Mailing List Archive

SPF and maximum dns lookups per record ( includes)
Hi guys,

We developed a Java implementation of SPF called jSPF. Version 0.9b1
will be released next week if nothing goes wrong. Now someone has opened a bug
report telling us that microsoft.com returns a permError because the
maximum of 10 includes is too few. But I think the bug report is invalid
because the specs are really clear on this.

What do you guys think about it?

Here is the bugreport:

http://issues.apache.org/jira/browse/JSPF-21?page=all

Any feedback would be cool.

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-devel@v2.listbox.com
Re: SPF and maximum dns lookups per record ( includes) [ In reply to ]
On Sun, 16 Jul 2006 15:56:48 +0200 Norman Maurer <nm@byteaction.de> wrote:
>Hi guys,
>
>We developed a Java implementation of SPF called jSPF. Version 0.9b1
>will be released next week if nothing goes wrong. Now someone has opened a bug
>report telling us that microsoft.com returns a permError because the
>maximum of 10 includes is too few. But I think the bug report is invalid
>because the specs are really clear on this.
>
>What do you guys think about it?
>
>Here is the bugreport:
>
>http://issues.apache.org/jira/browse/JSPF-21?page=all
>
>Any feedback would be cool.
>
This came up several weeks ago on spf-discuss. The MS SPF record does exceed the processing
limits. I reported it to them, but apparently they haven't seen fit to fix it yet.

How you deal with it is up to you. In pySPF (see the pyMilter project on
sourceforge) there is a relaxed mode that accepts certain types of errors
(including using more generous processing limits). Of course the current
limits were set to manage the risk of DoS attacks so you need to evaluate
the risk of such non-standard processing.

Scott K

Re: SPF and maximum dns lookups per record (includes) [ In reply to ]
Norman Maurer wrote:
> We developed a Java implementation of SPF called jSPF. Version 0.9b1
> will be released next week if nothing goes wrong. Now someone has opened a bug
> report telling us that microsoft.com returns a permError because the
> maximum of 10 includes is too few. But I think the bug report is invalid
> because the specs are really clear on this.

You are absolutely correct, the microsoft.com records are invalid -- hard
to believe but true. And I think it is important that implementations and
their users NOT begin to weaken their lookup limits, because otherwise
more and more domains will begin to ignore the lookup limits, in turn
again causing other implementations to have to raise, or entirely get rid
of, their limits.

The limits are a necessary evil that serve the purpose of mitigating the
risks of DoS attacks.

Re: Re: SPF and maximum dns lookups per record (includes) [ In reply to ]
>
> Norman Maurer wrote:
> > We developed a Java implementation of SPF called jSPF. Version 0.9b1
> > will be released next week if nothing goes wrong. Now someone has opened a bug
> > report telling us that microsoft.com returns a permError because the
> > maximum of 10 includes is too few. But I think the bug report is invalid
> > because the specs are really clear on this.
>
> You are absolutely correct, the microsoft.com records are invalid -- hard
> to believe but true. And I think it is important that implementations and
> their users NOT begin to weaken their lookup limits, because otherwise
> more and more domains will begin to ignore the lookup limits, in turn
> again causing other implementations to have to raise, or entirely get rid
> of, their limits.

I fully agree. If it is in the RFC we should not "break" it.

>
> The limits are a necessary evil that serve the purpose of mitigating the
> risks of DoS attacks.
>

Thx for the reply. I just wanted to make sure :-)

Thx
Norman



Re: SPF and maximum dns lookups per record ( includes) [ In reply to ]
On Sun, 16 Jul 2006, Scott Kitterman wrote:

> How you deal with it is up to you. In pySPF (see the pyMilter project on
> sourceforge) there is a relaxed mode that accepts certain types of errors
> (including using more generous processing limits). Of course the current
> limits were set to manage the risk of DoS attacks so you need to evaluate
> the risk of such non-standard processing.

It is important to note that the relaxed mode does not change the SPF result.
It only potentially changes local policy on what to do with the email. In
pymilter, an SPF permerror that gets a relaxed mode pass will be delivered
by default - but only after successfully delivering a DSN complaining about the
problem. Such DSNs will be ignored by Microsoft - but they have prompted
dozens of smaller admins to fix their SPF records.

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
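
An added example, not part of the thread and not code from pySPF, pymilter or jSPF: a minimal evaluator that enforces the limit of 10 DNS-lookup terms discussed above and, as in the relaxed mode described in the last message, reports a second result for local policy without changing the SPF result. The zone data, the function names and the relaxed limit of 20 are assumptions made for illustration; only `ip4`, `include` and `all` are evaluated, and the other lookup terms are counted but never match.

```python
import ipaddress

# Constructed zone (not real DNS data): 12 includes, two over the limit of 10.
ZONE = {f"s{i}.example": f"v=spf1 ip4:192.0.2.{i} -all" for i in range(1, 13)}
ZONE["big.example"] = "v=spf1 " + " ".join(f"include:s{i}.example" for i in range(1, 13)) + " -all"

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # terms that cost a DNS lookup
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

class PermError(Exception):
    """The record cannot be evaluated within the processing limits."""

def check_host(ip, domain, limit, state=None):
    """Evaluate a subset of SPF (ip4, include, all) under one shared lookup budget."""
    state = {"lookups": 0} if state is None else state
    record = ZONE.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        result = QUALIFIERS.get(term[0], "pass")  # no qualifier means "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name in LOOKUP_TERMS:
            state["lookups"] += 1  # nested includes draw on the same budget
            if state["lookups"] > limit:
                raise PermError(f"more than {limit} DNS lookups")
        if name == "ip4" and ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False):
            return result
        if name == "include":
            sub = check_host(ip, arg, limit, state)
            if sub == "none":
                raise PermError(f"include target {arg} has no SPF record")
            if sub == "pass":  # any other sub-result means "no match", keep going
                return result
        if name == "all":
            return result
    return "neutral"

def evaluate(ip, domain, strict_limit=10, relaxed_limit=20):
    """Return (spf_result, relaxed_result); spf_result always uses strict_limit."""
    try:
        return check_host(ip, domain, strict_limit), None
    except PermError:
        pass
    try:
        return "permerror", check_host(ip, domain, relaxed_limit)  # hint for local policy only
    except PermError:
        return "permerror", "permerror"
```

The same over-limit record passes for a sender matched within the first ten includes and yields permerror for one matched by the eleventh or twelfth, which is why such records can go unnoticed by their publishers.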
