[Asrg] SPF, was where the message
Ian Eiloart
iane at sussex.ac.uk
Fri Jan 23 03:07:15 PST 2009
--On 22 January 2009 02:02:29 +0000 John Levine <johnl at taugh.com> wrote:
>>> For senders that are on its whitelist, AOL reverse engineers the IP
>>> addresses to whitelist from the sender's SPF records, which is way
>>> easier all around than the former mostly manual system.
>>>
>>> Since S-ID falls back to SPF records, most senders just publish one set
>>> of SPF records for both. Note that neither of these are using SPF for
>>> its nominal purpose; I'm not aware of any large system that does.
>>
>> They're using it for whitelisting purposes instead of its nominal
>> purpose? That's exactly what I'm discussing.
>
> Every once in a while, AOL fetches the SPF records for senders in
> their whitelist, crunches them to get a set of IP addresses, and then
> puts those IP addresses into their whitelist. AOL's whitelisting
> process is based on IPs, with the SPF bit merely being a cheap way for
> senders to tell AOL what IPs they use. They do not use SPF
> per-message, nor as far as I can tell do they make any attempt to
> match up the bounce address on incoming mail to the domain from which
> they got the IP in the whitelist.
Aren't the two things functionally equivalent? Oh, I guess that they're
effectively whitelisting ALL email from IP addresses for which they trust
ANY domain. I hope they've got some process that prevents them falling foul
of the obvious attack.
>
>> I think SPF has a bad reputation in some quarters because people
>> think of how it breaks forwarding (etc).
>
> It could be somewhat useful for whitelisting some kinds of mail. Too
> bad it's been so egregiously oversold.
Agreed. It's exactly why publication of SPF records (with ~all) should be
encouraged. Once people get the hang of that, and using MSA, we'll be in a
world where -all records will be less risky.
> R's,
> John
--
Ian Eiloart
IT Services, University of Sussex
x3148
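To make the concern in the exchange above concrete, here is an added Python example (not code from the list, from AOL, or from anyone in this thread) that expands SPF records into IP networks the way an IP-keyed whitelist would. The records and domains are constructed placeholders; the example shows that an IP-only whitelist also passes mail from an untrusted domain that shares a relay, while keying the check on the bounce-address domain as well does not.

```python
import ipaddress

# Constructed SPF TXT records standing in for DNS lookups (hypothetical domains).
# trusted.example and other.example both relay through the same shared provider.
SPF_RECORDS = {
    "trusted.example": "v=spf1 ip4:192.0.2.10 include:_spf.relay.example ~all",
    "other.example": "v=spf1 include:_spf.relay.example -all",
    "_spf.relay.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
}


def spf_networks(domain, depth=0, seen=None):
    """Expand a domain's SPF record into the networks it authorizes.

    Follows include: terms (bounded, like SPF's lookup limit) and collects
    ip4:/ip6: terms. a/mx/ptr terms would need more DNS and are skipped here.
    """
    seen = set() if seen is None else seen
    if domain in seen or depth > 10:
        return set()
    seen.add(domain)
    nets = set()
    for term in SPF_RECORDS.get(domain, "").split()[1:]:
        if term.startswith(("ip4:", "ip6:")):
            nets.add(ipaddress.ip_network(term.split(":", 1)[1], strict=False))
        elif term.startswith("include:"):
            nets |= spf_networks(term[len("include:"):], depth + 1, seen)
    return nets


def build_ip_whitelist(trusted_domains):
    """Crunch trusted senders' SPF records into one IP-keyed whitelist."""
    whitelist = set()
    for domain in trusted_domains:
        whitelist |= spf_networks(domain)
    return whitelist


def ip_only_pass(whitelist, client_ip):
    """IP-only decision: any domain on the shared relay gets through."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in whitelist)


def ip_and_domain_pass(trusted_domains, client_ip, mail_from_domain):
    """Tighter decision: bounce-address domain must be trusted AND its own
    SPF record must authorize the connecting IP."""
    if mail_from_domain not in trusted_domains:
        return False
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in spf_networks(mail_from_domain))
```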