
Re: recent spam to this list



Joel Baker writes:
> Many places do hosting of DNS domains (only; no web or mail, etc) for
> absurdly cheap rates ($5/mo in some cases), and allow either DDNS or an
> automatable webpage to do updates with.

I'm aware of these.  While interesting should they start supporting SPF,
they are not really essential to anything I'd want to do.

> Your ISP probably doesn't permit outbound connections from dialups to port
> 25...

Actually, it does.  I don't use it though: when sending mail from home I'm
happy to use my ISP's smarthost.

> Not at all uncommon, though it might be worth trying to convince them
> to allow you to do *authenticated* relay from outside.

Authenticated relay is what I meant.  I don't expect or want them to run an
open relay.  It is, however, pointless to try to convince them to change
anything.  They do not listen to customers.  On the other hand, they
enforce no obnoxious policies, don't have silly terms of service, and seem
to be above-average in reliability.

> *Mail* has a return path that includes domain names (normally). SMTP
> *sessions* have a source IP. All of the protocols I saw obviously listed
> on the ASRG page (including at least RMX, SPF, and Vixie's proposal) use
> the *claimed* domain (which can be anything), and the *actual* source IP
> (which cannot be forged without having access to the routing hardware in
> between the machines, at which point you can do damned near anything you
> want), to decide whether it's kosher. The library's domain is irrelevant,
> in this case, since you're not claiming a return address in the library's
> domain.

I understand all that, which is why I found statements such as those in
<20031013091645.GA5606@kos.to> confusing.  The fact is I can add SPF
records for any IP numbers I want to domains I control.  Thus if I want to
be able to send mail from the library or the university claiming to be from
my domain I just need to add the appropriate records to my domain.  The
library and university have nothing to say in the matter.

> Look up "joe job".

Strictly speaking what I am suffering is not a "joe job".  The spammers
using my domain are not actively trying to defame me: they just find it
convenient to forge my domain.  Widespread implementation of SPF would stop
them.

I've read up some more on SPF (IMHO the best of the bunch) and the rest of
the ASRG proposals.  SPF works exactly as I thought it did.  I have no
problem with any of it: I'd like to see it adopted ASAP.

Some URLs:

http://www.mikerubel.org/computers/rmx_records/#introduction
http://spf.pobox.com/
http://spf.pobox.com/faq.html#noprevent
http://spf.pobox.com/dmpvsrmx.html
http://spf.pobox.com/draft-mengwong-spf-01.txt



-- 
John Hasler
john@dhh.gt.org (John Hasler)
Dancing Horse Hill
Elmwood, WI


