Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. SPF>
  3. Discuss
Re: implicit MX rule FAQ
nobody at xyzzy
May 14, 2007, 10:55 AM
Post #1 of 8 (2118 views)
Permalink
Julian Mehnle wrote:

> I also added a brief explanation of why the "implicit MX" rule
> is problematic.

No problem with that brief explanation, but it doesn't convince
me that there is a problem. You argue that most domains have an
IP and therefore fall under the "implicit MX" rule. I'd argue
that most domains have an explicit MX, and therefore can't muddy
the waters.

Validating the "existence" of a domain by merely looking if it
has an MX (or lacking that an IP) won't help you long wrt spam,
professional spammers can arrange to survive this validation.

A part of the SPF FAIL philosophy is built on the assumption that
professional spammers prefer to abuse addresses surviving "call
back verification" (IOW real addresses), and that FAIL-protected
addresses aren't "good enough" for these professional spammers,
because checking (and rejecting) SPF FAIL is cheaper than CBV.

When we're in the realm of "plausible" addresses (from the POV
of the professional spammers), then MX or "implicit MX" (IP) is
only a precondition for further "plausibility" checks like "no
SPF FAIL for the IPs of my botnet" and "no 5xx after RCPT TO in
a 'call back verification'".

At some point in time the professional spammers will be forced
to fine tune their "plausibility" tests depending on their next
target, maybe that's already the case. "No MX and no IP" can't
qualify as "plausible" for such professional spammers, removing
the "implicit MX" from the picture won't make a big difference
for them.

This construct can be harmful, e.g. if stupid senders implement
it as "try the direct IP if all MXs failed", it's also easy to
get the details wrong while explaining e.g. SPF's mx-mechanism,
or when discussing IPv4 vs. IPv6, but that's not exactly the
fault of this "implicit MX" rule.

Changing that rule would be also tricky wrt EHLO, at the moment
an MTA claiming to be smtp.example.com in its HELO might not
have an MX, but still accept mail to postmaster@smtp.example.com
at its IP. Without the "implicit MX" rule the assumption could
be that any MTA without an MX for its HELO is what, suspicious ?

Frank


-------------------------------------------
-----------------------------------------------------------------------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?list_id=735
Powered by Listbox: http://www.listbox.com
Re: Re: implicit MX rule FAQ [ In reply to ]
stuart at bmsi
May 14, 2007, 2:05 PM
Post #2 of 8 (2030 views)
Permalink
On Mon, 14 May 2007, Frank Ellermann wrote:

> Julian Mehnle wrote:
>
> > I also added a brief explanation of why the "implicit MX" rule
> > is problematic.
>
> No problem with that brief explanation, but it doesn't convince
> me that there is a problem. You argue that most domains have an
> IP and therefore fall under the "implicit MX" rule. I'd argue
> that most domains have an explicit MX, and therefore can't muddy
> the waters.

> Validating the "existence" of a domain by merely looking if it
> has an MX (or lacking that an IP) won't help you long wrt spam,
> professional spammers can arrange to survive this validation.

> A part of the SPF FAIL philosophy is built on the assumption that
> professional spammers prefer to abuse addresses surviving "call
> back verification" (IOW real addresses), and that FAIL-protected
> addresses aren't "good enough" for these professional spammers,
> because checking (and rejecting) SPF FAIL is cheaper than CBV.

SPF is *not* for "stopping spam". It is for determining whether the domain
owner has authorized an IP address to send mail. The A mechanism identifies
ips by means of A and AAAA records. The MX mechanism identifies ips by means
of MX records (and the A and AAAA records they refer to). Enough said. The
"implicit MX rule" is pointless for SPF because the domain in question is
*sending* mail, *not* receiving it.

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

-------------------------------------------
-----------------------------------------------------------------------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?list_id=735
Powered by Listbox: http://www.listbox.com
Re: implicit MX rule FAQ [ In reply to ]
julian at mehnle
May 14, 2007, 3:19 PM
Post #3 of 8 (2035 views)
Permalink
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

(Please follow up to spf-discuss.)

Frank Ellermann wrote on spf-webmasters:
> Julian Mehnle wrote:
> > I also added a brief explanation of why the "implicit MX" rule
> > is problematic.
>
> No problem with that brief explanation, but it doesn't convince
> me that there is a problem. You argue that most domains have an
> IP and therefore fall under the "implicit MX" rule. I'd argue
> that most domains have an explicit MX, and therefore can't muddy
> the waters.

So which of the following valid host names (off the top of my head) has an
explicit MX record?

chiclet.listbox.com
portent.listbox.com
1cust176.tnt9.hbg2.deu.da.uu.net
earbone.schlitt.net
earbone.openspf.org
www.google.com
www.microsoft.com
direkt.postbank.de
en.wikipedia.org

> Validating the "existence" of a domain by merely looking if it
> has an MX (or lacking that an IP) won't help you long wrt spam,

No, but it is a basic sanity checking technique in any e-mail setup.

> professional spammers can arrange to survive this validation.

That's completely besides the point.

> [...]
> Changing that rule would be also tricky wrt EHLO, at the moment
> an MTA claiming to be smtp.example.com in its HELO might not
> have an MX, but still accept mail to postmaster@smtp.example.com
> at its IP. Without the "implicit MX" rule the assumption could
> be that any MTA without an MX for its HELO is what, suspicious ?

Said sanity check enforces the basic assumption valid_for_mail_from(
$domain) = valid_for_rcpt_to($domain) without implicit MX. The HELO
identity is separate from both MAIL FROM and RCPT TO.

In any case, killing the "implicit MX" rule would be a good idea. Note
that I'm not saying that it would be _easy_.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGSOCOwL7PKlBZWjsRAvRGAKD5rWXFyawvPYWuJiqXBP6BbnN5AACgwHYQ
+RZiadA4bhdv4BLAc8vrO0M=
=1hjw
-----END PGP SIGNATURE-----

-------------------------------------------
-----------------------------------------------------------------------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?list_id=735
Powered by Listbox: http://www.listbox.com
Re: implicit MX rule FAQ [ In reply to ]
nobody at xyzzy
May 14, 2007, 3:52 PM
Post #4 of 8 (2026 views)
Permalink
Stuart D. Gathman wrote:

> The "implicit MX rule" is pointless for SPF

Sure, it doesn't exist as far as the SPF mechanism mx is concerned.
The FAQ talks about it generally (SMTP), not specifically wrt SPF.

Frank


-------------------------------------------
-----------------------------------------------------------------------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?list_id=735
Powered by Listbox: http://www.listbox.com
Re: Re: implicit MX rule FAQ [ In reply to ]
morelli at es
May 14, 2007, 3:54 PM
Post #5 of 8 (2016 views)
Permalink
-------------------------------------------
-----------------------------------------------------------------------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?list_id=735
Powered by Listbox: http://www.listbox.com
Re: Re: implicit MX rule FAQ [ In reply to ]
morelli at es
May 14, 2007, 3:55 PM
Post #6 of 8 (2033 views)
Permalink
-------------------------------------------
-----------------------------------------------------------------------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?list_id=735
Powered by Listbox: http://www.listbox.com
Re: implicit MX rule FAQ [ In reply to ]
nobody at xyzzy
May 14, 2007, 4:16 PM
Post #7 of 8 (2038 views)
Permalink
Julian Mehnle wrote:

> So which of the following valid host names (off the top of my
> head) has an explicit MX record?

No idea, and too tired to guess. Let the spammers figure it out
when they intend to abuse one of these addresses.

> The HELO identity is separate from both MAIL FROM and RCPT TO.

We use it to construct our ersatz MAIL FROM if that's empty.
SMTP might use it to report problems to postmaster@ (I'm again
too tired to check if that's MUST or SHOULD or only between the
lines in 2821bis-03, and tomorrow I could look in 2821bis-04.)

> In any case, killing the "implicit MX" rule would be a good
> idea.

I doubt it. I like SPF better, it doesn't demand that folks
have to change their working setup before they're willing to
change it. Apart from forwarders to some degree.

> Note that I'm not saying that it would be _easy_.

Sometimes I think we're only at the beginning of the transition
to SPF (i.e. SPF PASS or FAIL). It's not the point in time to
screw with something fundamental in SMTP again. "Reinventing"
those source routes was as hard as it can get without breaking.

Frank


-------------------------------------------
-----------------------------------------------------------------------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?list_id=735
Powered by Listbox: http://www.listbox.com
Re: Re: implicit MX rule FAQ [ In reply to ]
morelli at es
May 14, 2007, 4:17 PM
Post #8 of 8 (2010 views)
Permalink
-------------------------------------------
-----------------------------------------------------------------------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?list_id=735
Powered by Listbox: http://www.listbox.com

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal