have non-working 
> or bogus MX records. See http://www.rfc-ignorant.org/policy-bogusmx.php 

Just set it to an IPv6-only host; that'll have the same effect on most
of the Luddites out there without being invalid.

-- 
dwmw2



* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-13 19:54                             ` David Woodhouse
@ 2006-06-13 20:31                               ` Lennart Sorensen
  2006-06-13 20:48                                 ` David Woodhouse
  0 siblings, 1 reply; 101+ messages in thread
From: Lennart Sorensen @ 2006-06-13 20:31 UTC (permalink / raw)
  To: David Woodhouse; +Cc: Auke Kok, Marc Perkel, linux-kernel

On Tue, Jun 13, 2006 at 08:54:03PM +0100, David Woodhouse wrote:
> On Tue, 2006-06-13 at 08:57 -0700, Auke Kok wrote:
> > and this will also get you blacklisted - it is not allowed to have non-working 
> > or bogus MX records. See http://www.rfc-ignorant.org/policy-bogusmx.php 
> 
> Just set it to an IPv6-only host; that'll have the same effect on most
> of the Luddites out there without being invalid.

That particular site did explicitly state that they treat ipv6 only hosts
the same as invalid hosts.  So not much point doing that either, unless
you like being blacklisted.

Len Sorensen


* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-13 20:31                               ` Lennart Sorensen
@ 2006-06-13 20:48                                 ` David Woodhouse
  0 siblings, 0 replies; 101+ messages in thread
From: David Woodhouse @ 2006-06-13 20:48 UTC (permalink / raw)
  To: Lennart Sorensen; +Cc: Auke Kok, Marc Perkel, linux-kernel

On Tue, 2006-06-13 at 16:31 -0400, Lennart Sorensen wrote:
> On Tue, Jun 13, 2006 at 08:54:03PM +0100, David Woodhouse wrote:
> > On Tue, 2006-06-13 at 08:57 -0700, Auke Kok wrote:
> > > and this will also get you blacklisted - it is not allowed to have non-working 
> > > or bogus MX records. See http://www.rfc-ignorant.org/policy-bogusmx.php 
> > 
> > Just set it to an IPv6-only host; that'll have the same effect on most
> > of the Luddites out there without being invalid.
> 
> That particular site did explicitly state that they treat ipv6 only hosts
> the same as invalid hosts.  So not much point doing that either, unless
> you like being blacklisted.

Oh, in that case, it can just get dumped in the pile of other
kook-blacklists and we don't need to worry about it.

Shame; I didn't realise RFC-ignorant.org was so, well, ignorant.

-- 
dwmw2



* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-12 17:37               ` Gerhard Mack
  2006-06-12 18:14                 ` Krzysztof Halasa
@ 2006-06-13 21:12                 ` David Woodhouse
  1 sibling, 0 replies; 101+ messages in thread
From: David Woodhouse @ 2006-06-13 21:12 UTC (permalink / raw)
  To: Gerhard Mack; +Cc: jdow, Bernd Petrovitsch, davids, linux-kernel

On Mon, 2006-06-12 at 13:37 -0400, Gerhard Mack wrote:
> 
> Innerfire.net used to be forged as a spam sender every other month and 
> gmack@innerfire.net so often that I still have procmail filters to 
> redirect bounces to their own folder.  The thousands of messages I was 
> getting was infuriating but it has been a very rare event since I set up 
> SPF on my domain.
> 
> SPF may not filter spam much but if you set it to autofail you can reduce 
> the risk for innocent mail admins. 

There are much better ways to achieve that same effect. I don't get
_any_ faked bounces to dwmw2@infradead.org any more, and I didn't have
to disavow _valid_ forwarded mail in order to achieve that.

-- 
dwmw2



* RE: VGER does gradual SPF activation (FAQ matter)
  2006-06-12 11:42             ` Kyle Moffett
@ 2006-06-13 23:32               ` Scott Lockwood
  2006-06-13 23:42                 ` Kyle Moffett
  2006-06-14  0:02               ` Neil Brown
  1 sibling, 1 reply; 101+ messages in thread
From: Scott Lockwood @ 2006-06-13 23:32 UTC (permalink / raw)
  To: 'Kyle Moffett'; +Cc: linux-kernel

So get a better ISP than cox.net. 

-----Original Message-----
From: linux-kernel-owner@vger.kernel.org
[mailto:linux-kernel-owner@vger.kernel.org] On Behalf Of Kyle Moffett
Sent: Monday, June 12, 2006 6:42 AM
To: Bernd Petrovitsch
Cc: David Schwartz; LKML Kernel; jdow
Subject: Re: VGER does gradual SPF activation (FAQ matter)

On Jun 12, 2006, at 04:18:06, Bernd Petrovitsch wrote:
> No. SPF simply defines legitimate outgoing MTAs for a given domain.

I'm sorry, but the internet just doesn't work that way.  I have 3 email
accounts (mac.com, vt.edu, and cox.net).  Both my college and my house deny
all SMTP to anyone but their local servers.  If mac.com published an SPF
filter and VGER used the SPF filter, I would have no way at all to send mail
via this account, simply for the reason that neither of my local ISPs will
allow me to directly send email to mac.com.  Likewise for my vt.edu account
while at home or my cox.net account while at college.

IMHO, turning on SPF will not gain anything for the LKML; a bayesian filter
based solution would be much more tenable.

Cheers,
Kyle Moffett




* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-13 23:32               ` Scott Lockwood
@ 2006-06-13 23:42                 ` Kyle Moffett
  0 siblings, 0 replies; 101+ messages in thread
From: Kyle Moffett @ 2006-06-13 23:42 UTC (permalink / raw)
  To: Scott Lockwood; +Cc: linux-kernel

On Jun 13, 2006, at 19:32:54, Scott Lockwood wrote:
> So get a better ISP than cox.net.

Right; I get to pick between comcast cable, cox cable, and verizon  
dsl, all of which offer that same "feature" along with port 80  
blocking and a host of other invasive features (not to mention the  
hundred ARP "Who has 1.2.3.4?" requests per second).  My college does  
the same SMTP blocking and there is no "alternate ISP" there.

Cheers,
Kyle Moffett



* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-12 11:42             ` Kyle Moffett
  2006-06-13 23:32               ` Scott Lockwood
@ 2006-06-14  0:02               ` Neil Brown
  2006-06-14 10:20                 ` Matthias Andree
  1 sibling, 1 reply; 101+ messages in thread
From: Neil Brown @ 2006-06-14  0:02 UTC (permalink / raw)
  To: Kyle Moffett; +Cc: Bernd Petrovitsch, David Schwartz, LKML Kernel, jdow

On Monday June 12, mrmacman_g4@mac.com wrote:
> On Jun 12, 2006, at 04:18:06, Bernd Petrovitsch wrote:
> > No. SPF simply defines legitimate outgoing MTAs for a given domain.
> 
> I'm sorry, but the internet just doesn't work that way.  I have 3  
> email accounts (mac.com, vt.edu, and cox.net).  Both my college and  
> my house deny all SMTP to anyone but their local servers.  If mac.com  
> published an SPF filter and VGER used the SPF filter, I would have no  
> way at all to send mail via this account, simply for the reason that  
> neither of my local ISPs will allow me to directly send email to  
> mac.com.  Likewise for my vt.edu account while at home or my cox.net  
> account while at college.

But I'm sure if that happened you could find a way.
The 'best' way would be for mac.com (and everyone else) to accept mail
submission (and only authenticated mail submission) on the
'submission' port (which is an IETF standard RFC2476).
Then port-25 blocking wouldn't be a problem for you.

Now, it could be that SPF might become a standards-track RFC.  And if
it did (may not be likely, but should be seen as possible as a lot of
people are pushing despite the fact that many push back) then people
would feel justified in implementing it and you might start to find
your mail isn't getting through.

So if you want to be sure of continued access to your mac.com mail
address, I would suggest you try lobbying the mac.com admins to
support 'submission' (I notice it doesn't currently).  Then you can
start using 'submission' to submit mail.  And you can use exactly the
same mail configuration no matter what ISP you are talking through,
and you will be ready in case the crazy loons out there do manage to
convince IETF to move SPF to the standards-track.

		  Don't be held hostage by your ISP.
	   Insist on using 'submission' for mail submission.

NeilBrown
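
The submission policy Matti Aarnio and Neil Brown describe (authenticate under TLS first, no network ACLs, optional check of the envelope sender), as an added example that is not part of any message in this thread. The accounts, addresses and the `SubmissionSession` class are constructed for illustration; the reply codes follow RFC 3207 and RFC 4954.

```python
"""Decision logic of an authenticated mail submission service (constructed example)."""
import base64
import hmac

# Constructed accounts. A real service stores salted password hashes.
PASSWORDS = {"alice": "correct-horse", "bob": "hunter2"}
OWNED = {"alice": {"alice@example.org"}, "bob": {"bob@example.org"}}


def sasl_plain(user, password):
    """Client side of AUTH PLAIN: base64 of authzid NUL user NUL password."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


class SubmissionSession:
    def __init__(self, client_ip, verify_sender=True, disabled=()):
        self.client_ip = client_ip        # kept for logging; no decision uses it
        self.verify_sender = verify_sender
        self.disabled = set(disabled)     # accounts the provider has blocked
        self.tls = False
        self.user = None

    def command(self, verb, arg=""):
        """Return the SMTP reply code for one client command."""
        if verb == "STARTTLS":
            self.tls, self.user = True, None   # state is reset after the handshake
            return 220
        if verb == "AUTH":                     # arg: AUTH PLAIN initial response
            if not self.tls:
                return 538                     # encryption required before AUTH
            try:
                _authzid, user, password = base64.b64decode(arg).decode().split("\0")
            except (ValueError, UnicodeDecodeError):
                return 501                     # malformed response
            expected = PASSWORDS.get(user)
            ok = expected is not None and hmac.compare_digest(
                expected.encode(), password.encode())
            if not ok or user in self.disabled:
                return 535                     # credentials invalid or account blocked
            self.user = user
            return 235                         # authentication successful
        if verb == "MAIL":                     # arg: envelope sender address
            if self.user is None:
                return 530                     # authentication required
            if self.verify_sender and arg.lower() not in OWNED[self.user]:
                return 553                     # sender not owned by this login
            return 250
        return 502                             # anything else: not modelled here


def run_session(session, commands):
    return [session.command(*c) for c in commands]


def login_and_send(session, user, password, sender):
    return run_session(session, [("STARTTLS",),
                                 ("AUTH", sasl_plain(user, password)),
                                 ("MAIL", sender)])


if __name__ == "__main__":
    # A traveller on somebody else's network (constructed address) is accepted.
    print(login_and_send(SubmissionSession("198.51.100.7"),
                         "alice", "correct-horse", "alice@example.org"))
    # A client that never authenticates cannot send anything.
    print(run_session(SubmissionSession("192.0.2.10"), [("MAIL", "alice@example.org")]))
```

Because the client address never enters a decision, the same account works from any access network, and a misused account is stopped by adding it to `disabled`.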


* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-14  0:02               ` Neil Brown
@ 2006-06-14 10:20                 ` Matthias Andree
  2006-06-16  3:53                   ` Kyle Moffett
  0 siblings, 1 reply; 101+ messages in thread
From: Matthias Andree @ 2006-06-14 10:20 UTC (permalink / raw)
  To: Neil Brown
  Cc: Kyle Moffett, Bernd Petrovitsch, David Schwartz, LKML Kernel,
	jdow

Neil Brown wrote on 2006-06-14:

> But I'm sure if that happened you could find a way.

So SPF followers must try to talk their way out of responsibility for the
nonsense they create(d) or advocate(d). "I'm sure you can", "Your ISP
must", "You must not" and thereabouts don't work, because...

> The 'best' way would be for mac.com (and everyone else) to accept mail
> submission (and only authenticated mail submission) on the
> 'submission' port (which is an IETF standard RFC2476).
> Then port-25 blocking wouldn't be a problem for you.

...RFC-2476 isn't a mandatory standard as in "every ISP must offer
submission service"

> Now, it could be that SPF might become a standards-track RFC.  And if
> it did (may not be likely, but should be seen as possible as a lot of
> people are pushing despite the fact that many push back) then people
> would feel justified in implementing it and you might start to find
> your mail isn't getting through.

Is anyone really thinking sabotaging technical systems is a good way to
solve social problems?

> 		  Don't be held hostage by your ISP.
> 	   Insist on using 'submission' for mail submission.

Perhaps if people stopped being so narrow-minded to think that looking
at the envelope were a good way to separate the chaff from the wheat, it
might work. Much sooner than killing accessibility and negating SPF
responsibility by trying to coerce people who live somewhere in the
outback and have no choice of ISP into changing ISP or other nonsense.

-- 
Matthias Andree


* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-12 23:03             ` jdow
  2006-06-13  3:00               ` Horst von Brand
@ 2006-06-15 17:05               ` Keith Owens
  2006-06-15 23:14                 ` Wakko Warner
  1 sibling, 1 reply; 101+ messages in thread
From: Keith Owens @ 2006-06-15 17:05 UTC (permalink / raw)
  To: jdow
  Cc: Jesper Juhl, nick, Horst von Brand, Bernd Petrovitsch,
	marty fouts, David Woodhouse, Matti Aarnio, linux-kernel

"jdow" (on Mon, 12 Jun 2006 16:03:46 -0700) wrote:
>Greylist those who have not subscribed. Let their email server try
>again in 30 minutes. For those who are not subscribed it should not
>matter if their message is delayed 30 minutes. And so far spammers
>never try again.

Not true.  I greylist and my recent logs show a pattern of spam code
that tries 5 times at exactly 5 minute intervals, before finally giving
up.  Other spam code tries two or three times at one hour intervals.
All designed by spammers to bypass greylist systems.



* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-15 17:05               ` Keith Owens
@ 2006-06-15 23:14                 ` Wakko Warner
  0 siblings, 0 replies; 101+ messages in thread
From: Wakko Warner @ 2006-06-15 23:14 UTC (permalink / raw)
  To: Keith Owens
  Cc: jdow, Jesper Juhl, nick, Horst von Brand, Bernd Petrovitsch,
	marty fouts, David Woodhouse, Matti Aarnio, linux-kernel

Keith Owens wrote:
> "jdow" (on Mon, 12 Jun 2006 16:03:46 -0700) wrote:
> >Greylist those who have not subscribed. Let their email server try
> >again in 30 minutes. For those who are not subscribed it should not
> >matter if their message is delayed 30 minutes. And so far spammers
> >never try again.
> 
> Not true.  I greylist and my recent logs show a pattern of spam code
> that tries 5 times at exactly 5 minute intervals, before finally giving
> up.  Other spam code tries two or three times at one hour intervals.
> All designed by spammers to bypass greylist systems.

I have yet to set up any greylisting for any of my systems yet, but I would
greylist, and if they came back an hour later and were in blacklists, I
wouldn't allow it.  This is one thing greylisting can do for you, defer it
until they are in blacklists.

Of course all rules need to be weighed for the server they are placed on.  I
would do the above on my domain since I'm the only user, I might not on big
ISP.

I have noticed spam from zombies that were not in RBLs when it came in and 5
minutes later, they are in RBLs.

-- 
 Lab tests show that use of micro$oft causes cancer in lab animals
 Got Gas???
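
The retry patterns Keith Owens reports and the blacklist re-check Wakko Warner describes, as an added example that is not part of any message in this thread. The `Greylist` class, the addresses, the 4-hour record lifetime and the `listed_at` table (a stand-in for a real DNSBL query) are constructed for illustration.

```python
"""Greylisting with a blacklist re-check on every retry (constructed example)."""
from dataclasses import dataclass, field

MIN_DELAY = 30 * 60        # the 30-minute delay suggested in the thread, in seconds
MAX_WINDOW = 4 * 60 * 60   # assumption: a first-seen record expires after 4 hours


@dataclass
class Greylist:
    min_delay: int = MIN_DELAY
    # Stand-in for a DNSBL: IP -> time (seconds) at which the host got listed.
    listed_at: dict = field(default_factory=dict)
    first_seen: dict = field(default_factory=dict)   # triplet -> first attempt
    passed: set = field(default_factory=set)         # triplets that earned a pass

    def is_blacklisted(self, ip, now):
        t = self.listed_at.get(ip)
        return t is not None and t <= now

    def check(self, ip, sender, rcpt, now):
        """Return 'accept', 'defer' (SMTP 4xx) or 'reject' (SMTP 5xx)."""
        # Consulted on every attempt, so a host that was listed while it
        # waited out the greylist delay is refused when it comes back.
        if self.is_blacklisted(ip, now):
            return "reject"
        key = (ip, sender.lower(), rcpt.lower())
        if key in self.passed:
            return "accept"
        first = self.first_seen.get(key)
        if first is None or now - first > MAX_WINDOW:
            self.first_seen[key] = now       # new or expired triplet
            return "defer"
        if now - first < self.min_delay:
            return "defer"                   # retried too early
        self.passed.add(key)
        return "accept"


def replay(gl, attempt_times, ip="192.0.2.66",
           sender="offers@example.net", rcpt="user@example.org"):
    """Feed one sender's delivery attempts (seconds since first try) to gl."""
    return [gl.check(ip, sender, rcpt, t) for t in attempt_times]


def demo():
    five_min = [0, 300, 600, 900, 1200]      # 5 tries at exactly 5-minute intervals
    hourly = [0, 3600, 7200]                 # retries at one-hour intervals
    return {
        # Gives up before the 30-minute delay has elapsed: never delivered.
        "five_minute_retries": replay(Greylist(), five_min),
        # The same sender against a 5-minute delay gets through on try two.
        "five_minute_retries_short_delay": replay(Greylist(min_delay=300), five_min),
        # Hourly retries defeat greylisting used on its own.
        "hourly_retries": replay(Greylist(), hourly),
        # Host listed 5 minutes after its first attempt: the retry is refused.
        "hourly_retries_listed": replay(
            Greylist(listed_at={"192.0.2.66": 300}), hourly),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```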


* Re: VGER does gradual SPF activation (FAQ matter)
  2006-06-14 10:20                 ` Matthias Andree
@ 2006-06-16  3:53                   ` Kyle Moffett
  0 siblings, 0 replies; 101+ messages in thread
From: Kyle Moffett @ 2006-06-16  3:53 UTC (permalink / raw)
  To: Matthias Andree
  Cc: Neil Brown, Bernd Petrovitsch, David Schwartz, LKML Kernel, jdow

Thinking more on this and looking for possible solutions:  One  
(voluntary) technical solution to a mildly technical problem of lack  
of authenticity would be to write a mail server (or just glue postfix  
and apache with some perl CGIs) which stored the emails locally and  
added a header like this:
> X-Hosted-Email:  http://my.mail.server/hosted-email?id=$BASE64_HASH

Then replace the body with this:
> You have received a hosted email from "John Doe" <jdoe@mail.server>.
> Click the link below to view the email, or install a free hosted-email
> client from http://oss.hosted.email.project/
>
> http://my.mail.server/hosted-email?id=$BASE64_HASH

The templated message might start to get filtered by a few
spam-filters, but it makes blacklisting of abusers much easier so such
messages could easily be given a big +bonus in spamassassin or
similar.  If each compliant server along the way checked that the
host server was up and provided a compliant SMTP-over-HTTP email it
would be a trivial load for individual hosts but a quite considerable
load for spammers.  In addition it's possible to implement other
checks like wait-for-http-response-before-accepting-email, content
filters, digital signatures, and other processing steps.  Such a
system would be very reliable and easy to implement by relying on
existing proven technologies (SMTP and HTTP) in completely
standards-compliant ways.  Just some food for thought.

Cheers,
Kyle Moffett

