Ruleset to lock domain to IP address

Glenn Steen glenn.steen at gmail.com
Thu Oct 26 08:23:49 IST 2006


On 26/10/06, Matt Kettler <mkettler at evi-inc.com> wrote:
> Glenn Steen wrote:
> > On 25/10/06, Pravin Rane <pravin.rane at gmail.com> wrote:
> >> Use SPF :)
> >>
>
> SPF is useless for the original poster's problem. He's worried about limiting
> the source of all mail TO a domain.
>
> SPF is useful for limiting the source of all mail that claims to be FROM a domain.

Of course. Was typing entirely too much too late in the evening
yesterday (and after a relaxing G&T to boot:-). Not much brain
activity registering on my EEGs then:-).

> > .... I'm not sure I like SPF anymore... Or rather, the same tired old
> > thing... Bad admin (decisions) defeating its purpose. Like when UBS
> > has this unmoderated and (obviously) unprotected mailing-list (open
> > for anyone to use), that is protected by SPF... Sigh.
> >
>
> What's wrong with that?
>
> Anyone who expects SPF to be a spam control measure is doomed to be
> disappointed, probably in short order. It's a forgery control technology, not a
> spam control technology. Period.
>
> As you've seen, anyone can create a giant "SPF hole", either by SPFing an
> unmoderated list, or by just creating a SPF record that passes everything. But
> that's OK. This doesn't break the purpose of SPF.

Exactly. And as I said, it's not really SPF I don't like, but the
"bad" admin (who has been notified about the problem... Not answering
mails to postmaster... Sigh. For everything else, they run a very tidy
shop, so .... this just nettles me:).

> The purpose of SPF isn't to identify "good" messages, it's just to rule some of
> them as "definitely bad" (ie: forged).

Yep. And for that it is very good indeed.

> In the general case, there's nothing about passing SPF that tells you anything
> useful you can act on. ie: you can't consider a message that passed SPF to be
> nonspam, or even less likely to be spam, and you should treat it the same as any
> other message.
>
> Only failing SPF is useful enough to act on. At that point you know the owner of
> the domain believes this message is forged and not properly sent by an
> authorized host for his domain.

Yep. Still with you.

> So really when interpreting SPF by itself, you should treat "pass" more-or-less
> the same as "no record at all". (And this is why SA handles it as such. -0.001
> for SPF_PASS is little different from 0 for no record)

As is precisely what I do, mostly;).

> Now, if you truly trust a particular domain, then you can trust their SPF. So
> for these cases, you can do things like use SA's whitelist_from_spf on them. But
> you'd never be able to do this in any kind of general sense. Any spammer could
> exploit it by creating a "pass all" SPF record.

The difference between UBS and Lehman, in a nutshell:-D.
With the latter (and some other big financial players like MSCI) I
have to use *something* to bring their score averages down, and it has
so far been diverse def_white* things (I'm sure there are better ways
to do this, but these suit me ATM:-), mostly because some of their
senders use "spammy techniques". UBS on the other hand don't really
need that (they play by the book), so... That "SPF hole" is kind of
standing out, for them. Ah well.

Thanks once more for a very eloquent summary of how things really are.
Where I was yesterday (after battling a bl**dy SSL gateway entirely
too long... No, not SSL-Explorer...) I couldn't even put my name
together reliably:-).

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
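
Added example, not part of the original post and not SpamAssassin's own code: a sketch of the scoring policy the thread describes, where only an SPF fail is acted on, a pass scores about the same as no record, and a pass earns a bonus only for domains the admin has chosen to trust (the idea behind whitelist_from_spf). The domains, records, the fail penalty and the trusted bonus are constructed assumptions; only the -0.001 for a pass comes from the thread.

```python
# Constructed score values; only -0.001 for "pass" is taken from the thread.
PASS_SCORE = -0.001
FAIL_SCORE = 3.0            # assumed local penalty for an SPF "fail"
TRUSTED_PASS_SCORE = -7.5   # assumed bonus, only for explicitly trusted domains


def all_qualifier(record):
    """Return the qualifier ('+', '-', '~', '?') on the record's `all` term, or None."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        t = term.lower()
        if t == "all":
            return "+"      # a mechanism with no qualifier defaults to pass
        if len(t) == 4 and t[0] in "+-~?" and t[1:] == "all":
            return t[0]
    return None


def is_pass_all(record):
    """True for a 'pass everything' record such as 'v=spf1 +all'."""
    return all_qualifier(record) == "+"


def spf_score(result, sender_domain, trusted_domains):
    """Score adjustment for one SPF result under the policy from the thread."""
    result = result.lower()
    domain = sender_domain.lower().rstrip(".")
    if result == "fail":
        return FAIL_SCORE                 # the domain owner says this is forged
    if result == "pass" and domain in trusted_domains:
        return TRUSTED_PASS_SCORE         # trust the domain, so trust its SPF
    if result == "pass":
        return PASS_SCORE                 # little different from no record
    return 0.0                            # none, neutral, etc. in this sketch


# Constructed samples: (SPF result, envelope sender domain, published record).
TRUSTED = {"bank.example"}
SAMPLES = [
    ("pass", "bank.example", "v=spf1 ip4:192.0.2.0/24 -all"),
    ("pass", "bulk.example", "v=spf1 +all"),
    ("fail", "bank.example", "v=spf1 ip4:192.0.2.0/24 -all"),
    ("none", "norecord.example", ""),
]

if __name__ == "__main__":
    for result, domain, record in SAMPLES:
        print(domain, result, spf_score(result, domain, TRUSTED), is_pass_all(record))
```

The `bulk.example` row is the "pass all" case: it passes SPF, yet scores the same as an unknown sender because nobody put it on the trusted list.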

