TMDA Re: [Gllug] New worm doing the rounds?

Jason Clifford jason at ukpost.com
Thu Feb 19 09:15:57 UTC 2004


On Wed, 18 Feb 2004, will wrote:

> Well, maybe large ISPs will collectively publish wildcard, or no SPF 
> records forcing mail admins to be liberal with the way they interpret 
> the data.  Alternatively ISPs may be forced to change the way they 
> work, i.e. by attempting to get users to use SMTP auth, or they will only 
> allow sending from a user dialed up to their account with that ISP.

And there it is - the idea is to *force* ISPs to follow some such scheme 
even though ISPs have grave concerns that these schemes are unworkable.

> Either way, ISPs will be in the same boat and small ISPs are going to 
> be just as able to compete by deploying the same SPF compliant 
> technologies as much as larger ISPs.  For instance, if BT makes all 
> users use smtp auth, and so do you, you are no worse off.  If BT forces 
> users to dial up to send email but without auth, you can allow unauthed 
> sending from your dialup too, but you can also offer authed SMTP from 
> outside, and then you are more competitive.  Think of it as an 
> opportunity ;)

I already offer exactly that. Competitiveness is not an issue - I know I 
can provide better services and I already do across the board.

> Well, yes.  but only if the sender fails the test.  This will mean that
> if the administrator for the sender domain had an SPF policy stating
> 'hosts x and y and IP range z/24 are allowed to send email for this
> domain' and someone sent an email to me from host 'a' allegedly from a
> user at that domain then the SPF policy would have been violated and the
> mail would not get accepted.

Well that's your privilege but when you form these policies do remember 
that you may well be rejecting a lot of legitimate communication and thus 
causing harm to your own business.

> If you don't put up SPF records, or use wildcards for ukpost or ukfsn,
> the email from those domains will pass through my SPF check anyway and 
> then be spam checked along with email that passes SPF checks due to 
> adhering to an SPF policy.

In your case that's true. Other less clueful people inevitably will use 
lack of SPF as a reason to reject email. We already see the clueless using 
poor RBLs and implementing other anti-spam strategies so badly that they 
reject large amounts of legitimate email.

> it for my users for the amount of spam it blocked so it went.  If my 
> users complain about not getting SPF violating email, maybe I will 
> implement spamassassin and just make SPF violation a 2 point offense, and 
> I can re-introduce non FQDN HELO as a 1.5 pointer or something ;)

I can see SPF within spamassassin as a very valuable tool because it will 
only be considered within a larger context. I fear that many of those who 
choose to implement SPF will be looking for an "easy" solution and won't 
consider this.

>  From my perspective it is a cool thing ;)  I admit that from yours it 
> might mean extra work, but I don't think it will be the end of the world.

It's not about extra work. The additional work from my end is trivial - 
it's just not going to produce an overall positive result in my view.

Jason Clifford
-- 
UKFSN.ORG		Finance Free Software while you surf the 'net
http://www.ukfsn.org/	   ADSL Broadband from just £23.75 / month 
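
Added example, not part of the original message or of any software named in the thread: a simplified model of the two receiver policies discussed above, rejecting outright on an SPF fail versus counting the fail as one weighted signal. The domains, addresses, policy table and the 5.0 threshold are constructed assumptions; the 2 and 1.5 point weights are the figures quoted in the thread.

```python
import ipaddress

# Constructed stand-in for published SPF records (documentation address ranges).
# example.org authorises "hosts x and y and range z/24"; example.net publishes nothing.
POLICIES = {
    "example.org": ["192.0.2.10", "192.0.2.11", "198.51.100.0/24"],
}

SPF_FAIL_POINTS = 2.0        # figure suggested in the thread
NON_FQDN_HELO_POINTS = 1.5   # figure suggested in the thread
REJECT_THRESHOLD = 5.0       # assumed cut-off for this example


def spf_result(domain, client_ip, policies=POLICIES):
    """Return 'none' (no record), 'pass' or 'fail' for the connecting IP."""
    allowed = policies.get(domain)
    if allowed is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(entry, strict=False) for entry in allowed):
        return "pass"
    return "fail"


def hard_reject(domain, client_ip):
    """Refuse the message on an SPF fail alone."""
    return spf_result(domain, client_ip) == "fail"


def score(domain, client_ip, helo, content_points=0.0):
    """Treat SPF fail and a non-FQDN HELO as weighted signals among others."""
    points = content_points
    if spf_result(domain, client_ip) == "fail":
        points += SPF_FAIL_POINTS
    if "." not in helo.strip("."):
        points += NON_FQDN_HELO_POINTS
    return points


def scored_reject(domain, client_ip, helo, content_points=0.0):
    return score(domain, client_ip, helo, content_points) >= REJECT_THRESHOLD


if __name__ == "__main__":
    # A user of example.org sending through an unlisted host (constructed case).
    print(hard_reject("example.org", "203.0.113.5"))                       # True
    print(scored_reject("example.org", "203.0.113.5", "mail.example.org")) # False
```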
