Re: [Exim] SMTP+SPF

Pàgina inicial
Delete this message
Reply to this message
Autor: David Saez
Data:  
A: James P. Roberts, exim-users
Assumpte: Re: [Exim] SMTP+SPF
Hi !!

> I read the SPF proposal, and the first question I had for implementation was,
> how to handle classless IP blocks (e.g. /29), other than the painful method of
> an entry for each IP. I imagine there is some clever way, similar to how
> delegation of such blocks is *supposed* to be done... (*small strangled noises
> suppressing off-topic rant*).


No idea, at the end you only have to publish one ip for every outgoing
smtp server you have, publishing all your ip addresses is not a good
idea.

> (1) It's optional. ;)


everything is optional ... and things that are not optional are also
considered optional by some admins. You could make SPF mandatory and
for sure that many admins will not correctly use it

> (2) It is a bit of work to implement.


have you make a checklistof thing to be done to have spf running at
your site ? how many minutes is a bit of work ? I thing I'm not wrong
if I say that it will take you less time than the time you have spent
writing this messages.

> (3) It's essentially useless until it becomes
>     globally implemented.


well, it will not hurt. Now supose that hotmail starts using it, if
you do SPF checks you will be able to detect LOTS of spams that use
hotmail forged addresses (I have a ACL that does something similar
and it catches lots of spam).

> But seriously, the real problem is convincing admins to do the extra work,


did you received anytime LOTS of bounces due to somebody using your
email address ? did you received LOTS of wirus warnings due to some
virus using your email address ? how many spam do you receive comming
from forged email addresses ? which is the cost of all of them both
in bandwith and resources ? How many time will take you to implement
SPF onyour site if you have an easy way to add support for it to
your smtp server ? It's very easy to find lots of reasons
to use SPF ...

> long before any actual value is added as a result. Sure, I could publish SPF
> data fairly easily; but, I can't *use* SPF data until almost *everyone* does.


I'm sure adoption of spf, dmp or similar solutions it's only a matter
of time, little time. Big isp's have big problems due to bounces
generated
by the use of forged addresses, so they are the first interested on
having a solution to this problem. There are also a lot of companies
who don't like the posibility that anybody could use their email
addresses to send faked email.

> It's a bit like asking people to contribute time or money to a "good cause."


It's a good cause, but it's a cause that costs little time and money
and could save you bandwith, resources, time and money. Protecting
your users it's also your work and having a way to prevent unathorized
use of their email addresses is a thing they will be pleased to have.

> You might get a fair number of participants, but you won't get everyone. You
> probably won't even get a majority.


well, maybe, but there is no way to known it without trying first.
By now you will have spf support in SpamAssassin 2.70 , this will make
things easier to admins.

--
Best regards ...

You go to heaven...God sneezes... What do you say?

----------------------------------------------------------------
   David Saez Padros                http://www.ols.es
   On-Line Services 2000 S.L.       e-mail  david@???
   Pintor Vayreda 1                 telf    +34 902 50 29 75
   08184 Palau-Solita i Plegamans   movil   +34 670 35 27 53
----------------------------------------------------------------