Обсуждение: SPF Record ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I'm thinking of adding one to DNS, but after reading up on it, I'm a bit concerned how this might affect some ... specifically, from reading on openspf.org, anyone that is doing email from their desktop, through their ISP, instead of using SMTP AUTH to the server itself, may be affected by this ... I'm not planning on adding SPF to Postfix itself, only to DNS, at this time, so it won't affect incoming, just outgoing ... Since those having @postgresql.org accounts shoudl be limited to these two lists, can anyone comment on a) is this a bad idea? and b) would they be affected because they don't use SMTP AUTH and c) why aren't you using SMTP AUTH? ... Thx ... - ---- Marc G. Fournier Hub.Org Networking Services (http://www.hub.org) Email . scrappy@hub.org MSN . scrappy@hub.org Yahoo . yscrappy Skype: hub.org ICQ . 7615664 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (FreeBSD) iD8DBQFFXVE64QvfyHIvDvMRAntYAJ9bYnHTqo+1/v0Y2kdG+tB0ZFIL3wCgqZ6k E2OesE87aAIEVfdsCLulQtk= =Twi9 -----END PGP SIGNATURE-----
Marc, > Since those having @postgresql.org accounts shoudl be limited to these two > lists, can anyone comment on a) is this a bad idea? and b) would they be > affected because they don't use SMTP AUTH and c) why aren't you using SMTP > AUTH? ... I send SMTP from literally dozens of different IP addresses through josh@postgreSQL.org due to having my laptop on wireless with me wherever I go. How will this work? Can you set an SPF record for AuthSMTP as well? http://www.authsmtp.com/faqs/faq-65.html -- Josh Berkus PostgreSQL @ Sun San Francisco
"Marc G. Fournier" <scrappy@postgresql.org> writes:
> I'm thinking of adding one to DNS, but after reading up on it, I'm a bit
> concerned how this might affect some ...
I'd recommend it. I've had one on sss.pgh.pa.us for a year or two now
and have seen no serious ill effects. I don't currently use SPF for
incoming filtering either, but it makes a good basis for disavowing
forgeries-in-my-name, of which there are all too many :-(
> Since those having @postgresql.org accounts shoudl be limited to these two
> lists, can anyone comment on a) is this a bad idea? and b) would they be
> affected because they don't use SMTP AUTH and c) why aren't you using SMTP
> AUTH? ...
Hmm. What it would mean is that anyone sending mail with a
"From: soandso@postgresql.org" line would have to be sure it went out
through the postgresql.org servers, else it might get bounced. The
question is, would anyone who has a legitimate claim to such a From:
address be inconvenienced to the point of vetoing this? If so why?
+1 on the idea, but am willing to listen to objections...
regards, tom lane
Marc, > > Since those having @postgresql.org accounts shoudl be limited to these > > two lists, can anyone comment on a) is this a bad idea? and b) would they > > be affected because they don't use SMTP AUTH and c) why aren't you using > > SMTP AUTH? ... > > I send SMTP from literally dozens of different IP addresses through > josh@postgreSQL.org due to having my laptop on wireless with me wherever I > go. How will this work? Or more to the point: I don't understand what SMTP AUTH is. Googling for a definition leaves me unenlightened. Can some one explain how it works? -- Josh Berkus PostgreSQL @ Sun San Francisco
Tom, > Not an issue, I think. The point here is that if you send an email that > claims to be "From: josh@postgreSQL.org", it'll have to actually go > through the postgresql.org servers, else SPF-aware recipients might > think it forged. If you are trying to send it *directly* to the > recipients you might have a problem, but that seems like a pretty crummy > mail setup for a wireless laptop anyway. Ah, ok, not an issue then. Except that Marc would need to set up an SPF rule for AuthSMTP, which I often have to use on the road. But that's easy enough. However, you should give me time to contact all of the Regional Contacts and warn them. ON SECOND THOUGHT, can we please *not* do this 2 weeks before a release? I'm just having horrible thoughts of all of the Regional Contacts being locked out of their e-mail ... perhaps we could do it in late December? -- Josh Berkus PostgreSQL @ Sun San Francisco
Josh Berkus <josh@agliodbs.com> writes:
> ON SECOND THOUGHT, can we please *not* do this 2 weeks before a release?
That's a fair point. Let's plan to do this late December, or January?
regards, tom lane
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - --On Thursday, November 16, 2006 22:15:07 -0800 Josh Berkus <josh@agliodbs.com> wrote: > Marc, > >> Since those having @postgresql.org accounts shoudl be limited to these two >> lists, can anyone comment on a) is this a bad idea? and b) would they be >> affected because they don't use SMTP AUTH and c) why aren't you using SMTP >> AUTH? ... > > I send SMTP from literally dozens of different IP addresses through > josh@postgreSQL.org due to having my laptop on wireless with me wherever I > go. How will this work? How are you sending it? I thought you had your SMTP Server settings set to mail.postgresql.org and were sending it through there ... no? > Can you set an SPF record for AuthSMTP as well? > http://www.authsmtp.com/faqs/faq-65.html I can add it ... but is anyone using it? And, if so ... why when you could do it for free now? - ---- Marc G. Fournier Hub.Org Networking Services (http://www.hub.org) Email . scrappy@hub.org MSN . scrappy@hub.org Yahoo . yscrappy Skype: hub.org ICQ . 7615664 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (FreeBSD) iD8DBQFFXWFr4QvfyHIvDvMRAs5FAKDdGw/IXJ9z3YVCtyy0xVJg66n46ACeIj4J LdwyRWW6/SsaGttUHWNaqqk= =JPXT -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - --On Thursday, November 16, 2006 22:21:45 -0800 Josh Berkus <josh@agliodbs.com> wrote: > Marc, > >> > Since those having @postgresql.org accounts shoudl be limited to these >> > two lists, can anyone comment on a) is this a bad idea? and b) would they >> > be affected because they don't use SMTP AUTH and c) why aren't you using >> > SMTP AUTH? ... >> >> I send SMTP from literally dozens of different IP addresses through >> josh@postgreSQL.org due to having my laptop on wireless with me wherever I >> go. How will this work? > > Or more to the point: I don't understand what SMTP AUTH is. Googling for a > definition leaves me unenlightened. Can some one explain how it works? All our mail servers (@hub.org) are closed relays ... you can't send email through them *unless* you use SMTP AUTH to authenticate yourself as being a legit user ... I don't know what mail reader you are using, and they call it differently on each, but when you setup your SMTP Server for josh@postgresql.org account settings, there should be a check box for 'SMTP AUTH' or 'Require Authentication for SMTP' or something like that ... Then, when you connect to mail.postgresql.org to *send* an email, the first thing it will do is use your josh@postgresql.org / passwd to authenticate you as a valid user to relay through the server and allow you to send ... - ---- Marc G. Fournier Hub.Org Networking Services (http://www.hub.org) Email . scrappy@hub.org MSN . scrappy@hub.org Yahoo . yscrappy Skype: hub.org ICQ . 7615664 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (FreeBSD) iD8DBQFFXWIa4QvfyHIvDvMRAt6qAKDWYsKmOk9j0qLJejz78ofVNVUNOgCeIsiJ jiUToMKjkSSiVJcX8bconWE= =SYJJ -----END PGP SIGNATURE-----
Marc, > > Can you set an SPF record for AuthSMTP as well? > > http://www.authsmtp.com/faqs/faq-65.html > > I can add it ... but is anyone using it? And, if so ... why when you could > do it for free now? I am. Because a lot of hotels and free wireless sites block port 25. -- Josh Berkus PostgreSQL @ Sun San Francisco
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --On Thursday, November 16, 2006 22:39:22 -0800 Josh Berkus
<josh@agliodbs.com>
wrote:
> However, you should give me time to contact all of the Regional Contacts and
> warn them.
>
> ON SECOND THOUGHT, can we please *not* do this 2 weeks before a release? I'm
> just having horrible thoughts of all of the Regional Contacts being locked
> out of their e-mail ... perhaps we could do it in late December?\
Not a problem ... I can also set it so that there are various levels of
'checks' ... for instance, all I'm using right now is ?all, which is a softfail
vs an absolute one ... apparently this lets the email through to something like
Spamassassin, who can then use it for scoring purposes (if I understand it
correctly) ...
neutral: The SPF record specifies explicitly that nothing can be said about
validity
softfail: The SPF record has designated the host as NOT being allowed to send
but
is in transition
fail: The SPF record has designated the host as NOT being allowed to send
Now, personally, I'm not 100% certain what use 'neutral' is, but, again, if I'm
reading things right ...
If I do something like:
a mx ?all
what it says is that all email that comes either from the IP of
mail.postgresql.org, or its listed MX servers will pass, no questions asked ...
?all will pass, but in such a way that something like spamassassin scores
differently then if it did come from 'a / mx' ...
As I said at the top though, I'm not in a big rush, just want to do it as it
should help, as Tom mentions, keep the spam down somewhat ...
- ----
Marc G. Fournier Hub.Org Networking Services (http://www.hub.org)
Email . scrappy@hub.org MSN . scrappy@hub.org
Yahoo . yscrappy Skype: hub.org ICQ . 7615664
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (FreeBSD)
iD8DBQFFXWQ74QvfyHIvDvMRAmTmAKDaigMCKxmMiBXVqYcmniN9sheDMACcCiK+
K0NahFV1SIQcv9TTo53mHyk=
=spsM
-----END PGP SIGNATURE-----
Hi Josh, On Thu, 2006-11-16 at 22:21 -0800, Josh Berkus wrote: > > I send SMTP from literally dozens of different IP addresses through > > josh@postgreSQL.org due to having my laptop on wireless with me > wherever I > > go. How will this work? > > Or more to the point: I don't understand what SMTP AUTH is. Googling > for a definition leaves me unenlightened. Can some one explain how it > works? http://en.wikipedia.org/wiki/SMTP-AUTH You login to the server via a valid user/pass; and it lets you relay through that server. It is useful it you are travelling and/or using different networks during the day. Cheers, -- The PostgreSQL Company - Command Prompt, Inc. 1.503.667.4564 PostgreSQL Replication, Consulting, Custom Development, 24x7 support Managed Services, Shared and Dedicated Hosting Co-Authors: plPHP, plPerlNG - http://www.commandprompt.com/
Вложения
Josh Berkus <josh@agliodbs.com> writes:
> I send SMTP from literally dozens of different IP addresses through
> josh@postgreSQL.org due to having my laptop on wireless with me wherever I
> go. How will this work?
Not an issue, I think. The point here is that if you send an email that
claims to be "From: josh@postgreSQL.org", it'll have to actually go
through the postgresql.org servers, else SPF-aware recipients might
think it forged. If you are trying to send it *directly* to the
recipients you might have a problem, but that seems like a pretty crummy
mail setup for a wireless laptop anyway.
regards, tom lane
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - --On Thursday, November 16, 2006 23:26:22 -0800 Josh Berkus <josh@agliodbs.com> wrote: > Marc, > >> > Can you set an SPF record for AuthSMTP as well? >> > http://www.authsmtp.com/faqs/faq-65.html >> >> I can add it ... but is anyone using it? And, if so ... why when you could >> do it for free now? > > I am. Because a lot of hotels and free wireless sites block port 25. Damn, I thought we had set that up for you awhile back ... port 26 on mail.postgresql.org will accept external smtp connections as well as port 25, to get around this ... we have a fair # of clients whose cable ISPs do the same thing :( # telnet mail.postgresql.org 26 Trying 200.46.204.71... Connected to mail.postgresql.org. Escape character is '^]'. 220 postgresql.org ESMTP Postfix Its there if you want to use it ... - ---- Marc G. Fournier Hub.Org Networking Services (http://www.hub.org) Email . scrappy@hub.org MSN . scrappy@hub.org Yahoo . yscrappy Skype: hub.org ICQ . 7615664 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (FreeBSD) iD8DBQFFXWXU4QvfyHIvDvMRAmS/AJ9NWowQzEUe7nGUiWx07VPOlEpvoACeJbdo y8VOUN/+VNrg+83gEj2JXuE= =ZMVR -----END PGP SIGNATURE-----
> >> > Can you set an SPF record for AuthSMTP as well? > >> > http://www.authsmtp.com/faqs/faq-65.html > >> > >> I can add it ... but is anyone using it? And, if so ... > why when you > >> could do it for free now? > > > > I am. Because a lot of hotels and free wireless sites > block port 25. > > Damn, I thought we had set that up for you awhile back ... > port 26 on mail.postgresql.org will accept external smtp > connections as well as port 25, to get around this ... we > have a fair # of clients whose cable ISPs do the same thing :( Just so you know, you're supposed to use port 587 (see http://www.ietf.org/rfc/rfc2476.txt) for SMTP submission, not 26... //Magnus
Marc, > Damn, I thought we had set that up for you awhile back ... port 26 on > mail.postgresql.org will accept external smtp connections as well as port > 25, to get around this ... we have a fair # of clients whose cable ISPs do > the same thing :( Yes, you tried, but the Mariott I was staying at blocked 26 as well. Anyway, AuthSMTP is paid for and is reasonably secure. -- Josh Berkus PostgreSQL @ Sun San Francisco
Marc G. Fournier wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > a) is this a bad idea? Maybe - see below... > b) would they be affected because they don't use SMTP AUTH I use SMTP AUTH + TLS through my own server to avoid having plain text passwords on the wire, and because when I'm sending large emails (ie. pgAdmin test builds) it is a heck of a lot quicker than sending to a server on the other side of the planet which can often be slow at the times I send messages (ie. when you're doing backups). For similar reasons I don't IMAP directly to your servers - it's just too slow. I forward to mine and IMAPS to there. and c) why aren't you using SMTP > AUTH? ... See above. Please don't add SPF for postgresql.org - unless you're willing to add a record for developer.pgadmin.org as well. Regards, Dave.
Am Freitag, 17. November 2006 07:05 schrieb Marc G. Fournier: > I'm thinking of adding one to DNS, but after reading up on it, I'm a bit > concerned how this might affect some I urge you in the strongest possible terms not to do that. As someone who is professionally involved in that issue, I can tell you that SPF is both useless and dangerous. It doesn't stop any spam, but it breaks email protocols, annoys and restricts users for no gain. > Since those having @postgresql.org accounts shoudl be limited to these two > lists, can anyone comment on a) is this a bad idea? and b) would they be > affected because they don't use SMTP AUTH and c) why aren't you using SMTP > AUTH? ... The fallacy is that proponents of SPF believe that users are free to choose their SMTP server. Contrast that with the widely spread and generally welcome (among ISPs and government) practice of blocking outgoing TCP port 25 to address the spam-via-zombies problem (compared against SPF, this practice at least works), you are then left with a situation in which some users cannot send any email at all anymore because their ISP wants email to go this way and the domain administrator wants it to go that way. Ultimately, both of these measures seriously restrict the redundancy feature of the internet (what if your mail server is broken?) and impact the privacy and self-determination of users (what if I don't want ISP 1 or ISP 2 to count my email?). But again, SPF doesn't stop any junk mail, so it's useless anyway. -- Peter Eisentraut http://developer.postgresql.org/~petere/
> > Since those having @postgresql.org accounts shoudl be > limited to these > > two lists, can anyone comment on a) is this a bad idea? and > b) would > > they be affected because they don't use SMTP AUTH and c) why aren't > > you using SMTP AUTH? ... > > The fallacy is that proponents of SPF believe that users are > free to choose their SMTP server. Contrast that with the > widely spread and generally welcome (among ISPs and > government) practice of blocking outgoing TCP port 25 to > address the spam-via-zombies problem (compared against SPF, > this practice at least works), you are then left with a > situation in which some users cannot send any email at all > anymore because their ISP wants email to go this way and the > domain administrator wants it to go that way. Ultimately, > both of these measures seriously restrict the redundancy > feature of the internet (what if your mail server is broken?) > and impact the privacy and self-determination of users (what > if I don't want ISP 1 or ISP 2 to count my email?). > > But again, SPF doesn't stop any junk mail, so it's useless anyway. That's a bit harsh, really. There are a lot of environments where publishing SPF records are *not* harmful, and are *not* restricting the user. For example, any organisation that doesn't use SMTP for mail submission. I have 18,000 users that only everb submit email using RPC or http. We also permit SMTP with authentication over TLS on 587 for those few (I think there are 4 or 5 people out of the 18,000) that use IMAP/s. Publishing SPF records for this organisation was a big win, and it has noticably cut down the spam complaints we've received when spammers have forged from addresses from our domains. Another good example if this is any of the big webmail services. Hotmail users, for example, don't get to do SMTP, so why should you accept a message from a hotmail user that hasn't been verified as a hotmail user? As for redundancy - if you have only one mailserver, then yes, it will limit you. But really, does *anybody* have just one mailserver these days? And naturally a backup relayer that runs on a different ISP. That said, I'm not asying that it's right for postgresql.org, given that it has the type of usage pattern that it does with a lot of "organizationally unrelated" users that all use SMTP for submission. Use the right tool for the job, as always... //Magnus
Am Freitag, 17. November 2006 10:34 schrieb Magnus Hagander: > Publishing SPF records for this organisation was a big win, and > it has noticably cut down the spam complaints we've received when > spammers have forged from addresses from our domains. This is really the only thing that SPF accomplishes: It cuts down on a particular domain/ISP being used for fake email addresses in spam. But a spammer can programmatically pick some other domain that does not publish SPF records. But note that SPF evaluates the *envelope* of the email, so this does not really help the trustworthyness of the sender addresses perceived by the user, and so it doesn't help phishing either. So in the end, SPF achieves merely a convenience for the postmaster of the ISP while providing at best equal but usually worse service for the users. > Another good example if this is any of the big webmail services. Hotmail > users, for example, don't get to do SMTP, so why should you accept a > message from a hotmail user that hasn't been verified as a hotmail user? SPF checks the envelope sender address. That is the address where to send replies and bounces. Certainly Hotmail accepts replies and bounces via SMTP. So if some random mail server sends me mail with MAIL FROM: <blah@hotmail.com>, that is perfectly valid and has nothing to do with whether Hotmail users can submit new emails via SMTP or whether the message is spam or whatever. What you perhaps want is Sender ID or Domain Keys, which are technically more sound solutions, although they have some of the same problems. > As for redundancy - if you have only one mailserver, then yes, it will > limit you. But really, does *anybody* have just one mailserver these > days? Sure, if you have an ISP or company that only allows you to use theirs. -- Peter Eisentraut http://developer.postgresql.org/~petere/
On Fri, Nov 17, 2006 at 02:05:46AM -0400, Marc G. Fournier wrote:
> I'm thinking of adding one to DNS, but after reading up on it, I'm a bit
> concerned how this might affect some ... specifically, from reading on
Please don't. SPF is currently an experimental protocol. There are
significant reasons to suppose that it is a vector for serious denial
of service attacks.
A
--
Andrew Sullivan | ajs@crankycanuck.ca
In the future this spectacle of the middle classes shocking the avant-
garde will probably become the textbook definition of Postmodernism.
--Brad Holland
On Fri, Nov 17, 2006 at 01:15:35AM -0500, Tom Lane wrote:
>
> +1 on the idea, but am willing to listen to objections...
Well, the objection is basically that SPF records are possibly a
vector for large-scale DoS amplification attacks _on the receiving
client end_. So they don't affect you, but they cause a lot of
processing by someone else.
Doug Otis made a presentation about this at IETF67 just last week.
It's somewhat controversial -- the SPF supporters claim that the
attack is no worse than for any other DNS where one controls the
domain.
In any case, though, SPF records are considerably larger than
traditional DNS responses, which means much of the time everyone is
failing back to TCP. Since a number of non-clueful DNS operators
think you can block TCP on port 53, it's also a potential way to
prevent communication.
A
--
Andrew Sullivan | ajs@crankycanuck.ca
The fact that technology doesn't work is no bar to success in the marketplace.
--Philip Greenspun
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - --On Friday, November 17, 2006 09:00:52 +0100 Magnus Hagander <mha@sollentuna.net> wrote: > Just so you know, you're supposed to use port 587 (see > http://www.ietf.org/rfc/rfc2476.txt) for SMTP submission, not 26... Didn't even know there *was* an RFC for that ... but, if there is, wouldn't it be logical that most ISPs wuld block that *as well as* 25? I've made the change though ... - ---- Marc G. Fournier Hub.Org Networking Services (http://www.hub.org) Email . scrappy@hub.org MSN . scrappy@hub.org Yahoo . yscrappy Skype: hub.org ICQ . 7615664 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (FreeBSD) iD8DBQFFXbMi4QvfyHIvDvMRAufHAJ0avaoD9wtohRw1WlAphc4cs/Q+OgCg5PRu 7kKn+xNo53i9+qjJXCuZZ3c= =P4HL -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - --On Friday, November 17, 2006 08:21:07 +0000 Dave Page <dpage@postgresql.org> wrote: > Please don't add SPF for postgresql.org - unless you're willing to add a > record for developer.pgadmin.org as well. 'k, I wasn't planning on doing -all (strict fail), only ~all (softfail) ... so this shouldn't affect either authsmtp.com use, or yours, at least if I'm reading things right ... - ---- Marc G. Fournier Hub.Org Networking Services (http://www.hub.org) Email . scrappy@hub.org MSN . scrappy@hub.org Yahoo . yscrappy Skype: hub.org ICQ . 7615664 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (FreeBSD) iD8DBQFFXbQm4QvfyHIvDvMRAt5qAKCRHs/gXLe/IgUlMJhlA2Vt1UKrZACgufF4 hBNdSarebBFr5/l68JWAh7U= =HAm6 -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - --On Friday, November 17, 2006 10:34:19 +0100 Magnus Hagander <mha@sollentuna.net> wrote: > That's a bit harsh, really. There are a lot of environments where > publishing SPF records are *not* harmful, and are *not* restricting the > user. For example, any organisation that doesn't use SMTP for mail > submission. I have 18,000 users that only everb submit email using RPC > or http. We also permit SMTP with authentication over TLS on 587 for > those few (I think there are 4 or 5 people out of the 18,000) that use > IMAP/s. Publishing SPF records for this organisation was a big win, and > it has noticably cut down the spam complaints we've received when > spammers have forged from addresses from our domains. The above was what I was thinking also ... where there is easy and absolute control over the domain in question (ie. all *legit* @hub.org email will go through one of two servers ... I have my postfix setup on my desktop setup so that it relays *thru* the primary one, and its a very restricted list of email users involed), then adding an SPF doesn't hurt ... > That said, I'm not asying that it's right for postgresql.org, given that > it has the type of usage pattern that it does with a lot of > "organizationally unrelated" users that all use SMTP for submission. Use > the right tool for the job, as always... As I answered Dave, I'm quickly starting to think that postgresql.org might be fairly difficult ... but, even then, spf allows for 'exceptions' (ie. authsmtp.com, developer.pgadmin.org, etc) ... so for the very few actual mailboxes involved, it shouldn't be too difficult to do either ... - ---- Marc G. Fournier Hub.Org Networking Services (http://www.hub.org) Email . scrappy@hub.org MSN . scrappy@hub.org Yahoo . yscrappy Skype: hub.org ICQ . 7615664 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (FreeBSD) iD8DBQFFXbY54QvfyHIvDvMRAl2xAJsHRyWFxA1vNa11na6FIh6AFXIKeQCeLCXd IkwnwsXLqzbv16fcwLkIBxI= =+yvm -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - --On Friday, November 17, 2006 11:36:12 +0100 Peter Eisentraut <peter_e@gmx.net> wrote: > Am Freitag, 17. November 2006 10:34 schrieb Magnus Hagander: >> Publishing SPF records for this organisation was a big win, and >> it has noticably cut down the spam complaints we've received when >> spammers have forged from addresses from our domains. > > This is really the only thing that SPF accomplishes: It cuts down on a > particular domain/ISP being used for fake email addresses in spam. But a > spammer can programmatically pick some other domain that does not publish SPF > records. 'k, so the problem isn't SPF, but the fact that its not widely adopted and used ... so, let's *not* adopt it and increase its usage? > So in the end, SPF > achieves merely a convenience for the postmaster of the ISP while providing > at best equal but usually worse service for the users. Where you are losing me here is how this 'worse service' manifests itself ... I can understand some cases where this would be the case (a university campus where students send email while off campus), but for smaller organizations (and I'm sorry, but for the number of mailboxes under @postgresql.org, we are a small organization email wise), being able to impose some sort of policy (even with a small exceptions list), shouldn't cause a degredation in service ... > SPF checks the envelope sender address. That is the address where to send > replies and bounces. Certainly Hotmail accepts replies and bounces via SMTP. > So if some random mail server sends me mail with MAIL FROM: > <blah@hotmail.com>, that is perfectly valid and has nothing to do with > whether Hotmail users can submit new emails via SMTP or whether the message > is spam or whatever. You lost me on this one (or I mis-read Magnus' email) ... but, you can't use IMAP/POP3 to read hotmail, only their webmail interface ... so, the only way to send an email out as an @hotmail.com address *legitimately* would be *thrrough* their servers ... or did I miss something in either of your or Magnus's comments about hotmail ... ? - ---- Marc G. Fournier Hub.Org Networking Services (http://www.hub.org) Email . scrappy@hub.org MSN . scrappy@hub.org Yahoo . yscrappy Skype: hub.org ICQ . 7615664 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (FreeBSD) iD8DBQFFXbgF4QvfyHIvDvMRAlnZAKCRVfeqNaU4t4107TXUYkI2bO8aFgCgjDM6 eVcZ7+lvf6BDkjOFjsqJRgQ= =9c/n -----END PGP SIGNATURE-----
> Since those having @postgresql.org accounts shoudl be limited to these two > lists, can anyone comment on a) is this a bad idea? and b) would they be > affected because they don't use SMTP AUTH and c) why aren't you using SMTP > AUTH? ... > > Are you saying that you don't *require* smtp auth? What about TLS? IMHO you should be requiring SMTP+TLS for all servers and users relaying through any @postgresql.org server. Sincerely, Joshua D. Drake > Thx ... > >
Peter Eisentraut wrote: > Am Freitag, 17. November 2006 07:05 schrieb Marc G. Fournier: > >> I'm thinking of adding one to DNS, but after reading up on it, I'm a bit >> concerned how this might affect some >> > > I urge you in the strongest possible terms not to do that. As someone who is > professionally involved in that issue, I can tell you that SPF is both > useless and dangerous. It doesn't stop any spam, but it breaks email > protocols, annoys and restricts users for no gain. > IMHO, follow KISS. There is no reason to complicate the environment for the purpose of complicating the environment. My question would be, what is it that you feel SPF may do for postgresql.org? Can that same thing be accomplished with other technology? Sincerely, Joshua D. Drake
Marc G. Fournier wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > - --On Friday, November 17, 2006 08:21:07 +0000 Dave Page <dpage@postgresql.org> > wrote: > >> Please don't add SPF for postgresql.org - unless you're willing to add a >> record for developer.pgadmin.org as well. > > 'k, I wasn't planning on doing -all (strict fail), only ~all (softfail) ... so > this shouldn't affect either authsmtp.com use, or yours, at least if I'm > reading things right ... What's the point if it doesn't prevent mail from any servers other than the authorised ones? Regards, Dave.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - --On Friday, November 17, 2006 05:35:26 -0800 "Joshua D. Drake" <jd@commandprompt.com> wrote: > >> Since those having @postgresql.org accounts shoudl be limited to these two >> lists, can anyone comment on a) is this a bad idea? and b) would they be >> affected because they don't use SMTP AUTH and c) why aren't you using SMTP >> AUTH? ... >> >> > Are you saying that you don't *require* smtp auth? We require SMTP AUTH for anyone wishing to relay through any of our servers, yes ... we don't run open relays *shiver* My question above was directed towards ppl like JoshB, whom I know are on the road and sending email, as to whether they are doing SMTP AUTH against mail.postgresql.org, or using some other means ... - ---- Marc G. Fournier Hub.Org Networking Services (http://www.hub.org) Email . scrappy@hub.org MSN . scrappy@hub.org Yahoo . yscrappy Skype: hub.org ICQ . 7615664 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (FreeBSD) iD8DBQFFXb7I4QvfyHIvDvMRAvljAJ93fEGBUN3XmNBCzWDC+2wL9PgGNACeKnqX annXVuu33RZFHG6l/lDXhkA= =m82Q -----END PGP SIGNATURE-----
Am Freitag, 17. November 2006 14:24 schrieb Marc G. Fournier: > 'k, so the problem isn't SPF, but the fact that its not widely adopted and > used ... so, let's *not* adopt it and increase its usage? The problem is that the collateral damage imposed by SPF by far outweighs the benefits, so informed people don't use it. In addition, the benefits are solely on the provider side and the damage is mostly on the user side, so as a matter of providing quality service, sensible ISPs wouldn't use it. > Where you are losing me here is how this 'worse service' manifests itself > ... I can understand some cases where this would be the case (a university > campus where students send email while off campus), but for smaller > organizations (and I'm sorry, but for the number of mailboxes under > @postgresql.org, we are a small organization email wise), being able to > impose some sort of policy (even with a small exceptions list), shouldn't > cause a degredation in service ... Certainly you can doctor up endless exceptions, if you are prepared to speedily integrate the evolving list of mail servers that I choose to use. But I don't see why such complications would be necessary. SPF doesn't solve any problems that I can recognize, or for that matter that you have defined here. In more broader terms, this is a matter of principle. There are already too many supposedly good ideas around that disturb email traffic and Internet privacy. I don't see why you want to be on the forefront of making things worse. > You lost me on this one (or I mis-read Magnus' email) ... but, you can't > use IMAP/POP3 to read hotmail, only their webmail interface ... so, the > only way to send an email out as an @hotmail.com address *legitimately* > would be *thrrough* their servers That is only true for some new definition of "legitimate" which I'm interested to learn. -- Peter Eisentraut http://developer.postgresql.org/~petere/
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --On Friday, November 17, 2006 13:50:04 +0000 Dave Page <dpage@postgresql.org>
wrote:
> Marc G. Fournier wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>>
>>
>> - --On Friday, November 17, 2006 08:21:07 +0000 Dave Page
>> <dpage@postgresql.org> wrote:
>>
>>> Please don't add SPF for postgresql.org - unless you're willing to add a
>>> record for developer.pgadmin.org as well.
>>
>> 'k, I wasn't planning on doing -all (strict fail), only ~all (softfail) ...
>> so this shouldn't affect either authsmtp.com use, or yours, at least if I'm
>> reading things right ...
>
> What's the point if it doesn't prevent mail from any servers other than the
> authorised ones?
To be honest ... that is actually one question that I was starting to wonder
... what we'd end up wanting to do would be something like:
v=spf1 a mx include:authsmtp.com include:developer.pgadmin.org -all
Once we were sure we had addressed all the various include:'s ... the ?all
would be an intermidiary step ...
What actually started all of this, as an fyi, is that apparently places like
hotmail are using SPFs (and lack of them) for filtering purposes ... so what
we'd be publishing, for instance, with the above, for some place like hotmail,
would be akin to:
trust everything coming from 200.46.204.71 + postgresql.org's MX records +
authsmtp.com + developer.pgadmin.org, but feel free to question everything
else
I believe that stuff like Spamassassin also makes use of it for similar
purposes ... if SPF shows that the sending server is questionable (?all), then
score it higher then if its considered a "Trusted source", as determined by the
domain owners ...
Its basically us advertising what hosts we acknowledge as being legit senders
of @postgresql.org email ... anything else is questionable and should be dealt
with accordingly ... if we go to -all, then we're saying that 'anythign else is
pure garbage' ...
Again, this is based on what I've read so far ...
- ----
Marc G. Fournier Hub.Org Networking Services (http://www.hub.org)
Email . scrappy@hub.org MSN . scrappy@hub.org
Yahoo . yscrappy Skype: hub.org ICQ . 7615664
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (FreeBSD)
iD8DBQFFXcGq4QvfyHIvDvMRAusUAJ4jWOjcpwdYONZ3+1ltK9seTeMx1QCg4PyN
o/MZW/PieFmqLOgPXORaT/Q=
=eYQN
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - --On Friday, November 17, 2006 15:03:00 +0100 Peter Eisentraut <peter_e@gmx.net> wrote: >> You lost me on this one (or I mis-read Magnus' email) ... but, you can't >> use IMAP/POP3 to read hotmail, only their webmail interface ... so, the >> only way to send an email out as an @hotmail.com address *legitimately* >> would be *thrrough* their servers > > That is only true for some new definition of "legitimate" which I'm > interested to learn. If the only way I can read @hotmail.com email is to login to hotmail.com's web interface, then for what legitimate reason would I setup my desktop mail reader to pretend I'm @hotmail.com? - ---- Marc G. Fournier Hub.Org Networking Services (http://www.hub.org) Email . scrappy@hub.org MSN . scrappy@hub.org Yahoo . yscrappy Skype: hub.org ICQ . 7615664 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (FreeBSD) iD8DBQFFXcJ+4QvfyHIvDvMRAi2zAKDanz9uM/qJM/qxIn7IwwwXiyMHAQCgx08a NHdHS85zZluly85Qk/jP+wA= =0NZP -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - --On Friday, November 17, 2006 15:03:00 +0100 Peter Eisentraut <peter_e@gmx.net> wrote: > Certainly you can doctor up endless exceptions, if you are prepared to > speedily integrate the evolving list of mail servers that I choose to use. Unless I've mis-read something, the above only applies if we went totally strict and used -all ... as long as we used ?all, you wouldn't be affected at all, since we'd be acknowledging that other hosts could send, but that we know that *our* registered IPs (a / mx) *do* send ... - ---- Marc G. Fournier Hub.Org Networking Services (http://www.hub.org) Email . scrappy@hub.org MSN . scrappy@hub.org Yahoo . yscrappy Skype: hub.org ICQ . 7615664 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (FreeBSD) iD8DBQFFXcM14QvfyHIvDvMRAjFDAJ9uIJuOSyo3sYuNp0xQ172DFZadugCeP6Y7 PWMv0TxKDQSf8OnY1tT4pNY= =VkAm -----END PGP SIGNATURE-----
On Fri, Nov 17, 2006 at 10:12:05AM -0400, Marc G. Fournier wrote:
> strict and used -all ... as long as we used ?all, you wouldn't be affected at
> all, since we'd be acknowledging that other hosts could send, but that we know
> that *our* registered IPs (a / mx) *do* send ...
IMO, that's the worst of all worlds. Effectively, since mail can
(according to what you register) legitmately come from elsewhere,
then there's no benefit to other users, because they have to accept
non-SPF mail anyway. All it tells people is that mail that came from
you, well, came from you. But if what you are trying to defend
against is someone hijacking your IP, then you need something other
than SPF. DNSSEC comes to mind.
A
--
Andrew Sullivan | ajs@crankycanuck.ca
I remember when computers were frustrating because they *did* exactly what
you told them to. That actually seems sort of quaint now.
--J.D. Baldwin
On Fri, Nov 17, 2006 at 09:03:29AM -0400, Marc G. Fournier wrote:
> Didn't even know there *was* an RFC for that ... but, if there is, wouldn't it
> be logical that most ISPs wuld block that *as well as* 25? I've made the
> change though ...
No. The whole point of that port is that it offers a different,
authenticated service. So it makes blocking port 25 "legitimate" (as
legitmate as such a solution ever is) because there's an
authenticated way to get there instead.
A
--
Andrew Sullivan | ajs@crankycanuck.ca
When my information changes, I alter my conclusions. What do you do sir?
--attr. John Maynard Keynes
On Fri, Nov 17, 2006 at 10:05:29AM -0400, Marc G. Fournier wrote:
>
> What actually started all of this, as an fyi, is that apparently places like
> hotmail are using SPFs (and lack of them) for filtering purposes ... so what
You should be aware that _part_ of the reason hotmail is doing SPF is
because our friends at MS are busily integrating Yet Another Way to
break the previously-working Internet in their systems. And as
usual, some bright young kids at MS went away, wrote some stuff up
as something they wanted to do, and more or less refused to listen to
people who'd seen lots of damage inflicted by previous, quick
standards efforts.
SPF is _extremely_ controversial among the RFC-writing crowd. The
surest way to hijack a meeting right now is to open an SPF (or its
cousin, DKIM -- someone famous in SMTP circles said to me in San
Diego that the best thing he could think to say about DKIM was that
it wasn't SPF) discussion.
A
--
Andrew Sullivan | ajs@crankycanuck.ca
A certain description of men are for getting out of debt, yet are
against all taxes for raising money to pay it off.
--Alexander Hamilton
Am Freitag, 17. November 2006 15:12 schrieb Marc G. Fournier: > Unless I've mis-read something, the above only applies if we went totally > strict and used -all ... as long as we used ?all, you wouldn't be affected > at all, since we'd be acknowledging that other hosts could send, but that > we know that *our* registered IPs (a / mx) *do* send ... Well, sure, but then this whole construction is zero purpose. -- Peter Eisentraut http://developer.postgresql.org/~petere/
Am Freitag, 17. November 2006 15:09 schrieb Marc G. Fournier: > If the only way I can read @hotmail.com email is to login to hotmail.com's > web interface, then for what legitimate reason would I setup my desktop > mail reader to pretend I'm @hotmail.com? The fact that you are sending email from, say, your desktop with an envelope sender address of <something@hotmail.com> doesn't mean that "you are @hotmail.com". It means that replies should go to that address. There is nothing wrong with that construction. (Of course, the real-life use might be limited, but with postgresql.org or for that matter mostly everyone besides hotmail.com, there certainly are varied ways to read email, so that argument is moot for our purposes anyway.) -- Peter Eisentraut http://developer.postgresql.org/~petere/
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - --On Friday, November 17, 2006 07:00:23 -0500 Andrew Sullivan <ajs@crankycanuck.ca> wrote: > On Fri, Nov 17, 2006 at 02:05:46AM -0400, Marc G. Fournier wrote: >> I'm thinking of adding one to DNS, but after reading up on it, I'm a bit >> concerned how this might affect some ... specifically, from reading on > > Please don't. SPF is currently an experimental protocol. There are > significant reasons to suppose that it is a vector for serious denial > of service attacks. Please elaborate on this one and/or provide some sort of links to read up on it through ... I haven't been able to find anything negative online yet about it :( - ---- Marc G. Fournier Hub.Org Networking Services (http://www.hub.org) Email . scrappy@hub.org MSN . scrappy@hub.org Yahoo . yscrappy Skype: hub.org ICQ . 7615664 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (FreeBSD) iD8DBQFFXmFo4QvfyHIvDvMRAuy7AKCm1vf3RQrv3SuPedxwIeHqxqKFoQCbBFHx EEEBVs3FEMPVS5UhM9bRG5w= =M+N0 -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - --On Friday, November 17, 2006 07:05:24 -0500 Andrew Sullivan <ajs@crankycanuck.ca> wrote: > On Fri, Nov 17, 2006 at 01:15:35AM -0500, Tom Lane wrote: >> >> +1 on the idea, but am willing to listen to objections... > > Well, the objection is basically that SPF records are possibly a > vector for large-scale DoS amplification attacks _on the receiving > client end_. So they don't affect you, but they cause a lot of > processing by someone else. But isn't that only if the receiving end has implemented an SPF policy? SPF records aren't even checked if postfix (or the other MTAs) are configured to check for it ... no? > In any case, though, SPF records are considerably larger than > traditional DNS responses, which means much of the time everyone is > failing back to TCP. Since a number of non-clueful DNS operators > think you can block TCP on port 53, it's also a potential way to > prevent communication. 'lack of a clue' seems to be a bad reason to not use SPF, no? And, please note that I wasn't suggesting *we* check SPF, only that we provide an SPF record in our DNS for those that do check it ... - ---- Marc G. Fournier Hub.Org Networking Services (http://www.hub.org) Email . scrappy@hub.org MSN . scrappy@hub.org Yahoo . yscrappy Skype: hub.org ICQ . 7615664 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (FreeBSD) iD8DBQFFXmMA4QvfyHIvDvMRAnBsAKCGb7g9Gty2ykzHv7+hvrhFRb1MegCgq8Mg pB5mpSjT3LLNhDJBzZaOON4= =SLkK -----END PGP SIGNATURE-----
On 17 Nov 2006 at 21:33, Marc G. Fournier wrote: > > > --On Friday, November 17, 2006 07:05:24 -0500 Andrew Sullivan > <ajs@crankycanuck.ca> wrote: > > > On Fri, Nov 17, 2006 at 01:15:35AM -0500, Tom Lane wrote: > >> > >> +1 on the idea, but am willing to listen to objections... > > > > Well, the objection is basically that SPF records are possibly a > > vector for large-scale DoS amplification attacks _on the receiving > > client end_. So they don't affect you, but they cause a lot of > > processing by someone else. > > But isn't that only if the receiving end has implemented an SPF policy? SPF > records aren't even checked if postfix (or the other MTAs) are configured to > check for it ... no? Correct. > > In any case, though, SPF records are considerably larger than > > traditional DNS responses, which means much of the time everyone is > > failing back to TCP. Since a number of non-clueful DNS operators > > think you can block TCP on port 53, it's also a potential way to > > prevent communication. > > 'lack of a clue' seems to be a bad reason to not use SPF, no? And, please note > that I wasn't suggesting *we* check SPF, only that we provide an SPF record in > our DNS for those that do check it ... Noted. That is what was proposed. -- Dan Langille : Software Developer looking for work my resume: http://www.freebsddiary.org/dan_langille.php
Marc G. Fournier wrote: > please note that I wasn't suggesting *we* check SPF, only that we > provide an SPF record in our DNS for those that do check it ... By publishing an SPF record you are saying that all mail using @postgresql.org domains must go over a particular mail server, but you haven't offered any reason so far why that would have to be so. -- Peter Eisentraut http://developer.postgresql.org/~petere/
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - --On Saturday, November 18, 2006 18:12:22 +0100 Peter Eisentraut <peter_e@gmx.net> wrote: > Marc G. Fournier wrote: >> please note that I wasn't suggesting *we* check SPF, only that we >> provide an SPF record in our DNS for those that do check it ... > > By publishing an SPF record you are saying that all mail using > @postgresql.org domains must go over a particular mail server That is not true .. that is only true if we publish -all ... if we publish ?all, we are saying that anything coming from "a mx" are *definitely* from @postgresql.org, and that from other sources they *might* be ... with ?all, it becomes more a means of Scoring for spam filters like Spamassassin then anything else ... - ---- Marc G. Fournier Hub.Org Networking Services (http://www.hub.org) Email . scrappy@hub.org MSN . scrappy@hub.org Yahoo . yscrappy Skype: hub.org ICQ . 7615664 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (FreeBSD) iD8DBQFFX0Um4QvfyHIvDvMRAu4qAJ9IQMy0A2+oXoXTpNUTSr2scJyU4gCeOPTg AxOt9jLUuw6OAWP4xpxkFys= =cS6G -----END PGP SIGNATURE-----
Hello,
My question is:
What problem are we trying to solve by using SPF?
Sincerely,
Joshua D. Drake
--
=== The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
Providing the most comprehensive PostgreSQL solutions since 1997
http://www.commandprompt.com/
Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate
On 18 Nov 2006 at 11:29, Joshua D. Drake wrote: > Hello, > > My question is: > > What problem are we trying to solve by using SPF? And SPF record is not for us. It is for others. An SPF record tells other people where our email is [most likely] to be coming from. It helps them to design spam detection techniques. When combined with other information, it helps them to draw a conclusion as to whether or not a given email is spam. -- Dan Langille : Software Developer looking for work my resume: http://www.freebsddiary.org/dan_langille.php
On Sat, 2006-11-18 at 15:44 -0500, Dan Langille wrote:
> On 18 Nov 2006 at 11:29, Joshua D. Drake wrote:
>
> > Hello,
> >
> > My question is:
> >
> > What problem are we trying to solve by using SPF?
>
> And SPF record is not for us. It is for others.
>
> An SPF record tells other people where our email is [most likely] to
> be coming from. It helps them to design spam detection techniques.
> When combined with other information, it helps them to draw a
> conclusion as to whether or not a given email is spam.
O.k. and is OpenSPF the definitive source for information on it?
Honestly, the whole thing sounds pretty pointless at least at this
juncture. I am not bashing the technology but I don't really see a
reason for it.
Sincerely,
Joshua D. Drake
--
=== The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
Providing the most comprehensive PostgreSQL solutions since 1997
http://www.commandprompt.com/
Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate
On 18 Nov 2006 at 12:52, Joshua D. Drake wrote: > On Sat, 2006-11-18 at 15:44 -0500, Dan Langille wrote: > > On 18 Nov 2006 at 11:29, Joshua D. Drake wrote: > > > > > Hello, > > > > > > My question is: > > > > > > What problem are we trying to solve by using SPF? > > > > And SPF record is not for us. It is for others. > > > > An SPF record tells other people where our email is [most likely] to > > be coming from. It helps them to design spam detection techniques. > > When combined with other information, it helps them to draw a > > conclusion as to whether or not a given email is spam. > > O.k. and is OpenSPF the definitive source for information on it? I do not know who is the definite source. > Honestly, the whole thing sounds pretty pointless at least at this > juncture. I am not bashing the technology but I don't really see a > reason for it. Good! Then you'd agree, there's no harm in publishing our SPF records vis DNS and letting others use it. -- Dan Langille : Software Developer looking for work my resume: http://www.freebsddiary.org/dan_langille.php
> > O.k. and is OpenSPF the definitive source for information on it?
>
> I do not know who is the definite source.
>
> > Honestly, the whole thing sounds pretty pointless at least at this
> > juncture. I am not bashing the technology but I don't really see a
> > reason for it.
>
> Good! Then you'd agree, there's no harm in publishing our SPF
> records vis DNS and letting others use it.
My only argument would be *if* there is additional administrative
overhead. If not.. I a really don't care :). If Marc wants to use it,
have at it.
Sincerely,
Joshua D. Drake
>
--
=== The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
Providing the most comprehensive PostgreSQL solutions since 1997
http://www.commandprompt.com/
Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate
All, Just as a reminder, please let's not do *anything* to the mail servers until at least ten days after the 8.2 release. Thanks. -- Josh Berkus PostgreSQL @ Sun San Francisco
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - --On Saturday, November 18, 2006 13:19:43 -0800 Josh Berkus <josh@agliodbs.com> wrote: > All, > > Just as a reminder, please let's not do *anything* to the mail servers until > at least ten days after the 8.2 release. Thanks. I believe the thought was to wait until the start of January (unless, of course, 8.2 somehow gets pushed back that far) ... which should be a bit more then 10 days after the release ... - ---- Marc G. Fournier Hub.Org Networking Services (http://www.hub.org) Email . scrappy@hub.org MSN . scrappy@hub.org Yahoo . yscrappy Skype: hub.org ICQ . 7615664 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (FreeBSD) iD8DBQFFX3oi4QvfyHIvDvMRAtMSAKDpAhLz1c0F6u5erITqB30k1VviQwCfa/Vp jwyU90XdmxbEw4Urbxt7ueE= =1ilr -----END PGP SIGNATURE-----
On 18 Nov 2006 at 13:09, Joshua D. Drake wrote: > > > > O.k. and is OpenSPF the definitive source for information on it? > > > > I do not know who is the definite source. > > > > > Honestly, the whole thing sounds pretty pointless at least at this > > > juncture. I am not bashing the technology but I don't really see a > > > reason for it. > > > > Good! Then you'd agree, there's no harm in publishing our SPF > > records vis DNS and letting others use it. > > My only argument would be *if* there is additional administrative > overhead. If not.. I a really don't care :). If Marc wants to use it, > have at it. It is a DNS record. It only requires updating if you substantially change your existing MX strategy. -- Dan Langille : Software Developer looking for work my resume: http://www.freebsddiary.org/dan_langille.php
Marc G. Fournier wrote: > That is not true .. that is only true if we publish -all ... if we > publish ?all, we are saying that anything coming from "a mx" are > *definitely* from @postgresql.org, and that from other sources they > *might* be ... with ?all, it becomes more a means of Scoring for spam > filters like Spamassassin then anything else ... You continue to operate under the assumption that SPF has something to do with spam. It doesn't. SPF enforces that email travels across approved hosts. Spammers who hijack dial-up PCs (currently the majority of junk mail) can also make their email travel across approved hosts. Spammers can also set up their own SPF records to fool your scoring system. Go to the SPF web site. It says: "SPF: A Sender Policy Framework to Prevent Email Forgery". That's what it does. It prevents that spammer A can claim that he is spammer B. And it doesn't even do that very well. -- Peter Eisentraut http://developer.postgresql.org/~petere/
On Sat, Nov 18, 2006 at 12:52:49PM -0800, Joshua D. Drake wrote:
> O.k. and is OpenSPF the definitive source for information on it?
No. The IETF is the definitive source for information on it, because
that's where the standard is actually published.
A
--
Andrew Sullivan | ajs@crankycanuck.ca
The whole tendency of modern prose is away from concreteness.
--George Orwell
On Sat, Nov 18, 2006 at 04:01:45PM -0500, Dan Langille wrote:
> > juncture. I am not bashing the technology but I don't really see a
> > reason for it.
>
> Good! Then you'd agree, there's no harm in publishing our SPF
> records vis DNS and letting others use it.
That is a _really bad_ argument. You cannot infer "do X" from "I
don't know whether X is harmful or not."
A
--
Andrew Sullivan | ajs@crankycanuck.ca
"The year's penultimate month" is not in truth a good way of saying
November.
--H.W. Fowler
On Fri, Nov 17, 2006 at 09:33:52PM -0400, Marc G. Fournier wrote:
> > client end_. So they don't affect you, but they cause a lot of
> > processing by someone else.
>
> But isn't that only if the receiving end has implemented an SPF policy? SPF
> records aren't even checked if postfix (or the other MTAs) are configured to
> check for it ... no?
That's the point. If Doug Otis is right, by _you implementing_ SPF,
you become the potential source for a large-multiple amplification
DoS attack, on someone who is checking SPF. If your response is,
"Well, they shouldn't check SPF then," my question is then, "So why
put the record in DNS?"
In any case, SPF is _experimental_. Experimental protocols are
released that way because there is significant suggestion in the
community that the protocol might actually be harmful to the
Internet.
> 'lack of a clue' seems to be a bad reason to not use SPF, no?
No. The DNS is a distributed database used by everyone on the
Internet, the users of which you don't even know and cannot be sure
you can learn about. If there is any place at all to be conservative
in what you send, it's the DNS.
A
--
Andrew Sullivan | ajs@crankycanuck.ca
If they don't do anything, we don't need their acronym.
--Josh Hamilton, on the US FEMA
On Sat, Nov 18, 2006 at 01:38:45PM -0400, Marc G. Fournier wrote:
> That is not true .. that is only true if we publish -all ... if we publish
> ?all, we are saying that anything coming from "a mx" are *definitely* from
> @postgresql.org, and that from other sources they *might* be ... with ?all, it
> becomes more a means of Scoring for spam filters like Spamassassin then
> anything else ...
You seem to have missed the part of the discussion where we pointed
out that that strategy provides _no benefit at all_ in SPF terms.
Anyone can still send mail with the postgresql.org domain on it,
which means that all the SPF machinery at the other end has to be
used (including all the additional load on the global DNS), for
exactly no guarantees.
A
--
Andrew Sullivan | ajs@crankycanuck.ca
Unfortunately reformatting the Internet is a little more painful
than reformatting your hard drive when it gets out of whack.
--Scott Morris
Marc G. Fournier wrote: > "SpamAssassin 3.0 supports SPF to detect and penalize header > forgery." I am painfully aware that SpamAssassin applies SPF. But that just shows that they are equally clueless because what they consider "header forgery" is another man's idea of privacy, freedom, and self-determination. -- Peter Eisentraut http://developer.postgresql.org/~petere/
On Sun, Nov 19, 2006 at 12:45:48PM -0400, Marc G. Fournier wrote:
> "SpamAssassin 3.0 supports SPF to detect and penalize header forgery."
If your main goal is to reduce spam, _point finale_, then SPF will
help. If your main goal is to reduce spam _while not causing
unwanted side-effects_, then spamassassin's approach above does not
meet the goal.
The problems with SPF are subtle, and by no means apparent at first
glance. SPF _looks_ like a good thing, if only everyone plays nice.
As a matter of fact, though, it causes damage to the global DNS, and
doesn't actually solve the problem it should given the way people
actually use email. Moreover, the "interim" measures that people
have put into the protocol for transition purposes turn out to make
it worse than useless: all the cost has to be paid, and none of the
putative benefit is delivered. Even DKIM is a better answer than
this (and I'm no fan).
Compare this to the way MySQL delivers the enum data type. "Causes
no damage. Just an extension," some say. But the actual effects in
the field are different: it causes sloppy, poorly generalised design,
and miseducates people about how SQL works. It shouldn't be used,
because there was already a good, more general way to do the same
thing under SQL. In my view, SPF is the same sort of damage, and
shouldn't be used.
A
--
Andrew Sullivan | ajs@crankycanuck.ca
This work was visionary and imaginative, and goes to show that visionary
and imaginative work need not end up well.
--Dennis Ritchie
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - --On Sunday, November 19, 2006 09:28:17 +0100 Peter Eisentraut <peter_e@gmx.net> wrote: > Marc G. Fournier wrote: >> That is not true .. that is only true if we publish -all ... if we >> publish ?all, we are saying that anything coming from "a mx" are >> *definitely* from @postgresql.org, and that from other sources they >> *might* be ... with ?all, it becomes more a means of Scoring for spam >> filters like Spamassassin then anything else ... > > You continue to operate under the assumption that SPF has something to > do with spam. It doesn't. Then obviously you are not as well-informed as you like to think you are: "SpamAssassin 3.0 supports SPF to detect and penalize header forgery." - ---- Marc G. Fournier Hub.Org Networking Services (http://www.hub.org) Email . scrappy@hub.org MSN . scrappy@hub.org Yahoo . yscrappy Skype: hub.org ICQ . 7615664 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (FreeBSD) iD8DBQFFYIo84QvfyHIvDvMRArlQAJ9rmKMYsjUuKDHvClKS85u47CB9RACfei9h 9eDBWdfJzVRYusa8nKHZy4g= =K/Rk -----END PGP SIGNATURE-----
> > > > You continue to operate under the assumption that SPF has something to > > do with spam. It doesn't. > > Then obviously you are not as well-informed as you like to think you are: > > "SpamAssassin 3.0 supports SPF to detect and penalize header forgery." Marc if your goal is to help eliminate spam or at least ease spam detection, why not focus on other spam products such as Dspam or Razor? Joshua D. Drake > > - ---- > Marc G. Fournier Hub.Org Networking Services (http://www.hub.org) > Email . scrappy@hub.org MSN . scrappy@hub.org > Yahoo . yscrappy Skype: hub.org ICQ . 7615664 > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.5 (FreeBSD) > > iD8DBQFFYIo84QvfyHIvDvMRArlQAJ9rmKMYsjUuKDHvClKS85u47CB9RACfei9h > 9eDBWdfJzVRYusa8nKHZy4g= > =K/Rk > -----END PGP SIGNATURE----- > > > ---------------------------(end of broadcast)--------------------------- > TIP 3: Have you checked our extensive FAQ? > > http://www.postgresql.org/docs/faq > -- === The PostgreSQL Company: Command Prompt, Inc. === Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240 Providing the most comprehensive PostgreSQL solutions since 1997 http://www.commandprompt.com/ Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - --On Sunday, November 19, 2006 11:17:33 -0800 "Joshua D. Drake" <jd@commandprompt.com> wrote: >> > >> > You continue to operate under the assumption that SPF has something to >> > do with spam. It doesn't. >> >> Then obviously you are not as well-informed as you like to think you are: >> >> "SpamAssassin 3.0 supports SPF to detect and penalize header forgery." > > Marc if your goal is to help eliminate spam or at least ease spam > detection, why not focus on other spam products such as Dspam or Razor? Actually, we use Spamassassin + Razor + Pyzor + Bayes + Spamcop right now, using Maia Mailguard as a front end ... I have 60k "unconfirmed spam" sitting in the database right now, most of which is scoring >20 ... I go through several hundred a week (the lowest scoring stuff) for all of the mailing lists, so that I'm adding to the Razor/Pyzor/Spamcop/Bayes database ... but that only keeps the mail from the lists, it doesn't keep them from the server(s) ... and I'm not just focusing on @postgresql.org email, but spam as a whole ... How many on this list do anything to contribute to Razory/Pyzor/Spamcop, but make use of Spamassassin? I know until I setup Maia here, that it was just way to much work to report each message individually ... The thing is, 'checking for spam as it comes in' doesn't get rid of, or reduce, the problem ... SPF might not be it either ... but, if (in a perfect world) every mail server forced something like SPF, so that ppl could only send email through a legit mail server (ie. commandprompt.com email through a commandprompt.com mail server, gmx.net mail through a gmx.net mail server, etc) ... would that not reduce the overall spam on the 'Net? I don't know the answer to this, nor do I truly believe anyone here on this list can say with certainty ... all my goal was with adding a simple SPF record was to try and further reduce the possibility of someone using @postgresql.org for spam purposes, as well as providing more information to spam filters as to whether or not email addressed that way should be concerned legit or not ... Until someone devises the 'perfect solution to spam', I would think that a series of 'less then perfect ones' would at least help combat it ... - ---- Marc G. Fournier Hub.Org Networking Services (http://www.hub.org) Email . scrappy@hub.org MSN . scrappy@hub.org Yahoo . yscrappy Skype: hub.org ICQ . 7615664 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (FreeBSD) iD8DBQFFYLCC4QvfyHIvDvMRAtO6AJwOLS1MuQXbEHnuYG1UVMw2Ye+NRgCgnA5A lRujfCHH7PTkTMING9xxbeA= =7G4i -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - --On Sunday, November 19, 2006 18:05:56 +0100 Peter Eisentraut <peter_e@gmx.net> wrote: > Marc G. Fournier wrote: >> "SpamAssassin 3.0 supports SPF to detect and penalize header >> forgery." > > I am painfully aware that SpamAssassin applies SPF. But that just shows > that they are equally clueless because what they consider "header > forgery" is another man's idea of privacy, freedom, and > self-determination. 'k, so if I start sending emails out as peter_e@gmx.net, you'd have no problems with that, sinc it could fall under my idea of 'privacy, freedom and self-determination'? It would affect you, since I know *I* won't be getting the angry messages back, or bounces, and for that reason alone, its generally used by spammers ... Show me an *ethical / legit* reason why I would want to send out email as someone else? I personally can think of absolutely none ... - ---- Marc G. Fournier Hub.Org Networking Services (http://www.hub.org) Email . scrappy@hub.org MSN . scrappy@hub.org Yahoo . yscrappy Skype: hub.org ICQ . 7615664 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (FreeBSD) iD8DBQFFYKvF4QvfyHIvDvMRApFjAJ9rRMornNz0NEHvhLVkpwfxdAag0gCgiYe/ +i/2s0Wz8+iK9pdkASRO4IY= =kxQ8 -----END PGP SIGNATURE-----
> How many on this list do anything to contribute to Razory/Pyzor/Spamcop, but
> make use of Spamassassin? I know until I setup Maia here, that it was just way
> to much work to report each message individually ...
Well to be honest, I only use greylisting and just delete any spam I get
throughout the day.
>
> The thing is, 'checking for spam as it comes in' doesn't get rid of, or reduce,
> the problem ... SPF might not be it either ... but, if (in a perfect world)
> every mail server forced something like SPF, so that ppl could only send email
> through a legit mail server (ie. commandprompt.com email through a
> commandprompt.com mail server, gmx.net mail through a gmx.net mail server, etc)
> ... would that not reduce the overall spam on the 'Net?
Sure but you do have at least one person that is highly qualified to
make his point known, that this is a bad idea (AndrewS).
>
> I don't know the answer to this, nor do I truly believe anyone here on this
> list can say with certainty ... all my goal was with adding a simple SPF record
> was to try and further reduce the possibility of someone using @postgresql.org
> for spam purposes, as well as providing more information to spam filters as to
> whether or not email addressed that way should be concerned legit or not ...
Fair enough but honestly, who cares...? Nobody I know uses SPF and thus
although a good natured, and ethically positive idea, it wouldn't make
much if any difference.
Sincerely,
Joshua D. Drake
--
=== The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
Providing the most comprehensive PostgreSQL solutions since 1997
http://www.commandprompt.com/
Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate
Marc G. Fournier wrote: > Until someone devises the 'perfect solution to spam', I would think that a > series of 'less then perfect ones' would at least help combat it ... And that's a perfectly fine idea, except when one of those partial solutions can have undesirable side effects. In the case of SPF we've heard of at least two so far: 1) When used without ?all, those scoring messages using SPF may end up blocking legitimate messages from non-listed servers. 2) SPF may be used as a mechanism for DNS attacks. Regards, Dave.
Marc G. Fournier wrote: > The thing is, 'checking for spam as it comes in' doesn't get rid of, > or reduce, the problem ... SPF might not be it either ... but, if (in > a perfect world) every mail server forced something like SPF, so that > ppl could only send email through a legit mail server (ie. > commandprompt.com email through a commandprompt.com mail server, > gmx.net mail through a gmx.net mail server, etc) ... would that not > reduce the overall spam on the 'Net? Not really, because of two reasons: 1) Spammers can just register their own domain and set up SPF records for that. 2) Most spam is sent through zombies, so it passes through the SPF system undetected. -- Peter Eisentraut http://developer.postgresql.org/~petere/
Marc G. Fournier wrote: > 'k, so if I start sending emails out as peter_e@gmx.net, you'd have > no problems with that, That is completely unrelated to the SPF issue. What you are describing is presumably one person impersonating another. But SPF only addresses the path that email takes. You can still pretend to be someone else. -- Peter Eisentraut http://developer.postgresql.org/~petere/
Dave Page wrote: > Marc G. Fournier wrote: > >> Until someone devises the 'perfect solution to spam', I would think >> that a series of 'less then perfect ones' would at least help combat >> it ... > > And that's a perfectly fine idea, except when one of those partial > solutions can have undesirable side effects. In the case of SPF we've > heard of at least two so far: > > 1) When used without ?all, those scoring messages using SPF may end > up blocking legitimate messages from non-listed servers. > > 2) SPF may be used as a mechanism for DNS attacks. > > Regards, Dave. Just to add some more to the debate: http://david.woodhou.se/why-not-spf.html http://www.circleid.com/posts/spf_loses_mindshare/ And others. I respect Suresh a LOT from the anti-spam community, and I've REMOVED my SPF records. I don't think we (PostgreSQL.org) should put an SPF record in place. -- Larry Rosenman http://www.lerctr.org/~ler Phone: +1 512-248-2683 E-Mail: ler@lerctr.org US Mail: 430 Valona Loop, Round Rock, TX 78681-3893
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - --On Sunday, November 19, 2006 21:53:31 +0100 Peter Eisentraut <peter_e@gmx.net> wrote: > Marc G. Fournier wrote: >> The thing is, 'checking for spam as it comes in' doesn't get rid of, >> or reduce, the problem ... SPF might not be it either ... but, if (in >> a perfect world) every mail server forced something like SPF, so that >> ppl could only send email through a legit mail server (ie. >> commandprompt.com email through a commandprompt.com mail server, >> gmx.net mail through a gmx.net mail server, etc) ... would that not >> reduce the overall spam on the 'Net? > > Not really, because of two reasons: > > 1) Spammers can just register their own domain and set up SPF records > for that. An easy way to block spam ... I'd actually *like* that one ... as would most blacklists out there ... > 2) Most spam is sent through zombies, so it passes through the SPF > system undetected. Please elaborate on this one ... - ---- Marc G. Fournier Hub.Org Networking Services (http://www.hub.org) Email . scrappy@hub.org MSN . scrappy@hub.org Yahoo . yscrappy Skype: hub.org ICQ . 7615664 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (FreeBSD) iD8DBQFFYQtq4QvfyHIvDvMRAl42AJ92LUeNHjvH8ryD1p2UQjQVBIE8BQCfUdLn 8G0LhuiP5nmn1tXsTI0Robo= =QTZK -----END PGP SIGNATURE-----
> > 2) Most spam is sent through zombies, so it passes through the SPF > > system undetected. > > Please elaborate on this one ... Basically most spam isn't sent via a forged header, but sent via a hijacked PC or other method. So the SPF wouldn't help. Sincerely, Joshua D. Drake > > - ---- > Marc G. Fournier Hub.Org Networking Services (http://www.hub.org) > Email . scrappy@hub.org MSN . scrappy@hub.org > Yahoo . yscrappy Skype: hub.org ICQ . 7615664 > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.5 (FreeBSD) > > iD8DBQFFYQtq4QvfyHIvDvMRAl42AJ92LUeNHjvH8ryD1p2UQjQVBIE8BQCfUdLn > 8G0LhuiP5nmn1tXsTI0Robo= > =QTZK > -----END PGP SIGNATURE----- > > > ---------------------------(end of broadcast)--------------------------- > TIP 3: Have you checked our extensive FAQ? > > http://www.postgresql.org/docs/faq > -- === The PostgreSQL Company: Command Prompt, Inc. === Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240 Providing the most comprehensive PostgreSQL solutions since 1997 http://www.commandprompt.com/ Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - --On Sunday, November 19, 2006 21:59:53 +0100 Peter Eisentraut <peter_e@gmx.net> wrote: > Marc G. Fournier wrote: >> 'k, so if I start sending emails out as peter_e@gmx.net, you'd have >> no problems with that, > > That is completely unrelated to the SPF issue. What you are describing > is presumably one person impersonating another. But SPF only addresses > the path that email takes. You can still pretend to be someone else. Huh?? If gmx.net had an SPF record that stated that only gmx.net and its MXs were authoritative sources of mail for their domain, and I send something through hub.org as peter_e@gmx.net, the receiving server, if it checks/honors SPF, would end up rejecting it as spam ... the only way it wouldn't is if I could relay *through* gmx.net (I'm assuming that I can't?) so that not only am I impersonating you, but I'm doing it in such a way that the SPF record verifies that it is legit ... - ---- Marc G. Fournier Hub.Org Networking Services (http://www.hub.org) Email . scrappy@hub.org MSN . scrappy@hub.org Yahoo . yscrappy Skype: hub.org ICQ . 7615664 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (FreeBSD) iD8DBQFFYQwK4QvfyHIvDvMRAtXtAJwJeI5eZWCDmL4wjiidVUxwKhcZ4wCdEhjt I9VLt90vSynY3OuTSjQefBQ= =u+x8 -----END PGP SIGNATURE-----
Marc G. Fournier wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > the only way it wouldn't is if I > could relay *through* gmx.net (I'm assuming that I can't?) so that not only am > I impersonating you, but I'm doing it in such a way that the SPF record > verifies that it is legit ... Which is another reason why it doesn't work well - a large percentage (perhaps the majority) of spam is sent through trojans running on poorly secured Windows boxes. If Peter were running such a machine, yes, you as an evil spammer could easily send spam as peter_e@gmx.net through mail.gmx.net. SPF just legitimsed that spam :-( Regards, Dave.
On Mon, Nov 20, 2006 at 08:28:07AM +0000, Dave Page wrote:
> (perhaps the majority) of spam is sent through trojans running on poorly
> secured Windows boxes.
Right. I didn't really want to get into this level of detail on
list, but here we go.
Note that they're not just "poorly secured". They're _default_
Windows boxes. That is, it is now nearly impossible to
download all the patches for a bog-standard WinXP installation before
the machine is compromised. Which means that merely by reinstalling
the operating system, many users are all but guaranteeing that
they'll be part of a botnet in no time. And since the solution to a
lot of Windows problems is "reinstall", you can see what happens.
The attackers, including spam operators, build networks of
_thousands_ of these things. You can have such a pre-built net for
your own use for next to no money, or build your own for very little
effort with downloadable tools floating around the Net. Every one of
those machines will be authenticated to its mail domain; and, if the
machine is sending spam, then that spam is authenticated as well as
any other mail from the domain is.
So, SPF protects somewhat against forged-header spam, at a high cost
to the rest of the Internet. But it doesn't actually protect against
the real current threats at all (the spambot drone armies).
A
--
Andrew Sullivan | ajs@crankycanuck.ca
When my information changes, I alter my conclusions. What do you do sir?
--attr. John Maynard Keynes
On Sun, Nov 19, 2006 at 09:56:58PM -0400, Marc G. Fournier wrote:
> > 1) Spammers can just register their own domain and set up SPF records
> > for that.
>
> An easy way to block spam ... I'd actually *like* that one ... as would most
> blacklists out there ...
You can't update your blacklist fast enough. When you register a
domain these days, it resolves on the Net inside 10 minutes. Better
still, if you're a registrar, if you delete the domain inside 5 days,
you _get your money back_. So you can set up as a registrar for
about $2500. You register domains, put in the SPF records, send your
spam, delete the domain, and your domain is gone before anyone's
blackhole list has even been touched. There _is_ a list of
"recently-registered domains" built by Rick Wesson, but its
resolution is only as good as one day (he can't get the data faster
than that).
A
--
Andrew Sullivan | ajs@crankycanuck.ca
A certain description of men are for getting out of debt, yet are
against all taxes for raising money to pay it off.
--Alexander Hamilton
> > (perhaps the majority) of spam is sent through trojans running on > > poorly secured Windows boxes. > > Right. I didn't really want to get into this level of detail > on list, but here we go. > > Note that they're not just "poorly secured". They're > _default_ Windows boxes. That is, it is now nearly > impossible to download all the patches for a bog-standard > WinXP installation before the machine is compromised. Which > means that merely by reinstalling the operating system, many > users are all but guaranteeing that they'll be part of a > botnet in no time. And since the solution to a lot of > Windows problems is "reinstall", you can see what happens. A standalone firewall-box-thingy for your broadband is only like $15 or so today. Let's lobby the lawmakers to make it mandatory to ship one of those if you ship a box with windows on it to a customer :-) Or at least ship the recovery CDs with SP2 preinstalled (which has a firewall that's definitlyi enough to deal with *that* threat pre-installed). But. That's not really what this thread is about. I thought it was reasonably well established that even *IF* SPF worked the way it's supposed to (I'm not getting into that discussion, this is clearly the wrong forum for that), it's not appropriate for the postgresql.org domain specifically because we have several users relaying through a whole set of different MXes. > The attackers, including spam operators, build networks of > _thousands_ of these things. You can have such a pre-built > net for your own use for next to no money, or build your own > for very little effort with downloadable tools floating > around the Net. Every one of those machines will be > authenticated to its mail domain; and, if the machine is > sending spam, then that spam is authenticated as well as any > other mail from the domain is. Hey, maybe we can set up a version of PostgreSQL that can run distributed across one of these zombie nets? Talk about processing power for your queries. Maybe I should speak to the bizgres guys about that. //Magnus
Marc G. Fournier wrote: > Huh?? If gmx.net had an SPF record that stated that only gmx.net and > its MXs were authoritative sources of mail for their domain, and I > send something through hub.org as peter_e@gmx.net, the receiving > server, if it checks/honors SPF, would end up rejecting it as spam What does that have to do with anything? If _you_ send email as peter_e@gmx.net through any host, you are impersonanting. If I am sending any @gmx.net mail through any host other than the one designated by gmx.net I am running afoul of SPF, but I am not impersonating. Those are two completely different things. This is basically the difference between what return address you write on a letter and what postal service you use. You are presumably a user of a Canadian return address (your "domain"). If the "domain owner" (the government?) published an "SPF" record declaring that all Canada mail must be routed through some carrier or post office, then those implementing "SPF" on the other end might be inclined to reject all Canada mail coming through another carrier or post office. But you might ask yourself what business the "domain owner" has to say which way you send your mail, and note that you can still randomly forge your return address. -- Peter Eisentraut http://developer.postgresql.org/~petere/
Marc G. Fournier wrote: > > 1) Spammers can just register their own domain and set up SPF > > records for that. > > An easy way to block spam ... I'd actually *like* that one ... as > would most blacklists out there ... Blacklisting problems aside, if you know who is spamming you can already blacklist them today. You don't have to wait for SPF to appear. -- Peter Eisentraut http://developer.postgresql.org/~petere/
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - --On Sunday, November 19, 2006 15:33:08 -0600 Larry Rosenman <ler@lerctr.org> wrote: > Just to add some more to the debate: > http://david.woodhou.se/why-not-spf.html > http://www.circleid.com/posts/spf_loses_mindshare/ Thanks Larry ... the first, specifically, is a very good read ... - ---- Marc G. Fournier Hub.Org Networking Services (http://www.hub.org) Email . scrappy@hub.org MSN . scrappy@hub.org Yahoo . yscrappy Skype: hub.org ICQ . 7615664 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (FreeBSD) iD8DBQFFYpYQ4QvfyHIvDvMRAlXmAKCkAIYJuM6S4/vSnFZyUvNZ0PYVwQCgvMLq KrGjSdo8vxxE/6TJaLT/Yzc= =Uuy3 -----END PGP SIGNATURE-----
On Nov 17, 2006, at 2:06 AM, Josh Berkus wrote: > Marc, >> Damn, I thought we had set that up for you awhile back ... port 26 on >> mail.postgresql.org will accept external smtp connections as well >> as port >> 25, to get around this ... we have a fair # of clients whose cable >> ISPs do >> the same thing :( > > Yes, you tried, but the Mariott I was staying at blocked 26 as > well. Anyway, > AuthSMTP is paid for and is reasonably secure. BTW, most hotels I've been at do provide some means to unblock port 25, the assumption being that if you're clueful enough to accomplish that, you probably don't have any bots running on your laptop. There's actually a website you can hit for most of them that will do it, but I don't remember what it is (I just went the easy route and opened 587 on my mail server). -- Jim Nasby jim@nasby.net EnterpriseDB http://enterprisedb.com 512.569.9461 (cell)