Another Permerror heuristic
When Pyspf gets a PermError, it still attempts to get a "best guess" result
by heuristically examining the SPF record. I just realized another simple
addition to its bag of heuristics. When the error is "two or more SPF
records (or TXT records)", simply evaluate both, and if the results agree,
that is the best guess - a pretty confident guess at that. I would only
apply this for 2 records, since that would arise in practice when naively
updating SPF records.

In fact, this would be another tweak for SPFv3: only report PermError for
exactly 2 SPF records (v3 should not use TXT) when the results disagree.
If both records get the same result, that is an official result.

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: http://www.listbox.com/member/archive/1007/=now
RSS Feed: http://www.listbox.com/member/archive/rss/1007/
Powered by Listbox: http://www.listbox.com
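The two-record heuristic described in the post above, as an added example (not pyspf's own code): a toy SPF evaluator that only understands the ip4, ip6 and all mechanisms, applied to two constructed records left behind by a naive update. The record contents, client addresses and the (result, confidence) return shape are assumptions made for the example.

```python
import ipaddress

PERMERROR = "permerror"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(record, client_ip):
    """Toy SPF evaluator (assumption: only ip4, ip6 and all mechanisms;
    real evaluators also handle a, mx, include, redirect and so on)."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return PERMERROR
    for term in terms[1:]:
        qualifier, mech = "+", term
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                # mismatched address families simply do not match
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return PERMERROR  # malformed network in the record
        else:
            return PERMERROR  # mechanism not supported by this toy
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # fell off the end of the record

def best_guess(txt_records, client_ip):
    """Return (result, confidence). Exactly two v=spf1 records that agree
    are reported as a best guess instead of the usual PermError."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return "none", "official"
    if len(spf) == 1:
        return evaluate_spf(spf[0], client_ip), "official"
    if len(spf) == 2:
        results = {evaluate_spf(r, client_ip) for r in spf}
        if len(results) == 1 and PERMERROR not in results:
            return results.pop(), "best-guess"
    return PERMERROR, "official"

# constructed records: a naive update left the old record in place
OLD = "v=spf1 ip4:192.0.2.0/24 -all"
NEW = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all"
```

For a client in 192.0.2.0/24 both records agree and a best-guess pass is returned; for 198.51.100.7 the records disagree, so the PermError stands.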
Re: Another Permerror heuristic
Stuart D. Gathman wrote:

> In fact, this would be another tweak for SPFv3: only report
> PermError for exactly 2 SPF records (v3 should not use TXT)
> when the results disagree. If both records get the same
> result, that is an official result.

As a heuristic it is an idea. Generally I'd consider it rude
and net abuse when senders burden receivers with unnecessary
DNS queries. Receivers rejecting PermError should be free to
consider such scenarios as broken.

For spf2.0/mfrom and variations it is arguably acceptable when
there is a "similar" v=spf1 with a hopefully identical result.
In this case a faster heuristic is to follow RFC 4408, and to
ignore the "spf2.0/mfrom" instead of wasting time with "mfrom"
evaluations.

The spf-eai draft proposes to deprecate any "spf2.0/mfrom" in
favour of v=spf1. For "mfrom" read "mfrom,pra", "pra,mfrom",
or "mfrom", and hopefully at most one of these combos. RFC 4406
is just messy.

Frank

Re: Re: Another Permerror heuristic
On Thu, 20 Mar 2008, Frank Ellermann wrote:

> Stuart D. Gathman wrote:
>
> > In fact, this would be another tweak for SPFv3: only report
> > PermError for exactly 2 SPF records (v3 should not use TXT)
> > when the results disagree. If both records get the same
> > result, that is an official result.
>
> As heuristic it is an idea. Generally I'd consider it as rude
> and net abuse when senders burden receivers with unnecessary
> DNS queries. Receivers rejecting PermError should be free to
> consider such scenarios as broken.

Point taken. So forget the idea for spfv3. The goal for
my mail system is to get a semi-official pass so that I can blacklist
domains with a clear conscience. (And have whitelisting work reliably
even when the sender has screwed up their DNS.)

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
