Mailing List Archive

Re: [spf-discuss] AOL to ESPs: Comply with SPF, Or Else

On Friday 11 June 2004 02:46 am, Jon Kyme wrote:
> > Should we send an email to every postmaster@<domain> who hasn't
> > published yet? We would describe SPF, the flag day for SPF, and why
> > they need to publish very soon. We could also send instructions on some
> > default configurations.
>
> An unsolicited mailshot to postmasters all over the world? Brilliant
> idea, only a genius could have come up with this. Truly, a public
> relations triumph is just around the corner.
>

I know it isn't exactly the best idea, but how else are we supposed to post
a formal notice to everyone who owns a domain and sends and receives email?
Which website does everyone who owns a domain frequent? Which newspaper or
magazine do they read?

If the postmaster account isn't used for this, then what is it used for?

Sure, it may be unsolicited, but unsolicited in the same way that a subpoena
or a legal notice is unsolicited.

It is hardly spam in the UCE sense.

I am open to other suggestions. I would rather people had previous notice
that their emails will be ignored rather than silently dropping millions of
emails without giving due notice.

The only other alternative is to send a message to postmasters who don't
publish SPF when you receive a message from them. It will be important that
it gets sent only once, however. In that sense, you would be informing
them, "Hey, I accepted your email this time. Come September 22, if you
don't publish SPF, I won't accept it."

Then the followup on September 22 and afterwards: "I dropped your email
because you don't publish SPF records."

--
Jonathan M. Gardner
Mass Mail Systems Developer, Amazon.com
jonagard@amazon.com

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-deployment@v2.listbox.com
Re: [Waitman] Re: [spf-discuss] AOL to ESPs: Comply with SPF, Or Else
Hello

When a due date is prescribed a news release to prweb.com should help
get the word out. Many journalists pick up on these releases, and should
report this kind of information.

I don't know about sending out email to every domain.

Waitman Gobble


Jonathan Gardner wrote:

>
>On Friday 11 June 2004 02:46 am, Jon Kyme wrote:
>
>
>>>Should we send an email to every postmaster@<domain> who hasn't
>>>published yet? We would describe SPF, the flag day for SPF, and why
>>>they need to publish very soon. We could also send instructions on some
>>>default configurations.
>>>
>>>
>>An unsolicited mailshot to postmasters all over the world? Brilliant
>>idea, only a genius could have come up with this. Truly, a public
>>relations triumph is just around the corner.
>>
>>
>>
>
>I know it isn't exactly the best idea, but how else are we supposed to post
>a formal notice to everyone who owns a domain and sends and receives email?
>Which website does everyone who owns a domain frequent? Which newspaper or
>magazine do they read?
>
>If the postmaster account isn't used for this, then what is it used for?
>
>Sure, it may be unsolicited, but unsolicited in the same way that a subpoena
>or a legal notice is unsolicited.
>
>It is hardly spam in the UCE sense.
>
>I am open to other suggestions. I would rather people had previous notice
>that their emails will be ignored rather than silently dropping millions of
>emails without giving due notice.
>
>The only other alternative is to send a message to postmasters who don't
>publish SPF when you receive a message from them. It will be important that
>it gets sent only once, however. In that sense, you would be informing
>them, "Hey, I accepted your email this time. Come September 22, if you
>don't publish SPF, I won't accept it."
>
>Then the followup on September 22 and afterwards: "I dropped your email
>because you don't publish SPF records."
>
>--
>Jonathan M. Gardner
>Mass Mail Systems Developer, Amazon.com
>jonagard@amazon.com
>
>-------
>Sender Policy Framework: http://spf.pobox.com/
>Archives at http://archives.listbox.com/spf-discuss/current/
>Send us money! http://spf.pobox.com/donations.html
>To unsubscribe, change your address, or temporarily deactivate your subscription,
>please go to http://v2.listbox.com/member/?listname=spf-discuss@v2.listbox.com
>
>
>
>

Re: [spf-discuss] AOL to ESPs: Comply with SPF, Or Else

Keep in mind that I am just trying to advocate this so that we get the issue
fully explored. Maybe you are right: Publishing an article in the trade
press is the best and only way of giving notice.

On Friday 11 June 2004 10:25 am, Alan Hodgson wrote:
> On Fri, Jun 11, 2004 at 09:59:43AM -0700, Jonathan Gardner wrote:
> > I know it isn't exactly the best idea, but how else are we supposed to
> > post a formal notice to everyone who owns a domain and sends and
> > receives email? Which website does everyone who owns a domain frequent?
> > Which newspaper or magazine do they read?
>
> They don't. And you won't be able to let them know.
>
> If you wish to spend money on TV or magazine advertising to try, that
> would be your right, though.
>
> > If the postmaster account isn't used for this, then what is it used
> > for?
> >

I ask again: What is the postmaster account used for, if not for email
issues with a particular domain? Are we supposed to never send any email to
any postmaster ever because it may be considered spam?

> > Sure, it may be unsolicited, but unsolicited in the same way that a
> > subpoena or a legal notice is unsolicited.
> >
> > It is hardly spam in the UCE sense.
>
> Unfortunately it is exactly spam in the UCE sense. Your message is no
> more or less important in the grand scheme of things than anyone else's,
> and no more worthy of cost-shifting receipt. It took me a while to learn
> that lesson, but learn it I have.
>

How is sending a notice of SPF compliance deadline UCE? (UCE = Unsolicited
COMMERCIAL Email) We aren't asking for money. We aren't forming a pyramid
scheme. We aren't asking them to login to their eBay account to update
their information.

And is a notice to another company that we aren't going to accept their
email any longer unless they make some changes unsolicited? Isn't that what
the postmaster account is for? Don't we have almost a legal liability to
notify people that we are going to drop their email?

> > I am open to other suggestions. I would rather people had previous
> > notice that their emails will be ignored rather than silently dropping
> > millions of emails without giving due notice.
>
> Eventually, bouncing E-mail due to lack of SPF records (or too lenient
> SPF records), will be the only way to force adoption. You won't be able
> to do that for years, though, if ever.
>
> Things on the Internet don't change overnight. This isn't 1994.
>

I believe you are wrong. We can have SPF fully deployed by September 22. We
have come this far in a relatively short period of time. There is a great
need for SPF, and people will adopt it. Look around - many major internet
participants have fully endorsed SPF. These are the early adopters. How
many more are merely waiting for some more evidence or a push in the right
direction?

If AOL is going to bounce emails by the end of the summer, then a
significant portion of email is going to get bounced or a significant
number of domains are going to publish SPF.

> > The only other alternative is to send a message to postmasters who
> > don't publish SPF when you receive a message from them. It will be
> > important that it gets sent only once, however. In that sense, you
> > would be informing them, "Hey, I accepted your email this time. Come
> > September 22, if you don't publish SPF, I won't accept it."
>
> No, you could tell your correspondents that though. Spamming postmasters
> will never make you friends or help the adoption of SPF.

Neither will suddenly dropping someone's email with no notification.

I see two situations:

(1) We send notifications to postmaster@. Many people are upset. We get a
news article published about how SPF group is engaging in the exact
behavior we want to prevent. We get added to SpamCop and some other
people's blacklist. Slashdot runs an article, "Is the solution worse than
the cure?" However, everyone and their grandmother knows of the deadline
and what they must do. When they send an email, and it gets dropped, they
go "Oh, it must be because we didn't publish SPF records."

(2) We publish a few articles in the US and Europe. Japan, Korea, and China
are largely left out of the loop. We only get the attention of a fraction
of email participants. When the flag day passes, massive amounts of email
get dropped. The poor email administrators don't even know that their email
is getting dropped for days or even weeks. When they do a thorough
investigation, they finally get a response: We are dropping your email
because you aren't publishing SPF records. Well what good does that do them
now? They've lost several days of emails and they've never been notified of
it in the first place! But we wrote articles in magazines and emailing
lists and internet sites, wasn't that enough? Well how are they supposed to
read the articles if they are written in English or French or German and
they speak Korean?

So the thing is, we can either anger them before or after the flag day. I
think angering them before the flag day will do a lot more good than
angering them after the flag day.

--
Jonathan M. Gardner
Mass Mail Systems Developer, Amazon.com
jonagard@amazon.com

Re: AOL to ESPs: Comply with SPF, Or Else
Jonathan Gardner wrote:

> I know it isn't exactly the best idea, but how else are we
> supposed to post a formal notice to everyone who owns a
> domain and sends and receives email?

One thing which wouldn't be spam is to report erroneous
bounces, especially if you got more than one with forged
addresses of your domain.

The usual pattern is a part of a dictionary attack. You
could then inform postmaster@ that -1: his system is under
attack, -2: you didn't attack it, -3: how SPF would help
to reject (parts of) this attack. You could even add some
instructions for <http://spf.pobox.com/why.html> with the
MAIL FROM and the IP in question to demonstrate this effect.

> Sure, it may be unsolicited

If it's an analysis of an erroneous bounce, then it's IMHO
not "unsolicited", and if the dictionary attack is still at
A..D it might even help. I'm not sure how fast the spammers
rotate the sending IPs, if it's less often than the forged
addresses, the postmaster@ could "teergrube" (tarpit) the
IP in question or simply block it for some time.

> It is hardly spam in the UCE sense.

Sending bulk mail to arbitrary postmasters is spam. With a
good reason it's another story.
Bye, Frank
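
Added example, not part of Frank's post or of any SPF project code: a sketch of the check a bounce report could show a postmaster, evaluating the forged MAIL FROM domain's SPF record against the IP that actually sent the message. The record, domain, addresses and function names are constructed for illustration, and only the `ip4`, `ip6` and `all` terms are evaluated.

```python
import ipaddress

# Result names follow the SPF specification (RFC 7208).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample data: documentation-range networks, made-up domain.
SAMPLE_RECORD = "v=spf1 ip4:192.0.2.0/24 -all"
SAMPLE_MAIL_FROM = "orders@example.org"
SAMPLE_BOUNCE_SOURCE_IP = "203.0.113.7"


def evaluate_spf(record, client_ip):
    """Evaluate the ip4/ip6/all terms of one SPF record against an IP.

    Terms that need further DNS lookups (a, mx, include, ...) are skipped,
    so this is a teaching subset and not a full SPF implementation.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier]
        if name.lower() in ("ip4", "ip6") and value:
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"  # no term matched


def bounce_report(mail_from, client_ip, record):
    """Summarise for a postmaster what SPF says about one forged message."""
    result = evaluate_spf(record, client_ip)
    return {"domain": mail_from.rpartition("@")[2], "ip": client_ip,
            "result": result, "rejectable": result == "fail"}


if __name__ == "__main__":
    print(bounce_report(SAMPLE_MAIL_FROM, SAMPLE_BOUNCE_SOURCE_IP, SAMPLE_RECORD))
```

A "fail" result for the bounce's source IP is the evidence that a receiver checking SPF could have rejected the forged message at SMTP time instead of accepting it and bouncing later.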