Thread: Re: [CORE] SPF Record ...

Re: [CORE] SPF Record ...

From: "Dave Page"
Date:

> ------- Original Message -------
> From: "Marc G. Fournier" <scrappy@hub.org>
> To: Peter Eisentraut <peter_e@gmx.net>, pgsql-www@postgresql.org
> Sent: 18/11/06, 17:38:45
> Subject: Re: [pgsql-www] [CORE] SPF Record ...
>
> That is not true .. that is only true if we publish -all ... if we publish
> ?all, we are saying that anything coming from "a mx" are *definitely* from
> @postgresql.org, and that from other sources they *might* be ...

So what's the point then? People either ignore the SPF record, or refuse mail from the 'might be's'.

/D

Re: [CORE] SPF Record ...

From: "Dan Langille"
Date:

On 18 Nov 2006 at 18:12, Dave Page wrote:

>
>
> > ------- Original Message -------
> > From: "Marc G. Fournier" <scrappy@hub.org>
> > To: Peter Eisentraut <peter_e@gmx.net>, pgsql-www@postgresql.org
> > Sent: 18/11/06, 17:38:45
> > Subject: Re: [pgsql-www] [CORE] SPF Record ...
> >
> > That is not true .. that is only true if we publish -all ... if we publish
> > ?all, we are saying that anything coming from "a mx" are *definitely* from
> > @postgresql.org, and that from other sources they *might* be ...
>
> So what's the point then? People either ignore the SPF record, or
> refuse mail from the 'might be's'.

These are inaccurate conclusions.  SPF information helps to draw a
conclusion.  Consider it a points system.    Get so many points for a
might be, none for a definitely.  Get enough points, you're spam.
SPF is most wisely used in conjunction with other information to
reach a conclusion.

--
Dan Langille : Software Developer looking for work
my resume: http://www.freebsddiary.org/dan_langille.php
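
The `?all` versus `-all` distinction and the points system discussed in the message above, as an added example that is not part of the thread: a reduced SPF check (only the `a`, `mx` and `all` mechanisms) whose result feeds a score. The domain `example.org`, the DNS table, the point weights and the threshold are constructed assumptions; the thread gives no numbers.

```python
import ipaddress

# Constructed DNS data (documentation addresses) standing in for real lookups.
DNS = {
    "A": {"example.org": ["192.0.2.10"], "mail.example.org": ["192.0.2.25"]},
    "MX": {"example.org": ["mail.example.org"]},
}

# RFC 7208 qualifier -> result returned when the mechanism matches.
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Assumed weights for a scoring filter: none for a pass, some for a "might be".
SPF_POINTS = {"pass": 0.0, "neutral": 1.0, "softfail": 2.0, "fail": 5.0}
SPAM_THRESHOLD = 5.0  # assumed

def _hosts(mech, domain):
    """IPs that an `a` or `mx` mechanism authorizes for `domain`."""
    if mech == "a":
        return DNS["A"].get(domain, [])
    return [ip for mx in DNS["MX"].get(domain, []) for ip in DNS["A"].get(mx, [])]

def check_spf(record, domain, client_ip):
    """Evaluate terms left to right; the first matching mechanism decides."""
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    ip = str(ipaddress.ip_address(client_ip))  # validates and normalizes
    for term in terms[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIER else ("+", term)
        name, _, arg = mech.partition(":")
        if name == "all":
            matched = True
        elif name in ("a", "mx"):
            matched = ip in _hosts(name, arg or domain)
        else:
            return "permerror"  # mechanism outside this example's scope
        if matched:
            return QUALIFIER[qual]
    return "neutral"  # RFC 7208 default when nothing matches

def classify(record, domain, client_ip, other_points):
    """Add the SPF points to points from other (unspecified) checks."""
    result = check_spf(record, domain, client_ip)
    total = SPF_POINTS.get(result, 0.0) + other_points
    return result, total, total >= SPAM_THRESHOLD
```

With `?all`, a host outside `a mx` only tips a message over the threshold when other checks already contribute points; with `-all`, the same host reaches the threshold on the SPF result alone under these assumed weights.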



Re: [CORE] SPF Record ...

From: Peter Eisentraut
Date:

Dan Langille wrote:
> These are inaccurate conclusions.  SPF information helps to draw a
> conclusion.  Consider it a points system.    Get so many points for a
> might be, none for a definitely.  Get enough points, you're spam.
> SPF is most wisely used in conjunction with other information to
> reach a conclusion.

The whole thing is evil technology, as I have previously pointed out,
which is a reason to boycott it.  I regularly get my email blocked by
other community members because of it.

But the application you are describing here is equally stupid.  You are
saying that even though it is -- per SPF record -- OK to send
@postgresql.org via other hosts, you get penalized in your scoring
system for doing so.  So in spite of *no* indication that some email is
spam, you are (partially) rejecting it.  What sense does that make?

--
Peter Eisentraut
http://developer.postgresql.org/~petere/

Re: [CORE] SPF Record ...

From: Dave Page
Date:

Dan Langille wrote:
> On 18 Nov 2006 at 18:12, Dave Page wrote:
>
>>
>>> ------- Original Message -------
>>> From: "Marc G. Fournier" <scrappy@hub.org>
>>> To: Peter Eisentraut <peter_e@gmx.net>, pgsql-www@postgresql.org
>>> Sent: 18/11/06, 17:38:45
>>> Subject: Re: [pgsql-www] [CORE] SPF Record ...
>>>
>>> That is not true .. that is only true if we publish -all ... if we publish
>>> ?all, we are saying that anything coming from "a mx" are *definitely* from
>>> @postgresql.org, and that from other sources they *might* be ...
>> So what's the point then? People either ignore the SPF record, or
>> refuse mail from the 'might be's'.
>
> These are inaccurate conclusions.  SPF information helps to draw a
> conclusion.  Consider it a points system.    Get so many points for a
> might be, none for a definitely.  Get enough points, you're spam.
> SPF is most wisely used in conjunction with other information to
> reach a conclusion.

Yes, so the net result of not running ?all is that you don't block real
spam as a result of SPF any more than you block legitimate mail from one
of the 'allowed but not listed servers'.

Seems to me all that risks is increasing the spam score of legitimate
users who have real reasons for using different outgoing servers.

Regards, Dave.

Re: [CORE] SPF Record ...

From: Dave Page
Date:

Peter Eisentraut wrote:
> Dan Langille wrote:
>> These are inaccurate conclusions.  SPF information helps to draw a
>> conclusion.  Consider it a points system.    Get so many points for a
>> might be, none for a definitely.  Get enough points, you're spam.
>> SPF is most wisely used in conjunction with other information to
>> reach a conclusion.
>
> The whole thing is evil technology, as I have previously pointed out,
> which is a reason to boycott it.  I regularly get my email blocked by
> other community members because of it.
>
> But the application you are describing here is equally stupid.  You are
> saying that even though it is -- per SPF record -- OK to send
> @postgresql.org via other hosts, you get penalized in your scoring
> system for doing so.  So in spite of *no* indication that some email is
> spam, you are (partially) rejecting it.  What sense does that make?

Which is a far clearer way of saying what I just wrote in my current
pre-coffee state!!

+1

/D


Re: [CORE] SPF Record ...

From: Andrew Sullivan
Date:

On Sat, Nov 18, 2006 at 03:41:03PM -0500, Dan Langille wrote:
> These are inaccurate conclusions.  SPF information helps to draw a
> conclusion.  Consider it a points system.    Get so many points for a
> might be, none for a definitely.  Get enough points, you're spam.
> SPF is most wisely used in conjunction with other information to
> reach a conclusion.

A bad conclusion, poorly supported by evidence that is costing
everyone on the Internet.

The problem, in my view, with SPF is that it doesn't actually solve
the authentication problem, _plus_ the costs it imposes are borne by
_everyone other than_ the person whose behaviour SPF is supposed to
be trying to prevent.  Note that last bit: SPF is not free -- not
even if you aren't using SPF but happen to perform ANY queries (and
at least 2/5 of the Windows clients in the world do).  But none of
those costs are actually paid by the would-be spammer.

A

--
Andrew Sullivan  | ajs@crankycanuck.ca
Users never remark, "Wow, this software may be buggy and hard
to use, but at least there is a lot of code underneath."
        --Damien Katz