public inbox for linux-kernel@vger.kernel.org
From: "jdow" <jdow@earthlink.net>
To: "Neil Brown" <neilb@suse.de>, "David Woodhouse" <dwmw2@infradead.org>
Cc: "Matti Aarnio" <matti.aarnio@zmailer.org>,
	<linux-kernel@vger.kernel.org>
Subject: Re: VGER does gradual SPF activation  (FAQ matter)
Date: Sat, 10 Jun 2006 22:26:19 -0700
Message-ID: <193f01c68d17$92570ae0$0225a8c0@Wednesday>
In-Reply-To: 17547.42403.669502.694618@cse.unsw.edu.au

From: "Neil Brown" <neilb@suse.de>

> On Sunday June 11, dwmw2@infradead.org wrote:
>> On Sun, 2006-06-11 at 01:27 +0300, Matti Aarnio wrote:
>> > Now that there is even an RFC published about SPF...
>> 
>> Please, don't do this. SPF makes assumptions about email which are just
>> not true; it rejects perfectly valid mail.
>> 
>> http://david.woodhou.se/why-not-spf.html
> 
> Conversely, please do do this :-)
> 
> I agree with David that SPF breaks mail-as-we-know-it, but I cannot
> help thinking that mail-as-we-know-it is way too permissive and bits
> of it need to be broken (the old egg/omelette analogy).
> 
> And I think that kernel.org is a great place to start with pushing
> SPF, because if a few mail items go astray to-or-from it really isn't
> the end of the world.
> 
> - kernel.org should publish very strict SPF records that sites with
>  any gumption can reject forged mail claiming to be from kernel.org.
>  If systems drop mail incorrectly because of this, the end-recipient
>  can follow linux-kernel any number of other ways, and can badger
>  their local admins to "get it right".

Sir, I've been doing this for years already using primary source
information - the trackable message headers. So far forgeries are
not a problem. It becomes quite obvious when a message has forged
headers, obvious enough automated analysis works remarkably well.

> - kernel.org should reject mail that earns an SPF 'fail' and should
>  grey-list mail that earns an SPF 'softfail' (so the sending system
>  will have to retry once). Any mail that incorrectly gets rejected
>  will hopefully have a link to a web page that explains the problem
>  and lists a number of free-mail sites where anyone can sign up and
>  safely send mail to kernel.org.  So people who need to get mail
>  through still can, while they complain to their admins about
>  configuring things properly.

No sir. FAIL and SOFT_FAIL prove nothing. PASS proves remarkably
little. SPF is not a good criterion for much of anything.

> I think kernel.org is a great site to be an early adopter because:
>  - the mail it transports isn't critical
>  - it interacts with a very large number of mail sites
>  - its customers are reasonably technology-savvy.

It would be a good site to adopt it outgoing. But adopting it as an
incoming message filter is silly.

> sourceforge would be another good site.
> 
> 
> (No, SPF doesn't stop spam, but it can increase accountability so that
> white/black lists can begin to be more usable).

It does not even do that conclusively. Many of us wish it did. But if
a spammer can post his own spf records he can claim what he wants
about email sources. DNS cache poisoning attacks assure that this can
take place even for sites you might control.

{^_^}   Joanne Dow said that. Seriously, I recommend a pass through the
        old SpamAssassin users mailing list for past discussions. An
        SPF_HELO_SOFTFAIL is the only thing given a sizeable score.
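
Added example, not part of the thread and not kernel.org's configuration: a sketch of the receiving-side policy proposed in the quoted text (reject on SPF 'fail', greylist on 'softfail' so the sender must retry), assuming the SPF result has already been computed by the MTA. The class name, the 300-second delay and the example.org URL are assumptions.

```python
import time

# Constructed policy values; the explanation URL is a placeholder.
EXPLAIN_URL = "https://example.org/spf-rejected"
GREYLIST_DELAY = 300  # assumed wait (seconds) before a softfail retry is accepted


class SpfGate:
    """Maps an already-computed SPF result to an SMTP reply at RCPT time."""

    def __init__(self, delay=GREYLIST_DELAY, clock=time.time):
        self.delay = delay
        self.clock = clock
        self.first_seen = {}  # (client_ip, mail_from, rcpt_to) -> first attempt

    def decide(self, spf_result, client_ip, mail_from, rcpt_to):
        result = spf_result.lower()
        if result == "fail":
            # Permanent rejection that points the sender at an explanation page.
            return 550, f"SPF fail for {mail_from}; see {EXPLAIN_URL}"
        if result == "softfail":
            key = (client_ip, mail_from.lower(), rcpt_to.lower())
            now = self.clock()
            first = self.first_seen.setdefault(key, now)
            if now - first < self.delay:
                # Temporary failure: a queueing MTA will retry on its own.
                return 451, f"Greylisted, retry later; see {EXPLAIN_URL}"
            return 250, "OK (softfail, passed greylist)"
        # pass / none / neutral: accepted, which is not the same as trusted.
        # 'pass' only says the connecting IP is listed in the domain's record.
        return 250, "OK"


def demo():
    """Replays a constructed sequence of deliveries against a fake clock."""
    t = [0.0]
    gate = SpfGate(delay=300, clock=lambda: t[0])
    args = ("192.0.2.10", "alice@example.com", "list@example.net")
    codes = [gate.decide("fail", *args)[0]]          # forged sender
    codes.append(gate.decide("softfail", *args)[0])  # first attempt
    t[0] = 60
    codes.append(gate.decide("softfail", *args)[0])  # retried too early
    t[0] = 400
    codes.append(gate.decide("softfail", *args)[0])  # retried after the delay
    codes.append(gate.decide("pass", *args)[0])
    return codes


if __name__ == "__main__":
    print(demo())
```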
