[Sussex] spam filtering

Vic lug at beer.org.uk
Sat Aug 19 13:58:49 UTC 2006


>> Possibly.
>
> But in reality not.

Well, it works for me.

> But what about dial up and others on a randomly changing IP address?

What about them?

> If
> your IP address isn't fixed then how are the domain owners going to
> allow the IP address I happen to be on at this moment as a legitimate
> sender of my email address?

They almost certainly will not. Very few people currently consider
direct-to-MX from a dynamic IP as a legitimate way to send email. I count
myself among that number.

> Most well configured e-mail systems will
> reject e-mail connections that come from systems that are not known to
> the Net databases are really e-mail server.

Eh?

There are some blocklists, but most MTAs really just look for certain
signs of legitimacy. Some (but not that many - yet) require absence from
things like NJABL, but most will just accept mail from anything with a
rDNS.

> Now when I was on dial up all my outgoing e-mail went to my ISP's email
> servers.

As it should.

> So is the owner of dobson.org going to configure my ISP's
> e-mail servers as one allowed to send my e-mails?

If dobson.org wanted to permit sending from your ISP's MTAs, then it would
need to include some reference to those MTAs in the SPF record. That would
probably take the form "?include:some_big_isp.com" to prevent cross-user
forgery.

> This is only done at
> domain level - so as any big e-mail portal like NetIdentity, GMail or
> HotMail would have to allow _all_ ISPs to route their domains as they
> are bound to have at least one customer with every ISP.

It's nothing to do with routing.

What most mail providers do is to provide an SMTP-AUTH service. That way,
the end-user sends mail to the MSA, which is then sent on from the known
(and SPF-declared) MTAs.

Certain organisations wish to allow any MTA to send on their behalf -
that's their choice. This is easily reflected in a SPF record, but really
doesn't afford much protection from forgery. So those domains will keep
being forged.

Note that, of the three domains you mentioned above, only NetIdentity take
this approach. Both Hotmail and Gmail publish SPF records.

> SPF's only work for some e-mail configurations, not all.

SPF can work for any configuration. It just happens that some domains
*choose* not to protect themselves against forgery. That's their right,
and they must accept the consequences.

Vic.
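
The qualifier behaviour discussed in this message, as an added example that is not part of the original post: a small evaluator for a subset of SPF (ip4, include and all only) showing why "?include:" gives mail relayed through the ISP a neutral result rather than a pass, and why a "+all" record passes every sender. The records, the IP addresses and the open.example domain are constructed for illustration and are not real DNS data.

```python
import ipaddress

# Constructed SPF records for illustration (not real DNS data).
# Addresses come from the RFC 5737 documentation ranges.
RECORDS = {
    "dobson.org": "v=spf1 ip4:192.0.2.10 ?include:some_big_isp.com -all",
    "some_big_isp.com": "v=spf1 ip4:198.51.100.0/24 -all",
    "open.example": "v=spf1 +all",  # any MTA may send on this domain's behalf
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Evaluate the ip4, include and all mechanisms, left to right."""
    record = RECORDS.get(domain)
    if record is None:
        return "none"
    if depth > 10:  # guard against include loops
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier, mech = ("+", term)
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        if mech == "all":
            matched = True
        elif mech.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(mech[4:], strict=False)
        elif mech.startswith("include:"):
            inner = check_host(ip, mech[8:], depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            # include matches only on an inner pass; the outer qualifier
            # then decides the result, so "?include" can never yield pass.
            matched = inner == "pass"
        else:
            return "permerror"  # mechanism outside this subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched


if __name__ == "__main__":
    for ip, dom in [("192.0.2.10", "dobson.org"),      # domain's own MTA
                    ("198.51.100.25", "dobson.org"),   # ISP smarthost
                    ("203.0.113.7", "dobson.org"),     # dynamic IP, direct-to-MX
                    ("203.0.113.7", "open.example")]:  # "+all" domain
        print(f"{ip:15} {dom:14} -> {check_host(ip, dom)}")
```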




