Thread: SPF Record ...

SPF Record ...

From
"Marc G. Fournier"
Date:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


I'm thinking of adding one to DNS, but after reading up on it, I'm a bit
concerned how this might affect some ... specifically, from reading on
openspf.org, anyone that is doing email from their desktop, through their ISP,
instead of using SMTP AUTH to the server itself, may be affected by this ...

I'm not planning on adding SPF to Postfix itself, only to DNS, at this time, so
it won't affect incoming, just outgoing ...

Since those having @postgresql.org accounts shoudl be limited to these two
lists, can anyone comment on a) is this a bad idea? and b) would they be
affected because they don't use SMTP AUTH and c) why aren't you using SMTP
AUTH? ...

Thx ...

- ----
Marc G. Fournier           Hub.Org Networking Services (http://www.hub.org)
Email . scrappy@hub.org                              MSN . scrappy@hub.org
Yahoo . yscrappy               Skype: hub.org        ICQ . 7615664
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (FreeBSD)

iD8DBQFFXVE64QvfyHIvDvMRAntYAJ9bYnHTqo+1/v0Y2kdG+tB0ZFIL3wCgqZ6k
E2OesE87aAIEVfdsCLulQtk=
=Twi9
-----END PGP SIGNATURE-----


Re: [CORE] SPF Record ...

From
Josh Berkus
Date:
Marc,

> Since those having @postgresql.org accounts shoudl be limited to these two
> lists, can anyone comment on a) is this a bad idea? and b) would they be
> affected because they don't use SMTP AUTH and c) why aren't you using SMTP
> AUTH? ...

I send SMTP from literally dozens of different IP addresses through
josh@postgreSQL.org due to having my laptop on wireless with me wherever I
go.  How will this work?

Can you set an SPF record for AuthSMTP as well?
http://www.authsmtp.com/faqs/faq-65.html

--
Josh Berkus
PostgreSQL @ Sun
San Francisco

Re: [CORE] SPF Record ...

From
Tom Lane
Date:
"Marc G. Fournier" <scrappy@postgresql.org> writes:
> I'm thinking of adding one to DNS, but after reading up on it, I'm a bit
> concerned how this might affect some ...

I'd recommend it.  I've had one on sss.pgh.pa.us for a year or two now
and have seen no serious ill effects.  I don't currently use SPF for
incoming filtering either, but it makes a good basis for disavowing
forgeries-in-my-name, of which there are all too many :-(

> Since those having @postgresql.org accounts shoudl be limited to these two
> lists, can anyone comment on a) is this a bad idea? and b) would they be
> affected because they don't use SMTP AUTH and c) why aren't you using SMTP
> AUTH? ...

Hmm.  What it would mean is that anyone sending mail with a
"From: soandso@postgresql.org" line would have to be sure it went out
through the postgresql.org servers, else it might get bounced.  The
question is, would anyone who has a legitimate claim to such a From:
address be inconvenienced to the point of vetoing this?  If so why?

+1 on the idea, but am willing to listen to objections...

            regards, tom lane

Re: [CORE] SPF Record ...

From
Josh Berkus
Date:
Marc,

> > Since those having @postgresql.org accounts shoudl be limited to these
> > two lists, can anyone comment on a) is this a bad idea? and b) would they
> > be affected because they don't use SMTP AUTH and c) why aren't you using
> > SMTP AUTH? ...
>
> I send SMTP from literally dozens of different IP addresses through
> josh@postgreSQL.org due to having my laptop on wireless with me wherever I
> go.  How will this work?

Or more to the point: I don't understand what SMTP AUTH is.   Googling for a
definition leaves me unenlightened.  Can some one explain how it works?

--
Josh Berkus
PostgreSQL @ Sun
San Francisco

Re: [CORE] SPF Record ...

From
Josh Berkus
Date:
Tom,

> Not an issue, I think.  The point here is that if you send an email that
> claims to be "From: josh@postgreSQL.org", it'll have to actually go
> through the postgresql.org servers, else SPF-aware recipients might
> think it forged.  If you are trying to send it *directly* to the
> recipients you might have a problem, but that seems like a pretty crummy
> mail setup for a wireless laptop anyway.

Ah, ok, not an issue then.  Except that Marc would need to set up an SPF rule
for AuthSMTP, which I often have to use on the road.  But that's easy enough.

However, you should give me time to contact all of the Regional Contacts and
warn them.

ON SECOND THOUGHT, can we please *not* do this 2 weeks before a release?  I'm
just having horrible thoughts of all of the Regional Contacts being locked
out of their e-mail ... perhaps we could do it in late December?

--
Josh Berkus
PostgreSQL @ Sun
San Francisco

Re: [CORE] SPF Record ...

From
Tom Lane
Date:
Josh Berkus <josh@agliodbs.com> writes:
> ON SECOND THOUGHT, can we please *not* do this 2 weeks before a release?

That's a fair point.  Let's plan to do this late December, or January?

            regards, tom lane

Re: [CORE] SPF Record ...

From
"Marc G. Fournier"
Date:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



- --On Thursday, November 16, 2006 22:15:07 -0800 Josh Berkus
<josh@agliodbs.com>
wrote:

> Marc,
>
>> Since those having @postgresql.org accounts shoudl be limited to these two
>> lists, can anyone comment on a) is this a bad idea? and b) would they be
>> affected because they don't use SMTP AUTH and c) why aren't you using SMTP
>> AUTH? ...
>
> I send SMTP from literally dozens of different IP addresses through
> josh@postgreSQL.org due to having my laptop on wireless with me wherever I
> go.  How will this work?

How are you sending it?  I thought you had your SMTP Server settings set to
mail.postgresql.org and were sending it through there ... no?

> Can you set an SPF record for AuthSMTP as well?
> http://www.authsmtp.com/faqs/faq-65.html

I can add it ... but is anyone using it?  And, if so ... why when you could do
it for free now?


- ----
Marc G. Fournier           Hub.Org Networking Services (http://www.hub.org)
Email . scrappy@hub.org                              MSN . scrappy@hub.org
Yahoo . yscrappy               Skype: hub.org        ICQ . 7615664
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (FreeBSD)

iD8DBQFFXWFr4QvfyHIvDvMRAs5FAKDdGw/IXJ9z3YVCtyy0xVJg66n46ACeIj4J
LdwyRWW6/SsaGttUHWNaqqk=
=JPXT
-----END PGP SIGNATURE-----


Re: [CORE] SPF Record ...

From
"Marc G. Fournier"
Date:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



- --On Thursday, November 16, 2006 22:21:45 -0800 Josh Berkus
<josh@agliodbs.com>
wrote:

> Marc,
>
>> > Since those having @postgresql.org accounts shoudl be limited to these
>> > two lists, can anyone comment on a) is this a bad idea? and b) would they
>> > be affected because they don't use SMTP AUTH and c) why aren't you using
>> > SMTP AUTH? ...
>>
>> I send SMTP from literally dozens of different IP addresses through
>> josh@postgreSQL.org due to having my laptop on wireless with me wherever I
>> go.  How will this work?
>
> Or more to the point: I don't understand what SMTP AUTH is.   Googling for a
> definition leaves me unenlightened.  Can some one explain how it works?

All our mail servers (@hub.org) are closed relays ...  you can't send email
through them *unless* you use SMTP AUTH to authenticate yourself as being a
legit user ...

I don't know what mail reader you are using, and they call it differently on
each, but when you setup your SMTP Server for josh@postgresql.org account
settings, there should be a check box for 'SMTP AUTH' or 'Require
Authentication for SMTP' or something like that ...

Then, when you connect to mail.postgresql.org to *send* an email, the first
thing it will do is use your josh@postgresql.org / passwd to authenticate you
as a valid user to relay through the server and allow you to send ...

- ----
Marc G. Fournier           Hub.Org Networking Services (http://www.hub.org)
Email . scrappy@hub.org                              MSN . scrappy@hub.org
Yahoo . yscrappy               Skype: hub.org        ICQ . 7615664
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (FreeBSD)

iD8DBQFFXWIa4QvfyHIvDvMRAt6qAKDWYsKmOk9j0qLJejz78ofVNVUNOgCeIsiJ
jiUToMKjkSSiVJcX8bconWE=
=SYJJ
-----END PGP SIGNATURE-----


Re: [CORE] SPF Record ...

From
Josh Berkus
Date:
Marc,

> > Can you set an SPF record for AuthSMTP as well?
> > http://www.authsmtp.com/faqs/faq-65.html
>
> I can add it ... but is anyone using it?  And, if so ... why when you could
> do it for free now?

I am.   Because a lot of hotels and free wireless sites block port 25.

--
Josh Berkus
PostgreSQL @ Sun
San Francisco

Re: [CORE] SPF Record ...

From
"Marc G. Fournier"
Date:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



- --On Thursday, November 16, 2006 22:39:22 -0800 Josh Berkus
<josh@agliodbs.com>
wrote:

> However, you should give me time to contact all of the Regional Contacts and
> warn them.
>
> ON SECOND THOUGHT, can we please *not* do this 2 weeks before a release?  I'm
> just having horrible thoughts of all of the Regional Contacts being locked
> out of their e-mail ... perhaps we could do it in late December?\

Not a problem ... I can also set it so that there are various levels of
'checks' ... for instance, all I'm using right now is ?all, which is a softfail
vs an absolute one ... apparently this lets the email through to something like
Spamassassin, who can then use it for scoring purposes (if I understand it
correctly) ...

neutral: The SPF record specifies explicitly that nothing can be said about
         validity
softfail: The SPF record has designated the host as NOT being allowed to send
but
          is in transition
fail: The SPF record has designated the host as NOT being allowed to send

Now, personally, I'm not 100% certain what use 'neutral' is, but, again, if I'm
reading things right ...

If I do something like:

a mx ?all

what it says is that all email that comes either from the IP of
mail.postgresql.org, or its listed MX servers will pass, no questions asked ...
?all will pass, but in such a way that something like spamassassin scores
differently then if it did come from 'a / mx' ...

As I said at the top though, I'm not in a big rush, just want to do it as it
should help, as Tom mentions, keep the spam down somewhat ...

- ----
Marc G. Fournier           Hub.Org Networking Services (http://www.hub.org)
Email . scrappy@hub.org                              MSN . scrappy@hub.org
Yahoo . yscrappy               Skype: hub.org        ICQ . 7615664
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (FreeBSD)

iD8DBQFFXWQ74QvfyHIvDvMRAmTmAKDaigMCKxmMiBXVqYcmniN9sheDMACcCiK+
K0NahFV1SIQcv9TTo53mHyk=
=spsM
-----END PGP SIGNATURE-----


Re: [CORE] SPF Record ...

From
Devrim GUNDUZ
Date:
Hi Josh,

On Thu, 2006-11-16 at 22:21 -0800, Josh Berkus wrote:
> > I send SMTP from literally dozens of different IP addresses through
> > josh@postgreSQL.org due to having my laptop on wireless with me
> wherever I
> > go.  How will this work?
>
> Or more to the point: I don't understand what SMTP AUTH is.   Googling
> for a definition leaves me unenlightened.  Can some one explain how it
> works?

http://en.wikipedia.org/wiki/SMTP-AUTH

You login to the server via a valid user/pass; and it lets you relay
through that server. It is useful it you are travelling and/or using
different networks during the day.

Cheers,
--
The PostgreSQL Company - Command Prompt, Inc. 1.503.667.4564
PostgreSQL Replication, Consulting, Custom Development, 24x7 support
Managed Services, Shared and Dedicated Hosting
Co-Authors: plPHP, plPerlNG - http://www.commandprompt.com/





Attachment

Re: [CORE] SPF Record ...

From
Tom Lane
Date:
Josh Berkus <josh@agliodbs.com> writes:
> I send SMTP from literally dozens of different IP addresses through
> josh@postgreSQL.org due to having my laptop on wireless with me wherever I
> go.  How will this work?

Not an issue, I think.  The point here is that if you send an email that
claims to be "From: josh@postgreSQL.org", it'll have to actually go
through the postgresql.org servers, else SPF-aware recipients might
think it forged.  If you are trying to send it *directly* to the
recipients you might have a problem, but that seems like a pretty crummy
mail setup for a wireless laptop anyway.

            regards, tom lane

Re: [CORE] SPF Record ...

From
"Marc G. Fournier"
Date:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



- --On Thursday, November 16, 2006 23:26:22 -0800 Josh Berkus <josh@agliodbs.com>
wrote:

> Marc,
>
>> > Can you set an SPF record for AuthSMTP as well?
>> > http://www.authsmtp.com/faqs/faq-65.html
>>
>> I can add it ... but is anyone using it?  And, if so ... why when you could
>> do it for free now?
>
> I am.   Because a lot of hotels and free wireless sites block port 25.

Damn, I thought we had set that up for you awhile back ... port 26 on
mail.postgresql.org will accept external smtp connections as well as port 25,
to get around this ... we have a fair # of clients whose cable ISPs do the same
thing :(

# telnet mail.postgresql.org 26
Trying 200.46.204.71...
Connected to mail.postgresql.org.
Escape character is '^]'.
220 postgresql.org ESMTP Postfix

Its there if you want to use it ...

- ----
Marc G. Fournier           Hub.Org Networking Services (http://www.hub.org)
Email . scrappy@hub.org                              MSN . scrappy@hub.org
Yahoo . yscrappy               Skype: hub.org        ICQ . 7615664
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (FreeBSD)

iD8DBQFFXWXU4QvfyHIvDvMRAmS/AJ9NWowQzEUe7nGUiWx07VPOlEpvoACeJbdo
y8VOUN/+VNrg+83gEj2JXuE=
=ZMVR
-----END PGP SIGNATURE-----


Re: [CORE] SPF Record ...

From
"Magnus Hagander"
Date:
> >> > Can you set an SPF record for AuthSMTP as well?
> >> > http://www.authsmtp.com/faqs/faq-65.html
> >>
> >> I can add it ... but is anyone using it?  And, if so ...
> why when you
> >> could do it for free now?
> >
> > I am.   Because a lot of hotels and free wireless sites
> block port 25.
>
> Damn, I thought we had set that up for you awhile back ...
> port 26 on mail.postgresql.org will accept external smtp
> connections as well as port 25, to get around this ... we
> have a fair # of clients whose cable ISPs do the same thing :(

Just so you know, you're supposed to use port 587 (see http://www.ietf.org/rfc/rfc2476.txt) for SMTP submission, not
26...

//Magnus

Re: [CORE] SPF Record ...

From
Josh Berkus
Date:
Marc,

> Damn, I thought we had set that up for you awhile back ... port 26 on
> mail.postgresql.org will accept external smtp connections as well as port
> 25, to get around this ... we have a fair # of clients whose cable ISPs do
> the same thing :(

Yes, you tried, but the Mariott I was staying at blocked 26 as well.  Anyway,
AuthSMTP is paid for and is reasonably secure.

--
Josh Berkus
PostgreSQL @ Sun
San Francisco

Re: [CORE] SPF Record ...

From
Dave Page
Date:
Marc G. Fournier wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> a) is this a bad idea?

Maybe - see below...

> b) would they be affected because they don't use SMTP AUTH

I use SMTP AUTH + TLS through my own server to avoid having plain text
passwords on the wire, and because when I'm sending large emails (ie.
pgAdmin test builds) it is a heck of a lot quicker than sending to a
server on the other side of the planet which can often be slow at the
times I send messages (ie. when you're doing backups).

For similar reasons I don't IMAP directly to your servers - it's just
too slow. I forward to mine and IMAPS to there.

and c) why aren't you using SMTP
> AUTH? ...

See above.

Please don't add SPF for postgresql.org - unless you're willing to add a
record for developer.pgadmin.org as well.

Regards, Dave.

Re: SPF Record ...

From
Peter Eisentraut
Date:
Am Freitag, 17. November 2006 07:05 schrieb Marc G. Fournier:
> I'm thinking of adding one to DNS, but after reading up on it, I'm a bit
> concerned how this might affect some

I urge you in the strongest possible terms not to do that.  As someone who is
professionally involved in that issue, I can tell you that SPF is both
useless and dangerous.  It doesn't stop any spam, but it breaks email
protocols, annoys and restricts users for no gain.

> Since those having @postgresql.org accounts shoudl be limited to these two
> lists, can anyone comment on a) is this a bad idea? and b) would they be
> affected because they don't use SMTP AUTH and c) why aren't you using SMTP
> AUTH? ...

The fallacy is that proponents of SPF believe that users are free to choose
their SMTP server.  Contrast that with the widely spread and generally
welcome (among ISPs and government) practice of blocking outgoing TCP port 25
to address the spam-via-zombies problem (compared against SPF, this practice
at least works), you are then left with a situation in which some users
cannot send any email at all anymore because their ISP wants email to go this
way and the domain administrator wants it to go that way.  Ultimately, both
of these measures seriously restrict the redundancy feature of the internet
(what if your mail server is broken?) and impact the privacy and
self-determination of users (what if I don't want ISP 1 or ISP 2 to count my
email?).

But again, SPF doesn't stop any junk mail, so it's useless anyway.

--
Peter Eisentraut
http://developer.postgresql.org/~petere/

Re: SPF Record ...

From
"Magnus Hagander"
Date:
> > Since those having @postgresql.org accounts shoudl be
> limited to these
> > two lists, can anyone comment on a) is this a bad idea? and
> b) would
> > they be affected because they don't use SMTP AUTH and c) why aren't
> > you using SMTP AUTH? ...
>
> The fallacy is that proponents of SPF believe that users are
> free to choose their SMTP server.  Contrast that with the
> widely spread and generally welcome (among ISPs and
> government) practice of blocking outgoing TCP port 25 to
> address the spam-via-zombies problem (compared against SPF,
> this practice at least works), you are then left with a
> situation in which some users cannot send any email at all
> anymore because their ISP wants email to go this way and the
> domain administrator wants it to go that way.  Ultimately,
> both of these measures seriously restrict the redundancy
> feature of the internet (what if your mail server is broken?)
> and impact the privacy and self-determination of users (what
> if I don't want ISP 1 or ISP 2 to count my email?).
>
> But again, SPF doesn't stop any junk mail, so it's useless anyway.

That's a bit harsh, really. There are a lot of environments where
publishing SPF records are *not* harmful, and are *not* restricting the
user. For example, any organisation that doesn't use SMTP for mail
submission. I have 18,000 users that only everb submit email using RPC
or http. We also permit SMTP with authentication over TLS on 587 for
those few (I think there are 4 or 5 people out of the 18,000) that use
IMAP/s. Publishing SPF records for this organisation was a big win, and
it has noticably cut down the spam complaints we've received when
spammers have forged from addresses from our domains.

Another good example if this is any of the big webmail services. Hotmail
users, for example, don't get to do SMTP, so why should you accept a
message from a hotmail user that hasn't been verified as a hotmail user?

As for redundancy - if you have only one mailserver, then yes, it will
limit you. But really, does *anybody* have just one mailserver these
days? And naturally a backup relayer that runs on a different ISP.

That said, I'm not asying that it's right for postgresql.org, given that
it has the type of usage pattern that it does with a lot of
"organizationally unrelated" users that all use SMTP for submission. Use
the right tool for the job, as always...

//Magnus

Re: SPF Record ...

From
Peter Eisentraut
Date:
Am Freitag, 17. November 2006 10:34 schrieb Magnus Hagander:
> Publishing SPF records for this organisation was a big win, and
> it has noticably cut down the spam complaints we've received when
> spammers have forged from addresses from our domains.

This is really the only thing that SPF accomplishes: It cuts down on a
particular domain/ISP being used for fake email addresses in spam.  But a
spammer can programmatically pick some other domain that does not publish SPF
records.  But note that SPF evaluates the *envelope* of the email, so this
does not really help the trustworthyness of the sender addresses perceived by
the user, and so it doesn't help phishing either.  So in the end, SPF
achieves merely a convenience for the postmaster of the ISP while providing
at best equal but usually worse service for the users.

> Another good example if this is any of the big webmail services. Hotmail
> users, for example, don't get to do SMTP, so why should you accept a
> message from a hotmail user that hasn't been verified as a hotmail user?

SPF checks the envelope sender address.  That is the address where to send
replies and bounces.  Certainly Hotmail accepts replies and bounces via SMTP.
So if some random mail server sends me mail with MAIL FROM:
<blah@hotmail.com>, that is perfectly valid and has nothing to do with
whether Hotmail users can submit new emails via SMTP or whether the message
is spam or whatever.

What you perhaps want is Sender ID or Domain Keys, which are technically more
sound solutions, although they have some of the same problems.

> As for redundancy - if you have only one mailserver, then yes, it will
> limit you. But really, does *anybody* have just one mailserver these
> days?

Sure, if you have an ISP or company that only allows you to use theirs.

--
Peter Eisentraut
http://developer.postgresql.org/~petere/

Re: SPF Record ...

From
Andrew Sullivan
Date:
On Fri, Nov 17, 2006 at 02:05:46AM -0400, Marc G. Fournier wrote:
> I'm thinking of adding one to DNS, but after reading up on it, I'm a bit
> concerned how this might affect some ... specifically, from reading on

Please don't.  SPF is currently an experimental protocol.  There are
significant reasons to suppose that it is a vector for serious denial
of service attacks.

A

--
Andrew Sullivan  | ajs@crankycanuck.ca
In the future this spectacle of the middle classes shocking the avant-
garde will probably become the textbook definition of Postmodernism.
                --Brad Holland

Re: [CORE] SPF Record ...

From
Andrew Sullivan
Date:
On Fri, Nov 17, 2006 at 01:15:35AM -0500, Tom Lane wrote:
>
> +1 on the idea, but am willing to listen to objections...

Well, the objection is basically that SPF records are possibly a
vector for large-scale DoS amplification attacks _on the receiving
client end_.  So they don't affect you, but they cause a lot of
processing by someone else.

Doug Otis made a presentation about this at IETF67 just last week.
It's somewhat controversial -- the SPF supporters claim that the
attack is no worse than for any other DNS where one controls the
domain.

In any case, though, SPF records are considerably larger than
traditional DNS responses, which means much of the time everyone is
failing back to TCP.  Since a number of non-clueful DNS operators
think you can block TCP on port 53, it's also a potential way to
prevent communication.

A

--
Andrew Sullivan  | ajs@crankycanuck.ca
The fact that technology doesn't work is no bar to success in the marketplace.
        --Philip Greenspun

Re: [CORE] SPF Record ...

From
"Marc G. Fournier"
Date:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



- --On Friday, November 17, 2006 09:00:52 +0100 Magnus Hagander
<mha@sollentuna.net> wrote:


> Just so you know, you're supposed to use port 587 (see
> http://www.ietf.org/rfc/rfc2476.txt) for SMTP submission, not 26...

Didn't even know there *was* an RFC for that ... but, if there is, wouldn't it
be logical that most ISPs wuld block that *as well as* 25?  I've made the
change though ...

- ----
Marc G. Fournier           Hub.Org Networking Services (http://www.hub.org)
Email . scrappy@hub.org                              MSN . scrappy@hub.org
Yahoo . yscrappy               Skype: hub.org        ICQ . 7615664
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (FreeBSD)

iD8DBQFFXbMi4QvfyHIvDvMRAufHAJ0avaoD9wtohRw1WlAphc4cs/Q+OgCg5PRu
7kKn+xNo53i9+qjJXCuZZ3c=
=P4HL
-----END PGP SIGNATURE-----


Re: [CORE] SPF Record ...

From
"Marc G. Fournier"
Date:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



- --On Friday, November 17, 2006 08:21:07 +0000 Dave Page <dpage@postgresql.org>
wrote:

> Please don't add SPF for postgresql.org - unless you're willing to add a
> record for developer.pgadmin.org as well.

'k, I wasn't planning on doing -all (strict fail), only ~all (softfail) ... so
this shouldn't affect either authsmtp.com use, or yours, at least if I'm
reading things right ...

- ----
Marc G. Fournier           Hub.Org Networking Services (http://www.hub.org)
Email . scrappy@hub.org                              MSN . scrappy@hub.org
Yahoo . yscrappy               Skype: hub.org        ICQ . 7615664
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (FreeBSD)

iD8DBQFFXbQm4QvfyHIvDvMRAt5qAKCRHs/gXLe/IgUlMJhlA2Vt1UKrZACgufF4
hBNdSarebBFr5/l68JWAh7U=
=HAm6
-----END PGP SIGNATURE-----


Re: SPF Record ...

From
"Marc G. Fournier"
Date:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



- --On Friday, November 17, 2006 10:34:19 +0100 Magnus Hagander
<mha@sollentuna.net> wrote:

> That's a bit harsh, really. There are a lot of environments where
> publishing SPF records are *not* harmful, and are *not* restricting the
> user. For example, any organisation that doesn't use SMTP for mail
> submission. I have 18,000 users that only everb submit email using RPC
> or http. We also permit SMTP with authentication over TLS on 587 for
> those few (I think there are 4 or 5 people out of the 18,000) that use
> IMAP/s. Publishing SPF records for this organisation was a big win, and
> it has noticably cut down the spam complaints we've received when
> spammers have forged from addresses from our domains.

The above was what I was thinking also ... where there is easy and absolute
control over the domain in question (ie. all *legit* @hub.org email will go
through one of two servers ... I have my postfix setup on my desktop setup so
that it relays *thru* the primary one, and its a very restricted list of email
users involed), then adding an SPF doesn't hurt ...

> That said, I'm not asying that it's right for postgresql.org, given that
> it has the type of usage pattern that it does with a lot of
> "organizationally unrelated" users that all use SMTP for submission. Use
> the right tool for the job, as always...

As I answered Dave, I'm quickly starting to think that postgresql.org might be
fairly difficult ... but, even then, spf allows for 'exceptions' (ie.
authsmtp.com, developer.pgadmin.org, etc) ... so for the very few actual
mailboxes involved, it shouldn't be too difficult to do either ...

- ----
Marc G. Fournier           Hub.Org Networking Services (http://www.hub.org)
Email . scrappy@hub.org                              MSN . scrappy@hub.org
Yahoo . yscrappy               Skype: hub.org        ICQ . 7615664
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (FreeBSD)

iD8DBQFFXbY54QvfyHIvDvMRAl2xAJsHRyWFxA1vNa11na6FIh6AFXIKeQCeLCXd
IkwnwsXLqzbv16fcwLkIBxI=
=+yvm
-----END PGP SIGNATURE-----


Re: SPF Record ...

From
"Marc G. Fournier"
Date:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



- --On Friday, November 17, 2006 11:36:12 +0100 Peter Eisentraut
<peter_e@gmx.net> wrote:

> Am Freitag, 17. November 2006 10:34 schrieb Magnus Hagander:
>> Publishing SPF records for this organisation was a big win, and
>> it has noticably cut down the spam complaints we've received when
>> spammers have forged from addresses from our domains.
>
> This is really the only thing that SPF accomplishes: It cuts down on a
> particular domain/ISP being used for fake email addresses in spam.  But a
> spammer can programmatically pick some other domain that does not publish SPF
> records.

'k, so the problem isn't SPF, but the fact that its not widely adopted and used
... so, let's *not* adopt it and increase its usage?

>  So in the end, SPF
> achieves merely a convenience for the postmaster of the ISP while providing
> at best equal but usually worse service for the users.

Where you are losing me here is how this 'worse service' manifests itself ... I
can understand some cases where this would be the case (a university campus
where students send email while off campus), but for smaller organizations (and
I'm sorry, but for the number of mailboxes under @postgresql.org, we are a
small organization email wise), being able to impose some sort of policy (even
with a small exceptions list), shouldn't cause a degredation in service ...

> SPF checks the envelope sender address.  That is the address where to send
> replies and bounces.  Certainly Hotmail accepts replies and bounces via SMTP.
>  So if some random mail server sends me mail with MAIL FROM:
> <blah@hotmail.com>, that is perfectly valid and has nothing to do with
> whether Hotmail users can submit new emails via SMTP or whether the message
> is spam or whatever.

You lost me on this one (or I mis-read Magnus' email) ... but, you can't use
IMAP/POP3 to read hotmail, only their webmail interface ... so, the only way to
send an email out as an @hotmail.com address *legitimately* would be *thrrough*
their servers ... or did I miss something in either of your or Magnus's
comments about hotmail ... ?

- ----
Marc G. Fournier           Hub.Org Networking Services (http://www.hub.org)
Email . scrappy@hub.org                              MSN . scrappy@hub.org
Yahoo . yscrappy               Skype: hub.org        ICQ . 7615664
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (FreeBSD)

iD8DBQFFXbgF4QvfyHIvDvMRAlnZAKCRVfeqNaU4t4107TXUYkI2bO8aFgCgjDM6
eVcZ7+lvf6BDkjOFjsqJRgQ=
=9c/n
-----END PGP SIGNATURE-----


Re: SPF Record ...

From
"Joshua D. Drake"
Date:
> Since those having @postgresql.org accounts shoudl be limited to these two
> lists, can anyone comment on a) is this a bad idea? and b) would they be
> affected because they don't use SMTP AUTH and c) why aren't you using SMTP
> AUTH? ...
>
>
Are you saying that you don't *require* smtp auth? What about TLS? IMHO
you should be requiring
SMTP+TLS for all servers and users relaying through any @postgresql.org
server.

Sincerely,

Joshua D. Drake


> Thx ...
>
>


Re: SPF Record ...

From
"Joshua D. Drake"
Date:
Peter Eisentraut wrote:
> Am Freitag, 17. November 2006 07:05 schrieb Marc G. Fournier:
>
>> I'm thinking of adding one to DNS, but after reading up on it, I'm a bit
>> concerned how this might affect some
>>
>
> I urge you in the strongest possible terms not to do that.  As someone who is
> professionally involved in that issue, I can tell you that SPF is both
> useless and dangerous.  It doesn't stop any spam, but it breaks email
> protocols, annoys and restricts users for no gain.
>
IMHO, follow KISS. There is no reason to complicate the environment for
the purpose of complicating the environment.
My question would be, what is it that you feel SPF may do for
postgresql.org? Can that same thing be accomplished with
other technology?

Sincerely,

Joshua D. Drake


Re: [CORE] SPF Record ...

From
Dave Page
Date:
Marc G. Fournier wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> - --On Friday, November 17, 2006 08:21:07 +0000 Dave Page <dpage@postgresql.org>
> wrote:
>
>> Please don't add SPF for postgresql.org - unless you're willing to add a
>> record for developer.pgadmin.org as well.
>
> 'k, I wasn't planning on doing -all (strict fail), only ~all (softfail) ... so
> this shouldn't affect either authsmtp.com use, or yours, at least if I'm
> reading things right ...

What's the point if it doesn't prevent mail from any servers other than
the authorised ones?

Regards, Dave.

Re: SPF Record ...

From
"Marc G. Fournier"
Date:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



- --On Friday, November 17, 2006 05:35:26 -0800 "Joshua D. Drake"
<jd@commandprompt.com> wrote:

>
>> Since those having @postgresql.org accounts shoudl be limited to these two
>> lists, can anyone comment on a) is this a bad idea? and b) would they be
>> affected because they don't use SMTP AUTH and c) why aren't you using SMTP
>> AUTH? ...
>>
>>
> Are you saying that you don't *require* smtp auth?

We require SMTP AUTH for anyone wishing to relay through any of our servers,
yes ... we don't run open relays *shiver*

My question above was directed towards ppl like JoshB, whom I know are on the
road and sending email, as to whether they are doing SMTP AUTH against
mail.postgresql.org, or using some other means ...

- ----
Marc G. Fournier           Hub.Org Networking Services (http://www.hub.org)
Email . scrappy@hub.org                              MSN . scrappy@hub.org
Yahoo . yscrappy               Skype: hub.org        ICQ . 7615664
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (FreeBSD)

iD8DBQFFXb7I4QvfyHIvDvMRAvljAJ93fEGBUN3XmNBCzWDC+2wL9PgGNACeKnqX
annXVuu33RZFHG6l/lDXhkA=
=m82Q
-----END PGP SIGNATURE-----


Re: SPF Record ...

From
Peter Eisentraut
Date:
Am Freitag, 17. November 2006 14:24 schrieb Marc G. Fournier:
> 'k, so the problem isn't SPF, but the fact that its not widely adopted and
> used ... so, let's *not* adopt it and increase its usage?

The problem is that the collateral damage imposed by SPF by far outweighs the
benefits, so informed people don't use it.  In addition, the benefits are
solely on the provider side and the damage is mostly on the user side, so as
a matter of providing quality service, sensible ISPs wouldn't use it.

> Where you are losing me here is how this 'worse service' manifests itself
> ... I can understand some cases where this would be the case (a university
> campus where students send email while off campus), but for smaller
> organizations (and I'm sorry, but for the number of mailboxes under
> @postgresql.org, we are a small organization email wise), being able to
> impose some sort of policy (even with a small exceptions list), shouldn't
> cause a degredation in service ...

Certainly you can doctor up endless exceptions, if you are prepared to
speedily integrate the evolving list of mail servers that I choose to use.
But I don't see why such complications would be necessary.  SPF doesn't solve
any problems that I can recognize, or for that matter that you have defined
here.

In more broader terms, this is a matter of principle.  There are already too
many supposedly good ideas around that disturb email traffic and Internet
privacy.  I don't see why you want to be on the forefront of making things
worse.

> You lost me on this one (or I mis-read Magnus' email) ... but, you can't
> use IMAP/POP3 to read hotmail, only their webmail interface ... so, the
> only way to send an email out as an @hotmail.com address *legitimately*
> would be *thrrough* their servers

That is only true for some new definition of "legitimate" which I'm interested
to learn.

--
Peter Eisentraut
http://developer.postgresql.org/~petere/

Re: [CORE] SPF Record ...

From
"Marc G. Fournier"
Date:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



- --On Friday, November 17, 2006 13:50:04 +0000 Dave Page <dpage@postgresql.org>
wrote:

> Marc G. Fournier wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>>
>>
>> - --On Friday, November 17, 2006 08:21:07 +0000 Dave Page
>> <dpage@postgresql.org>  wrote:
>>
>>> Please don't add SPF for postgresql.org - unless you're willing to add a
>>> record for developer.pgadmin.org as well.
>>
>> 'k, I wasn't planning on doing -all (strict fail), only ~all (softfail) ...
>> so  this shouldn't affect either authsmtp.com use, or yours, at least if I'm
>> reading things right ...
>
> What's the point if it doesn't prevent mail from any servers other than the
> authorised ones?

To be honest ... that is actually one question that I was starting to wonder
... what we'd end up wanting to do would be something like:

      v=spf1 a mx include:authsmtp.com include:developer.pgadmin.org -all

Once we were sure we had addressed all the various include:'s ... the ?all
would be an intermidiary step ...

What actually started all of this, as an fyi, is that apparently places like
hotmail are using SPFs (and lack of them) for filtering purposes ... so what
we'd be publishing, for instance, with the above, for some place like hotmail,
would be akin to:

   trust everything coming from 200.46.204.71 + postgresql.org's MX records +

   authsmtp.com + developer.pgadmin.org, but feel free to question everything
else

I believe that stuff like Spamassassin also makes use of it for similar
purposes ... if SPF shows that the sending server is questionable (?all), then
score it higher then if its considered a "Trusted source", as determined by the
domain owners ...

Its basically us advertising what hosts we acknowledge as being legit senders
of @postgresql.org email ... anything else is questionable and should be dealt
with accordingly ... if we go to -all, then we're saying that 'anythign else is
pure garbage' ...

Again, this is based on what I've read so far ...

- ----
Marc G. Fournier           Hub.Org Networking Services (http://www.hub.org)
Email . scrappy@hub.org                              MSN . scrappy@hub.org
Yahoo . yscrappy               Skype: hub.org        ICQ . 7615664
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (FreeBSD)

iD8DBQFFXcGq4QvfyHIvDvMRAusUAJ4jWOjcpwdYONZ3+1ltK9seTeMx1QCg4PyN
o/MZW/PieFmqLOgPXORaT/Q=
=eYQN
-----END PGP SIGNATURE-----


Re: SPF Record ...

From
"Marc G. Fournier"
Date:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



- --On Friday, November 17, 2006 15:03:00 +0100 Peter Eisentraut
<peter_e@gmx.net> wrote:


>> You lost me on this one (or I mis-read Magnus' email) ... but, you can't
>> use IMAP/POP3 to read hotmail, only their webmail interface ... so, the
>> only way to send an email out as an @hotmail.com address *legitimately*
>> would be *thrrough* their servers
>
> That is only true for some new definition of "legitimate" which I'm
> interested  to learn.

If the only way I can read @hotmail.com email is to login to hotmail.com's web
interface, then for what legitimate reason would I setup my desktop mail reader
to pretend I'm @hotmail.com?

- ----
Marc G. Fournier           Hub.Org Networking Services (http://www.hub.org)
Email . scrappy@hub.org                              MSN . scrappy@hub.org
Yahoo . yscrappy               Skype: hub.org        ICQ . 7615664
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (FreeBSD)

iD8DBQFFXcJ+4QvfyHIvDvMRAi2zAKDanz9uM/qJM/qxIn7IwwwXiyMHAQCgx08a
NHdHS85zZluly85Qk/jP+wA=
=0NZP
-----END PGP SIGNATURE-----


Re: SPF Record ...

From
"Marc G. Fournier"
Date:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



- --On Friday, November 17, 2006 15:03:00 +0100 Peter Eisentraut
<peter_e@gmx.net> wrote:

> Certainly you can doctor up endless exceptions, if you are prepared to
> speedily integrate the evolving list of mail servers that I choose to use.

Unless I've mis-read something, the above only applies if we went totally
strict and used -all ... as long as we used ?all, you wouldn't be affected at
all, since we'd be acknowledging that other hosts could send, but that we know
that *our* registered IPs (a / mx) *do* send ...

- ----
Marc G. Fournier           Hub.Org Networking Services (http://www.hub.org)
Email . scrappy@hub.org                              MSN . scrappy@hub.org
Yahoo . yscrappy               Skype: hub.org        ICQ . 7615664
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (FreeBSD)

iD8DBQFFXcM14QvfyHIvDvMRAjFDAJ9uIJuOSyo3sYuNp0xQ172DFZadugCeP6Y7
PWMv0TxKDQSf8OnY1tT4pNY=
=VkAm
-----END PGP SIGNATURE-----


Re: SPF Record ...

From
Andrew Sullivan
Date:
On Fri, Nov 17, 2006 at 10:12:05AM -0400, Marc G. Fournier wrote:
> strict and used -all ... as long as we used ?all, you wouldn't be affected at
> all, since we'd be acknowledging that other hosts could send, but that we know
> that *our* registered IPs (a / mx) *do* send ...

IMO, that's the worst of all worlds.  Effectively, since mail can
(according to what you register) legitmately come from elsewhere,
then there's no benefit to other users, because they have to accept
non-SPF mail anyway.  All it tells people is that mail that came from
you, well, came from you.  But if what you are trying to defend
against is someone hijacking your IP, then you need something other
than SPF.  DNSSEC comes to mind.

A

--
Andrew Sullivan  | ajs@crankycanuck.ca
I remember when computers were frustrating because they *did* exactly what
you told them to.  That actually seems sort of quaint now.
        --J.D. Baldwin

Re: [CORE] SPF Record ...

From
Andrew Sullivan
Date:
On Fri, Nov 17, 2006 at 09:03:29AM -0400, Marc G. Fournier wrote:
> Didn't even know there *was* an RFC for that ... but, if there is, wouldn't it
> be logical that most ISPs wuld block that *as well as* 25?  I've made the
> change though ...

No.  The whole point of that port is that it offers a different,
authenticated service.  So it makes blocking port 25 "legitimate" (as
legitmate as such a solution ever is) because there's an
authenticated way to get there instead.

A

--
Andrew Sullivan  | ajs@crankycanuck.ca
When my information changes, I alter my conclusions.  What do you do sir?
        --attr. John Maynard Keynes

Re: [CORE] SPF Record ...

From
Andrew Sullivan
Date:
On Fri, Nov 17, 2006 at 10:05:29AM -0400, Marc G. Fournier wrote:
>
> What actually started all of this, as an fyi, is that apparently places like
> hotmail are using SPFs (and lack of them) for filtering purposes ... so what

You should be aware that _part_ of the reason hotmail is doing SPF is
because our friends at MS are busily integrating Yet Another Way to
break the previously-working Internet in their systems.  And as
usual, some bright young kids at MS went away, wrote some stuff up
as something they wanted to do, and more or less refused to listen to
people who'd seen lots of damage inflicted by previous, quick
standards efforts.

SPF is _extremely_ controversial among the RFC-writing crowd.  The
surest way to hijack a meeting right now is to open an SPF (or its
cousin, DKIM -- someone famous in SMTP circles said to me in San
Diego that the best thing he could think to say about DKIM was that
it wasn't SPF) discussion.

A

--
Andrew Sullivan  | ajs@crankycanuck.ca
A certain description of men are for getting out of debt, yet are
against all taxes for raising money to pay it off.
        --Alexander Hamilton

Re: SPF Record ...

From
Peter Eisentraut
Date:
Am Freitag, 17. November 2006 15:12 schrieb Marc G. Fournier:
> Unless I've mis-read something, the above only applies if we went totally
> strict and used -all ... as long as we used ?all, you wouldn't be affected
> at all, since we'd be acknowledging that other hosts could send, but that
> we know that *our* registered IPs (a / mx) *do* send ...

Well, sure, but then this whole construction is zero purpose.

--
Peter Eisentraut
http://developer.postgresql.org/~petere/

Re: SPF Record ...

From
Peter Eisentraut
Date:
Am Freitag, 17. November 2006 15:09 schrieb Marc G. Fournier:
> If the only way I can read @hotmail.com email is to login to hotmail.com's
> web interface, then for what legitimate reason would I setup my desktop
> mail reader to pretend I'm @hotmail.com?

The fact that you are sending email from, say, your desktop with an envelope
sender address of <something@hotmail.com> doesn't mean that "you are
@hotmail.com".  It means that replies should go to that address.  There is
nothing wrong with that construction.  (Of course, the real-life use might be
limited, but with postgresql.org or for that matter mostly everyone besides
hotmail.com, there certainly are varied ways to read email, so that argument
is moot for our purposes anyway.)

--
Peter Eisentraut
http://developer.postgresql.org/~petere/

Re: SPF Record ...

From
"Marc G. Fournier"
Date:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



- --On Friday, November 17, 2006 07:00:23 -0500 Andrew Sullivan
<ajs@crankycanuck.ca> wrote:

> On Fri, Nov 17, 2006 at 02:05:46AM -0400, Marc G. Fournier wrote:
>> I'm thinking of adding one to DNS, but after reading up on it, I'm a bit
>> concerned how this might affect some ... specifically, from reading on
>
> Please don't.  SPF is currently an experimental protocol.  There are
> significant reasons to suppose that it is a vector for serious denial
> of service attacks.

Please elaborate on this one and/or provide some sort of links to read up on it
through ... I haven't been able to find anything negative online yet about it :(

- ----
Marc G. Fournier           Hub.Org Networking Services (http://www.hub.org)
Email . scrappy@hub.org                              MSN . scrappy@hub.org
Yahoo . yscrappy               Skype: hub.org        ICQ . 7615664
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (FreeBSD)

iD8DBQFFXmFo4QvfyHIvDvMRAuy7AKCm1vf3RQrv3SuPedxwIeHqxqKFoQCbBFHx
EEEBVs3FEMPVS5UhM9bRG5w=
=M+N0
-----END PGP SIGNATURE-----


Re: [CORE] SPF Record ...

From
"Marc G. Fournier"
Date:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



- --On Friday, November 17, 2006 07:05:24 -0500 Andrew Sullivan
<ajs@crankycanuck.ca> wrote:

> On Fri, Nov 17, 2006 at 01:15:35AM -0500, Tom Lane wrote:
>>
>> +1 on the idea, but am willing to listen to objections...
>
> Well, the objection is basically that SPF records are possibly a
> vector for large-scale DoS amplification attacks _on the receiving
> client end_.  So they don't affect you, but they cause a lot of
> processing by someone else.

But isn't that only if the receiving end has implemented an SPF policy?  SPF
records aren't even checked if postfix (or the other MTAs) are configured to
check for it ... no?

> In any case, though, SPF records are considerably larger than
> traditional DNS responses, which means much of the time everyone is
> failing back to TCP.  Since a number of non-clueful DNS operators
> think you can block TCP on port 53, it's also a potential way to
> prevent communication.

'lack of a clue' seems to be a bad reason to not use SPF, no?  And, please note
that I wasn't suggesting *we* check SPF, only that we provide an SPF record in
our DNS for those that do check it ...

- ----
Marc G. Fournier           Hub.Org Networking Services (http://www.hub.org)
Email . scrappy@hub.org                              MSN . scrappy@hub.org
Yahoo . yscrappy               Skype: hub.org        ICQ . 7615664
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (FreeBSD)

iD8DBQFFXmMA4QvfyHIvDvMRAnBsAKCGb7g9Gty2ykzHv7+hvrhFRb1MegCgq8Mg
pB5mpSjT3LLNhDJBzZaOON4=
=SLkK
-----END PGP SIGNATURE-----


Re: [CORE] SPF Record ...

From
"Dan Langille"
Date:
On 17 Nov 2006 at 21:33, Marc G. Fournier wrote:

>
>
> --On Friday, November 17, 2006 07:05:24 -0500 Andrew Sullivan
> <ajs@crankycanuck.ca> wrote:
>
> > On Fri, Nov 17, 2006 at 01:15:35AM -0500, Tom Lane wrote:
> >>
> >> +1 on the idea, but am willing to listen to objections...
> >
> > Well, the objection is basically that SPF records are possibly a
> > vector for large-scale DoS amplification attacks _on the receiving
> > client end_.  So they don't affect you, but they cause a lot of
> > processing by someone else.
>
> But isn't that only if the receiving end has implemented an SPF policy?  SPF
> records aren't even checked if postfix (or the other MTAs) are configured to
> check for it ... no?

Correct.

> > In any case, though, SPF records are considerably larger than
> > traditional DNS responses, which means much of the time everyone is
> > failing back to TCP.  Since a number of non-clueful DNS operators
> > think you can block TCP on port 53, it's also a potential way to
> > prevent communication.
>
> 'lack of a clue' seems to be a bad reason to not use SPF, no?  And, please note
> that I wasn't suggesting *we* check SPF, only that we provide an SPF record in
> our DNS for those that do check it ...

Noted.  That is what was proposed.

--
Dan Langille : Software Developer looking for work
my resume: http://www.freebsddiary.org/dan_langille.php



Re: [CORE] SPF Record ...

From
Peter Eisentraut
Date:
Marc G. Fournier wrote:
> please note that I wasn't suggesting *we* check SPF, only that we
> provide an SPF record in our DNS for those that do check it ...

By publishing an SPF record you are saying that all mail using
@postgresql.org domains must go over a particular mail server, but you
haven't offered any reason so far why that would have to be so.

--
Peter Eisentraut
http://developer.postgresql.org/~petere/

Re: [CORE] SPF Record ...

From
"Marc G. Fournier"
Date:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



- --On Saturday, November 18, 2006 18:12:22 +0100 Peter Eisentraut
<peter_e@gmx.net> wrote:

> Marc G. Fournier wrote:
>> please note that I wasn't suggesting *we* check SPF, only that we
>> provide an SPF record in our DNS for those that do check it ...
>
> By publishing an SPF record you are saying that all mail using
> @postgresql.org domains must go over a particular mail server

That is not true .. that is only true if we publish -all ... if we publish
?all, we are saying that anything coming from "a mx" are *definitely* from
@postgresql.org, and that from other sources they *might* be ... with ?all, it
becomes more a means of Scoring for spam filters like Spamassassin then
anything else ...

- ----
Marc G. Fournier           Hub.Org Networking Services (http://www.hub.org)
Email . scrappy@hub.org                              MSN . scrappy@hub.org
Yahoo . yscrappy               Skype: hub.org        ICQ . 7615664
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (FreeBSD)

iD8DBQFFX0Um4QvfyHIvDvMRAu4qAJ9IQMy0A2+oXoXTpNUTSr2scJyU4gCeOPTg
AxOt9jLUuw6OAWP4xpxkFys=
=cS6G
-----END PGP SIGNATURE-----


Re: SPF Record ...

From
"Joshua D. Drake"
Date:
Hello,

My question is:

What problem are we trying to solve by using SPF?

Sincerely,

Joshua D. Drake

--

      === The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
Providing the most comprehensive  PostgreSQL solutions since 1997
             http://www.commandprompt.com/

Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate




Re: SPF Record ...

From
"Dan Langille"
Date:
On 18 Nov 2006 at 11:29, Joshua D. Drake wrote:

> Hello,
>
> My question is:
>
> What problem are we trying to solve by using SPF?

And SPF record is not for us.  It is for others.

An SPF record tells other people where our email is [most likely] to
be coming from.  It helps them to design spam detection techniques.
When combined with other information, it helps them to draw a
conclusion as to whether or not a given email is spam.

--
Dan Langille : Software Developer looking for work
my resume: http://www.freebsddiary.org/dan_langille.php



Re: SPF Record ...

From
"Joshua D. Drake"
Date:
On Sat, 2006-11-18 at 15:44 -0500, Dan Langille wrote:
> On 18 Nov 2006 at 11:29, Joshua D. Drake wrote:
>
> > Hello,
> >
> > My question is:
> >
> > What problem are we trying to solve by using SPF?
>
> And SPF record is not for us.  It is for others.
>
> An SPF record tells other people where our email is [most likely] to
> be coming from.  It helps them to design spam detection techniques.
> When combined with other information, it helps them to draw a
> conclusion as to whether or not a given email is spam.

O.k. and is OpenSPF the definitive source for information on it?

Honestly, the whole thing sounds pretty pointless at least at this
juncture. I am not bashing the technology but I don't really see a
reason for it.

Sincerely,

Joshua D. Drake


--

      === The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
Providing the most comprehensive  PostgreSQL solutions since 1997
             http://www.commandprompt.com/

Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate




Re: SPF Record ...

From
"Dan Langille"
Date:
On 18 Nov 2006 at 12:52, Joshua D. Drake wrote:

> On Sat, 2006-11-18 at 15:44 -0500, Dan Langille wrote:
> > On 18 Nov 2006 at 11:29, Joshua D. Drake wrote:
> >
> > > Hello,
> > >
> > > My question is:
> > >
> > > What problem are we trying to solve by using SPF?
> >
> > And SPF record is not for us.  It is for others.
> >
> > An SPF record tells other people where our email is [most likely] to
> > be coming from.  It helps them to design spam detection techniques.
> > When combined with other information, it helps them to draw a
> > conclusion as to whether or not a given email is spam.
>
> O.k. and is OpenSPF the definitive source for information on it?

I do not know who is the definite source.

> Honestly, the whole thing sounds pretty pointless at least at this
> juncture. I am not bashing the technology but I don't really see a
> reason for it.

Good!  Then you'd agree, there's no harm in publishing our SPF
records vis DNS and letting others use it.

--
Dan Langille : Software Developer looking for work
my resume: http://www.freebsddiary.org/dan_langille.php



Re: SPF Record ...

From
"Joshua D. Drake"
Date:
> > O.k. and is OpenSPF the definitive source for information on it?
>
> I do not know who is the definite source.
>
> > Honestly, the whole thing sounds pretty pointless at least at this
> > juncture. I am not bashing the technology but I don't really see a
> > reason for it.
>
> Good!  Then you'd agree, there's no harm in publishing our SPF
> records vis DNS and letting others use it.

My only argument would be *if* there is additional administrative
overhead. If not.. I a really don't care :). If Marc wants to use it,
have at it.

Sincerely,

Joshua D. Drake


>
--

      === The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
Providing the most comprehensive  PostgreSQL solutions since 1997
             http://www.commandprompt.com/

Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate




Re: [CORE] SPF Record ...

From
Josh Berkus
Date:
All,

Just as a reminder, please let's not do *anything* to the mail servers until
at least ten days after the 8.2 release.  Thanks.

--
Josh Berkus
PostgreSQL @ Sun
San Francisco

Re: [CORE] SPF Record ...

From
"Marc G. Fournier"
Date:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



- --On Saturday, November 18, 2006 13:19:43 -0800 Josh Berkus
<josh@agliodbs.com>
wrote:

> All,
>
> Just as a reminder, please let's not do *anything* to the mail servers until
> at least ten days after the 8.2 release.  Thanks.

I believe the thought was to wait until the start of January (unless, of
course, 8.2 somehow gets pushed back that far) ... which should be a bit more
then 10 days after the release ...

- ----
Marc G. Fournier           Hub.Org Networking Services (http://www.hub.org)
Email . scrappy@hub.org                              MSN . scrappy@hub.org
Yahoo . yscrappy               Skype: hub.org        ICQ . 7615664
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (FreeBSD)

iD8DBQFFX3oi4QvfyHIvDvMRAtMSAKDpAhLz1c0F6u5erITqB30k1VviQwCfa/Vp
jwyU90XdmxbEw4Urbxt7ueE=
=1ilr
-----END PGP SIGNATURE-----


Re: SPF Record ...

From
"Dan Langille"
Date:
On 18 Nov 2006 at 13:09, Joshua D. Drake wrote:

>
> > > O.k. and is OpenSPF the definitive source for information on it?
> >
> > I do not know who is the definite source.
> >
> > > Honestly, the whole thing sounds pretty pointless at least at this
> > > juncture. I am not bashing the technology but I don't really see a
> > > reason for it.
> >
> > Good!  Then you'd agree, there's no harm in publishing our SPF
> > records vis DNS and letting others use it.
>
> My only argument would be *if* there is additional administrative
> overhead. If not.. I a really don't care :). If Marc wants to use it,
> have at it.

It is a DNS record.  It only requires updating if you substantially
change your existing MX strategy.

--
Dan Langille : Software Developer looking for work
my resume: http://www.freebsddiary.org/dan_langille.php



Re: [CORE] SPF Record ...

From
Peter Eisentraut
Date:
Marc G. Fournier wrote:
> That is not true .. that is only true if we publish -all ... if we
> publish ?all, we are saying that anything coming from "a mx" are
> *definitely* from @postgresql.org, and that from other sources they
> *might* be ... with ?all, it becomes more a means of Scoring for spam
> filters like Spamassassin then anything else ...

You continue to operate under the assumption that SPF has something to
do with spam.  It doesn't.  SPF enforces that email travels across
approved hosts.  Spammers who hijack dial-up PCs (currently the
majority of junk mail) can also make their email travel across approved
hosts.  Spammers can also set up their own SPF records to fool your
scoring system.

Go to the SPF web site.  It says: "SPF: A Sender Policy Framework to
Prevent Email Forgery".  That's what it does.  It prevents that spammer
A can claim that he is spammer B.  And it doesn't even do that very
well.

--
Peter Eisentraut
http://developer.postgresql.org/~petere/

Re: SPF Record ...

From
Andrew Sullivan
Date:
On Sat, Nov 18, 2006 at 12:52:49PM -0800, Joshua D. Drake wrote:
> O.k. and is OpenSPF the definitive source for information on it?

No.  The IETF is the definitive source for information on it, because
that's where the standard is actually published.

A
--
Andrew Sullivan  | ajs@crankycanuck.ca
The whole tendency of modern prose is away from concreteness.
        --George Orwell

Re: SPF Record ...

From
Andrew Sullivan
Date:
On Sat, Nov 18, 2006 at 04:01:45PM -0500, Dan Langille wrote:
> > juncture. I am not bashing the technology but I don't really see a
> > reason for it.
>
> Good!  Then you'd agree, there's no harm in publishing our SPF
> records vis DNS and letting others use it.

That is a _really bad_ argument.  You cannot infer "do X" from "I
don't know whether X is harmful or not."

A

--
Andrew Sullivan  | ajs@crankycanuck.ca
"The year's penultimate month" is not in truth a good way of saying
November.
        --H.W. Fowler

Re: [CORE] SPF Record ...

From
Andrew Sullivan
Date:
On Fri, Nov 17, 2006 at 09:33:52PM -0400, Marc G. Fournier wrote:
> > client end_.  So they don't affect you, but they cause a lot of
> > processing by someone else.
>
> But isn't that only if the receiving end has implemented an SPF policy?  SPF
> records aren't even checked if postfix (or the other MTAs) are configured to
> check for it ... no?

That's the point.  If Doug Otis is right, by _you implementing_ SPF,
you become the potential source for a large-multiple amplification
DoS attack, on someone who is checking SPF.  If your response is,
"Well, they shouldn't check SPF then," my question is then, "So why
put the record in DNS?"

In any case, SPF is _experimental_.  Experimental protocols are
released that way because there is significant suggestion in the
community that the protocol might actually be harmful to the
Internet.

> 'lack of a clue' seems to be a bad reason to not use SPF, no?

No.  The DNS is a distributed database used by everyone on the
Internet, the users of which you don't even know and cannot be sure
you can learn about.  If there is any place at all to be conservative
in what you send, it's the DNS.

A

--
Andrew Sullivan  | ajs@crankycanuck.ca
If they don't do anything, we don't need their acronym.
        --Josh Hamilton, on the US FEMA

Re: [CORE] SPF Record ...

From
Andrew Sullivan
Date:
On Sat, Nov 18, 2006 at 01:38:45PM -0400, Marc G. Fournier wrote:
> That is not true .. that is only true if we publish -all ... if we publish
> ?all, we are saying that anything coming from "a mx" are *definitely* from
> @postgresql.org, and that from other sources they *might* be ... with ?all, it
> becomes more a means of Scoring for spam filters like Spamassassin then
> anything else ...

You seem to have missed the part of the discussion where we pointed
out that that strategy provides _no benefit at all_ in SPF terms.
Anyone can still send mail with the postgresql.org domain on it,
which means that all the SPF machinery at the other end has to be
used (including all the additional load on the global DNS), for
exactly no guarantees.

A

--
Andrew Sullivan  | ajs@crankycanuck.ca
Unfortunately reformatting the Internet is a little more painful
than reformatting your hard drive when it gets out of whack.
        --Scott Morris

Re: [CORE] SPF Record ...

From
Peter Eisentraut
Date:
Marc G. Fournier wrote:
> "SpamAssassin 3.0 supports SPF to detect and penalize header
> forgery."

I am painfully aware that SpamAssassin applies SPF.  But that just shows
that they are equally clueless because what they consider "header
forgery" is another man's idea of privacy, freedom, and
self-determination.

--
Peter Eisentraut
http://developer.postgresql.org/~petere/

Re: [CORE] SPF Record ...

From
Andrew Sullivan
Date:
On Sun, Nov 19, 2006 at 12:45:48PM -0400, Marc G. Fournier wrote:
> "SpamAssassin 3.0 supports SPF to detect and penalize header forgery."

If your main goal is to reduce spam, _point finale_, then SPF will
help.  If your main goal is to reduce spam _while not causing
unwanted side-effects_, then spamassassin's approach above does not
meet the goal.

The problems with SPF are subtle, and by no means apparent at first
glance.  SPF _looks_ like a good thing, if only everyone plays nice.
As a matter of fact, though, it causes damage to the global DNS, and
doesn't actually solve the problem it should given the way people
actually use email.  Moreover, the "interim" measures that people
have put into the protocol for transition purposes turn out to make
it worse than useless: all the cost has to be paid, and none of the
putative benefit is delivered.  Even DKIM is a better answer than
this (and I'm no fan).

Compare this to the way MySQL delivers the enum data type.  "Causes
no damage.  Just an extension," some say.  But the actual effects in
the field are different: it causes sloppy, poorly generalised design,
and miseducates people about how SQL works.  It shouldn't be used,
because there was already a good, more general way to do the same
thing under SQL.  In my view, SPF is the same sort of damage, and
shouldn't be used.

A

--
Andrew Sullivan  | ajs@crankycanuck.ca
This work was visionary and imaginative, and goes to show that visionary
and imaginative work need not end up well.
        --Dennis Ritchie

Re: [CORE] SPF Record ...

From
"Marc G. Fournier"
Date:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



- --On Sunday, November 19, 2006 09:28:17 +0100 Peter Eisentraut
<peter_e@gmx.net> wrote:

> Marc G. Fournier wrote:
>> That is not true .. that is only true if we publish -all ... if we
>> publish ?all, we are saying that anything coming from "a mx" are
>> *definitely* from @postgresql.org, and that from other sources they
>> *might* be ... with ?all, it becomes more a means of Scoring for spam
>> filters like Spamassassin then anything else ...
>
> You continue to operate under the assumption that SPF has something to
> do with spam.  It doesn't.

Then obviously you are not as well-informed as you like to think you are:

"SpamAssassin 3.0 supports SPF to detect and penalize header forgery."

- ----
Marc G. Fournier           Hub.Org Networking Services (http://www.hub.org)
Email . scrappy@hub.org                              MSN . scrappy@hub.org
Yahoo . yscrappy               Skype: hub.org        ICQ . 7615664
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (FreeBSD)

iD8DBQFFYIo84QvfyHIvDvMRArlQAJ9rmKMYsjUuKDHvClKS85u47CB9RACfei9h
9eDBWdfJzVRYusa8nKHZy4g=
=K/Rk
-----END PGP SIGNATURE-----


Re: [CORE] SPF Record ...

From
"Joshua D. Drake"
Date:
> >
> > You continue to operate under the assumption that SPF has something to
> > do with spam.  It doesn't.
>
> Then obviously you are not as well-informed as you like to think you are:
>
> "SpamAssassin 3.0 supports SPF to detect and penalize header forgery."

Marc if your goal is to help eliminate spam or at least ease spam
detection, why not focus on other spam products such as Dspam or Razor?

Joshua D. Drake


>
> - ----
> Marc G. Fournier           Hub.Org Networking Services (http://www.hub.org)
> Email . scrappy@hub.org                              MSN . scrappy@hub.org
> Yahoo . yscrappy               Skype: hub.org        ICQ . 7615664
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (FreeBSD)
>
> iD8DBQFFYIo84QvfyHIvDvMRArlQAJ9rmKMYsjUuKDHvClKS85u47CB9RACfei9h
> 9eDBWdfJzVRYusa8nKHZy4g=
> =K/Rk
> -----END PGP SIGNATURE-----
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 3: Have you checked our extensive FAQ?
>
>                http://www.postgresql.org/docs/faq
>
--

      === The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
Providing the most comprehensive  PostgreSQL solutions since 1997
             http://www.commandprompt.com/

Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate




Re: [CORE] SPF Record ...

From
"Marc G. Fournier"
Date:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



- --On Sunday, November 19, 2006 11:17:33 -0800 "Joshua D. Drake"
<jd@commandprompt.com> wrote:

>> >
>> > You continue to operate under the assumption that SPF has something to
>> > do with spam.  It doesn't.
>>
>> Then obviously you are not as well-informed as you like to think you are:
>>
>> "SpamAssassin 3.0 supports SPF to detect and penalize header forgery."
>
> Marc if your goal is to help eliminate spam or at least ease spam
> detection, why not focus on other spam products such as Dspam or Razor?

Actually, we use Spamassassin + Razor + Pyzor + Bayes + Spamcop right now,
using Maia Mailguard as a front end ... I have 60k "unconfirmed spam" sitting
in the database right now, most of which is scoring >20 ... I go through
several hundred a week (the lowest scoring stuff) for all of the mailing lists,
so that I'm adding to the Razor/Pyzor/Spamcop/Bayes database ... but that only
keeps the mail from the lists, it doesn't keep them from the server(s) ... and
I'm not just focusing on @postgresql.org email, but spam as a whole ...

How many on this list do anything to contribute to Razory/Pyzor/Spamcop, but
make use of Spamassassin?  I know until I setup Maia here, that it was just way
to much work to report each message individually ...

The thing is, 'checking for spam as it comes in' doesn't get rid of, or reduce,
the problem ... SPF might not be it either ... but, if (in a perfect world)
every mail server forced something like SPF, so that ppl could only send email
through a legit mail server (ie. commandprompt.com email through a
commandprompt.com mail server, gmx.net mail through a gmx.net mail server, etc)
... would that not reduce the overall spam on the 'Net?

I don't know the answer to this, nor do I truly believe anyone here on this
list can say with certainty ... all my goal was with adding a simple SPF record
was to try and further reduce the possibility of someone using @postgresql.org
for spam purposes, as well as providing more information to spam filters as to
whether or not email addressed that way should be concerned legit or not ...

Until someone devises the 'perfect solution to spam', I would think that a
series of 'less then perfect ones' would at least help combat it ...

- ----
Marc G. Fournier           Hub.Org Networking Services (http://www.hub.org)
Email . scrappy@hub.org                              MSN . scrappy@hub.org
Yahoo . yscrappy               Skype: hub.org        ICQ . 7615664
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (FreeBSD)

iD8DBQFFYLCC4QvfyHIvDvMRAtO6AJwOLS1MuQXbEHnuYG1UVMw2Ye+NRgCgnA5A
lRujfCHH7PTkTMING9xxbeA=
=7G4i
-----END PGP SIGNATURE-----


Re: [CORE] SPF Record ...

From
"Marc G. Fournier"
Date:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



- --On Sunday, November 19, 2006 18:05:56 +0100 Peter Eisentraut
<peter_e@gmx.net> wrote:

> Marc G. Fournier wrote:
>> "SpamAssassin 3.0 supports SPF to detect and penalize header
>> forgery."
>
> I am painfully aware that SpamAssassin applies SPF.  But that just shows
> that they are equally clueless because what they consider "header
> forgery" is another man's idea of privacy, freedom, and
> self-determination.

'k, so if I start sending emails out as peter_e@gmx.net, you'd have no problems
with that, sinc it could fall under my idea of 'privacy, freedom and
self-determination'?  It would affect you, since I know *I* won't be getting
the angry messages back, or bounces, and for that reason alone, its generally
used by spammers ...

Show me an *ethical / legit* reason why I would want to send out email as
someone else?  I personally can think of absolutely none ...

- ----
Marc G. Fournier           Hub.Org Networking Services (http://www.hub.org)
Email . scrappy@hub.org                              MSN . scrappy@hub.org
Yahoo . yscrappy               Skype: hub.org        ICQ . 7615664
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (FreeBSD)

iD8DBQFFYKvF4QvfyHIvDvMRApFjAJ9rRMornNz0NEHvhLVkpwfxdAag0gCgiYe/
+i/2s0Wz8+iK9pdkASRO4IY=
=kxQ8
-----END PGP SIGNATURE-----


Re: [CORE] SPF Record ...

From
"Joshua D. Drake"
Date:
> How many on this list do anything to contribute to Razory/Pyzor/Spamcop, but
> make use of Spamassassin?  I know until I setup Maia here, that it was just way
> to much work to report each message individually ...

Well to be honest, I only use greylisting and just delete any spam I get
throughout the day.

>
> The thing is, 'checking for spam as it comes in' doesn't get rid of, or reduce,
> the problem ... SPF might not be it either ... but, if (in a perfect world)
> every mail server forced something like SPF, so that ppl could only send email
> through a legit mail server (ie. commandprompt.com email through a
> commandprompt.com mail server, gmx.net mail through a gmx.net mail server, etc)
> ... would that not reduce the overall spam on the 'Net?

Sure but you do have at least one person that is highly qualified to
make his point known, that this is a bad idea (AndrewS).

>
> I don't know the answer to this, nor do I truly believe anyone here on this
> list can say with certainty ... all my goal was with adding a simple SPF record
> was to try and further reduce the possibility of someone using @postgresql.org
> for spam purposes, as well as providing more information to spam filters as to
> whether or not email addressed that way should be concerned legit or not ...

Fair enough but honestly, who cares...? Nobody I know uses SPF and thus
although a good natured, and ethically positive idea, it wouldn't make
much if any difference.

Sincerely,

Joshua D. Drake

--

      === The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
Providing the most comprehensive  PostgreSQL solutions since 1997
             http://www.commandprompt.com/

Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate




Re: [CORE] SPF Record ...

From
Dave Page
Date:
Marc G. Fournier wrote:

> Until someone devises the 'perfect solution to spam', I would think that a
> series of 'less then perfect ones' would at least help combat it ...

And that's a perfectly fine idea, except when one of those partial
solutions can have undesirable side effects. In the case of SPF we've
heard of at least two so far:

1) When used without ?all, those scoring messages using SPF may end up
blocking legitimate messages from non-listed servers.

2) SPF may be used as a mechanism for DNS attacks.

Regards, Dave.

Re: [CORE] SPF Record ...

From
Peter Eisentraut
Date:
Marc G. Fournier wrote:
> The thing is, 'checking for spam as it comes in' doesn't get rid of,
> or reduce, the problem ... SPF might not be it either ... but, if (in
> a perfect world) every mail server forced something like SPF, so that
> ppl could only send email through a legit mail server (ie.
> commandprompt.com email through a commandprompt.com mail server,
> gmx.net mail through a gmx.net mail server, etc) ... would that not
> reduce the overall spam on the 'Net?

Not really, because of two reasons:

1) Spammers can just register their own domain and set up SPF records
for that.

2) Most spam is sent through zombies, so it passes through the SPF
system undetected.

--
Peter Eisentraut
http://developer.postgresql.org/~petere/

Re: [CORE] SPF Record ...

From
Peter Eisentraut
Date:
Marc G. Fournier wrote:
> 'k, so if I start sending emails out as peter_e@gmx.net, you'd have
> no problems with that,

That is completely unrelated to the SPF issue.  What you are describing
is presumably one person impersonating another.  But SPF only addresses
the path that email takes.  You can still pretend to be someone else.

--
Peter Eisentraut
http://developer.postgresql.org/~petere/

Re: [CORE] SPF Record ...

From
"Larry Rosenman"
Date:
Dave Page wrote:
> Marc G. Fournier wrote:
>
>> Until someone devises the 'perfect solution to spam', I would think
>> that a series of 'less then perfect ones' would at least help combat
>> it ...
>
> And that's a perfectly fine idea, except when one of those partial
> solutions can have undesirable side effects. In the case of SPF we've
> heard of at least two so far:
>
> 1) When used without ?all, those scoring messages using SPF may end
> up blocking legitimate messages from non-listed servers.
>
> 2) SPF may be used as a mechanism for DNS attacks.
>
> Regards, Dave.

Just to add some more to the debate:
http://david.woodhou.se/why-not-spf.html
http://www.circleid.com/posts/spf_loses_mindshare/

And others.

I respect Suresh a LOT from the anti-spam community,
 and I've REMOVED my SPF records.  I don't think we (PostgreSQL.org)
 should put an SPF record in place.



--
Larry Rosenman                     http://www.lerctr.org/~ler
Phone: +1 512-248-2683             E-Mail: ler@lerctr.org
US Mail: 430 Valona Loop, Round Rock, TX 78681-3893


Re: [CORE] SPF Record ...

From
"Marc G. Fournier"
Date:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



- --On Sunday, November 19, 2006 21:53:31 +0100 Peter Eisentraut
<peter_e@gmx.net> wrote:

> Marc G. Fournier wrote:
>> The thing is, 'checking for spam as it comes in' doesn't get rid of,
>> or reduce, the problem ... SPF might not be it either ... but, if (in
>> a perfect world) every mail server forced something like SPF, so that
>> ppl could only send email through a legit mail server (ie.
>> commandprompt.com email through a commandprompt.com mail server,
>> gmx.net mail through a gmx.net mail server, etc) ... would that not
>> reduce the overall spam on the 'Net?
>
> Not really, because of two reasons:
>
> 1) Spammers can just register their own domain and set up SPF records
> for that.

An easy way to block spam ... I'd actually *like* that one ... as would most
blacklists out there ...

> 2) Most spam is sent through zombies, so it passes through the SPF
> system undetected.

Please elaborate on this one ...

- ----
Marc G. Fournier           Hub.Org Networking Services (http://www.hub.org)
Email . scrappy@hub.org                              MSN . scrappy@hub.org
Yahoo . yscrappy               Skype: hub.org        ICQ . 7615664
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (FreeBSD)

iD8DBQFFYQtq4QvfyHIvDvMRAl42AJ92LUeNHjvH8ryD1p2UQjQVBIE8BQCfUdLn
8G0LhuiP5nmn1tXsTI0Robo=
=QTZK
-----END PGP SIGNATURE-----


Re: [CORE] SPF Record ...

From
"Joshua D. Drake"
Date:
> > 2) Most spam is sent through zombies, so it passes through the SPF
> > system undetected.
>
> Please elaborate on this one ...

Basically most spam isn't sent via a forged header, but sent via a
hijacked PC or other method. So the SPF wouldn't help.

Sincerely,

Joshua D. Drake

>
> - ----
> Marc G. Fournier           Hub.Org Networking Services (http://www.hub.org)
> Email . scrappy@hub.org                              MSN . scrappy@hub.org
> Yahoo . yscrappy               Skype: hub.org        ICQ . 7615664
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (FreeBSD)
>
> iD8DBQFFYQtq4QvfyHIvDvMRAl42AJ92LUeNHjvH8ryD1p2UQjQVBIE8BQCfUdLn
> 8G0LhuiP5nmn1tXsTI0Robo=
> =QTZK
> -----END PGP SIGNATURE-----
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 3: Have you checked our extensive FAQ?
>
>                http://www.postgresql.org/docs/faq
>
--

      === The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
Providing the most comprehensive  PostgreSQL solutions since 1997
             http://www.commandprompt.com/

Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate




Re: [CORE] SPF Record ...

From
"Marc G. Fournier"
Date:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



- --On Sunday, November 19, 2006 21:59:53 +0100 Peter Eisentraut
<peter_e@gmx.net> wrote:

> Marc G. Fournier wrote:
>> 'k, so if I start sending emails out as peter_e@gmx.net, you'd have
>> no problems with that,
>
> That is completely unrelated to the SPF issue.  What you are describing
> is presumably one person impersonating another.  But SPF only addresses
> the path that email takes.  You can still pretend to be someone else.

Huh??  If gmx.net had an SPF record that stated that only gmx.net and its MXs
were authoritative sources of mail for their domain, and I send something
through hub.org as peter_e@gmx.net, the receiving server, if it checks/honors
SPF, would end up rejecting it as spam ... the only way it wouldn't is if I
could relay *through* gmx.net (I'm assuming that I can't?) so that not only am
I impersonating you, but I'm doing it in such a way that the SPF record
verifies that it is legit ...

- ----
Marc G. Fournier           Hub.Org Networking Services (http://www.hub.org)
Email . scrappy@hub.org                              MSN . scrappy@hub.org
Yahoo . yscrappy               Skype: hub.org        ICQ . 7615664
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (FreeBSD)

iD8DBQFFYQwK4QvfyHIvDvMRAtXtAJwJeI5eZWCDmL4wjiidVUxwKhcZ4wCdEhjt
I9VLt90vSynY3OuTSjQefBQ=
=u+x8
-----END PGP SIGNATURE-----


Re: [CORE] SPF Record ...

From
Dave Page
Date:
Marc G. Fournier wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> the only way it wouldn't is if I
> could relay *through* gmx.net (I'm assuming that I can't?) so that not only am
> I impersonating you, but I'm doing it in such a way that the SPF record
> verifies that it is legit ...

Which is another reason why it doesn't work well - a large percentage
(perhaps the majority) of spam is sent through trojans running on poorly
secured Windows boxes. If Peter were running such a machine, yes, you as
an evil spammer could easily send spam as peter_e@gmx.net through
mail.gmx.net.

SPF just legitimsed that spam :-(

Regards, Dave.

Re: [CORE] SPF Record ...

From
Andrew Sullivan
Date:
On Mon, Nov 20, 2006 at 08:28:07AM +0000, Dave Page wrote:
> (perhaps the majority) of spam is sent through trojans running on poorly
> secured Windows boxes.

Right.  I didn't really want to get into this level of detail on
list, but here we go.

Note that they're not just "poorly secured".  They're _default_
Windows boxes.  That is, it is now nearly impossible to
download all the patches for a bog-standard WinXP installation before
the machine is compromised.  Which means that merely by reinstalling
the operating system, many users are all but guaranteeing that
they'll be part of a botnet in no time.  And since the solution to a
lot of Windows problems is "reinstall", you can see what happens.

The attackers, including spam operators, build networks of
_thousands_ of these things.  You can have such a pre-built net for
your own use for next to no money, or build your own for very little
effort with downloadable tools floating around the Net.  Every one of
those machines will be authenticated to its mail domain; and, if the
machine is sending spam, then that spam is authenticated as well as
any other mail from the domain is.

So, SPF protects somewhat against forged-header spam, at a high cost
to the rest of the Internet.  But it doesn't actually protect against
the real current threats at all (the spambot drone armies).

A

--
Andrew Sullivan  | ajs@crankycanuck.ca
When my information changes, I alter my conclusions.  What do you do sir?
        --attr. John Maynard Keynes

Re: [CORE] SPF Record ...

From
Andrew Sullivan
Date:
On Sun, Nov 19, 2006 at 09:56:58PM -0400, Marc G. Fournier wrote:
> > 1) Spammers can just register their own domain and set up SPF records
> > for that.
>
> An easy way to block spam ... I'd actually *like* that one ... as would most
> blacklists out there ...

You can't update your blacklist fast enough.  When you register a
domain these days, it resolves on the Net inside 10 minutes.  Better
still, if you're a registrar, if you delete the domain inside 5 days,
you _get your money back_.  So you can set up as a registrar for
about $2500.  You register domains, put in the SPF records, send your
spam, delete the domain, and your domain is gone before anyone's
blackhole list has even been touched.  There _is_ a list of
"recently-registered domains" built by Rick Wesson, but its
resolution is only as good as one day (he can't get the data faster
than that).

A

--
Andrew Sullivan  | ajs@crankycanuck.ca
A certain description of men are for getting out of debt, yet are
against all taxes for raising money to pay it off.
        --Alexander Hamilton

Re: [CORE] SPF Record ...

From
"Magnus Hagander"
Date:
> > (perhaps the majority) of spam is sent through trojans running on
> > poorly secured Windows boxes.
>
> Right.  I didn't really want to get into this level of detail
> on list, but here we go.
>
> Note that they're not just "poorly secured".  They're
> _default_ Windows boxes.  That is, it is now nearly
> impossible to download all the patches for a bog-standard
> WinXP installation before the machine is compromised.  Which
> means that merely by reinstalling the operating system, many
> users are all but guaranteeing that they'll be part of a
> botnet in no time.  And since the solution to a lot of
> Windows problems is "reinstall", you can see what happens.

A standalone firewall-box-thingy for your broadband is only like $15 or
so today. Let's lobby the lawmakers to make it mandatory to ship one of
those if you ship a box with windows on it to a customer :-) Or at least
ship the recovery CDs with SP2 preinstalled (which has a firewall that's
definitlyi enough to deal with *that* threat pre-installed).

But. That's not really what this thread is about. I thought it was
reasonably well established that even *IF* SPF worked the way it's
supposed to (I'm not getting into that discussion, this is clearly the
wrong forum for that), it's not appropriate for the postgresql.org
domain specifically because we have several users relaying through a
whole set of different MXes.


> The attackers, including spam operators, build networks of
> _thousands_ of these things.  You can have such a pre-built
> net for your own use for next to no money, or build your own
> for very little effort with downloadable tools floating
> around the Net.  Every one of those machines will be
> authenticated to its mail domain; and, if the machine is
> sending spam, then that spam is authenticated as well as any
> other mail from the domain is.

Hey, maybe we can set up a version of PostgreSQL that can run
distributed across one of these zombie nets? Talk about processing power
for your queries. Maybe I should speak to the bizgres guys about that.


//Magnus

Re: [CORE] SPF Record ...

From
Peter Eisentraut
Date:
Marc G. Fournier wrote:
> Huh??  If gmx.net had an SPF record that stated that only gmx.net and
> its MXs were authoritative sources of mail for their domain, and I
> send something through hub.org as peter_e@gmx.net, the receiving
> server, if it checks/honors SPF, would end up rejecting it as spam

What does that have to do with anything?  If _you_ send email as
peter_e@gmx.net through any host, you are impersonanting.  If I am
sending any @gmx.net mail through any host other than the one
designated by gmx.net I am running afoul of SPF, but I am not
impersonating.  Those are two completely different things.

This is basically the difference between what return address you write
on a letter and what postal service you use.  You are presumably a user
of a Canadian return address (your "domain").  If the "domain owner"
(the government?) published an "SPF" record declaring that all Canada
mail must be routed through some carrier or post office, then those
implementing "SPF" on the other end might be inclined to reject all
Canada mail coming through another carrier or post office.  But you
might ask yourself what business the "domain owner" has to say which
way you send your mail, and note that you can still randomly forge your
return address.

--
Peter Eisentraut
http://developer.postgresql.org/~petere/

Re: [CORE] SPF Record ...

From
Peter Eisentraut
Date:
Marc G. Fournier wrote:
> > 1) Spammers can just register their own domain and set up SPF
> > records for that.
>
> An easy way to block spam ... I'd actually *like* that one ... as
> would most blacklists out there ...

Blacklisting problems aside, if you know who is spamming you can already
blacklist them today.  You don't have to wait for SPF to appear.

--
Peter Eisentraut
http://developer.postgresql.org/~petere/

Re: [CORE] SPF Record ...

From
"Marc G. Fournier"
Date:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



- --On Sunday, November 19, 2006 15:33:08 -0600 Larry Rosenman <ler@lerctr.org>
wrote:

> Just to add some more to the debate:
> http://david.woodhou.se/why-not-spf.html
> http://www.circleid.com/posts/spf_loses_mindshare/

Thanks Larry ... the first, specifically, is a very good read ...

- ----
Marc G. Fournier           Hub.Org Networking Services (http://www.hub.org)
Email . scrappy@hub.org                              MSN . scrappy@hub.org
Yahoo . yscrappy               Skype: hub.org        ICQ . 7615664
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (FreeBSD)

iD8DBQFFYpYQ4QvfyHIvDvMRAlXmAKCkAIYJuM6S4/vSnFZyUvNZ0PYVwQCgvMLq
KrGjSdo8vxxE/6TJaLT/Yzc=
=Uuy3
-----END PGP SIGNATURE-----


Re: [CORE] SPF Record ...

From
Jim Nasby
Date:
On Nov 17, 2006, at 2:06 AM, Josh Berkus wrote:
> Marc,
>> Damn, I thought we had set that up for you awhile back ... port 26 on
>> mail.postgresql.org will accept external smtp connections as well
>> as port
>> 25, to get around this ... we have a fair # of clients whose cable
>> ISPs do
>> the same thing :(
>
> Yes, you tried, but the Mariott I was staying at blocked 26 as
> well.  Anyway,
> AuthSMTP is paid for and is reasonably secure.

BTW, most hotels I've been at do provide some means to unblock port
25, the assumption being that if you're clueful enough to accomplish
that, you probably don't have any bots running on your laptop.
There's actually a website you can hit for most of them that will do
it, but I don't remember what it is (I just went the easy route and
opened 587 on my mail server).
--
Jim Nasby                                            jim@nasby.net
EnterpriseDB      http://enterprisedb.com      512.569.9461 (cell)