Mailing List Archive

Fwd: Google oddity (was: SPF)
This belongs on spf-discuss rather than spf-webmasters. Do not reply to
spf-webmasters.

Julian.

---------- Forwarded Message ----------
Subject: [spf-webmasters] SPF
Date: Monday, 2007 June 25 13:23
From: "Prakhar Birla" <prakharbirla@gmail.com>
To: spf-webmasters@v2.listbox.com

Hi,
I just got a mail from LinkedIn on my gmail account. The from and to were
my e-mail addresses. This was the header:

> Delivered-To: prakharbirla@gmail.com
> Received: by 10.114.121.7 with SMTP id t7cs10895wac;
> Mon, 25 Jun 2007 06:12:02 -0700 (PDT)
> Received: by 10.141.20.7 with SMTP id x7mr711127rvi.1182777122126;
> Mon, 25 Jun 2007 06:12:02 -0700 (PDT)
> Return-Path: <notif+uGGdmzFmwF_wGswPekhRmLOsP8BwR_mTYLAxBmqq5uNc9NXTlpprDrqv9Gx9WyuM5VCNnFqFrIxRXbd5SIAxChF_SODxiYD99_@bounce.linkedin.com>
> Received: from mail05-a-ab.linkedin.com
> (mail05-a-ab.linkedin.com [64.74.220.81])
> by mx.google.com with ESMTP id 3si6651182rvi.2007.06.25.06.12.00;
> Mon, 25 Jun 2007 06:12:02 -0700 (PDT)
> Received-SPF: pass (google.com: domain of notif+uGGdmzFmwF_wGswPekhRmLOsP8BwR_mTYLAxBmqq5uNc9NXTlpprDrqv9Gx9WyuM5VCNnFqFrIxRXbd5SIAxChF_SODxiYD99_@bounce.linkedin.com
> designates 64.74.220.81 as permitted sender)
> Received: from bounce.linkedin.com (172.17.26.84)
> by mail05-a-ab.linkedin.com with ESMTP; 25 Jun 2007 07:11:21 -0700

Now my question is that gmail has not included the LinkedIn server in the
SPF record but still the e-mail has passed the SPF test! What is the reason
behind this?

--
Regards,
Prakhar

-------------------------------------------
-----------------------------------------------------------------------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?list_id=735
Powered by Listbox: http://www.listbox.com

Re: Fwd: Google oddity (was: SPF)
Gmail's SPF records end in "?all" thus prohibiting
normal SPF checkers from doing anything (many larger
email providers seem to do this, if anybody could
shed light on the why, that'd be greatly appreciated).

We get around this problem by keeping a list
of larger email providers that do this sort of
thing, and then take action regardless of the "?all",
so far without any serious complaints (i.e. gmail.com's
records seem reliable).


On Mon, 2007-06-25 at 14:04 +0000, Julian Mehnle wrote:
> This belongs on spf-discuss rather than spf-webmasters. Do not reply to
> spf-webmasters.
>
> Julian.
>
> ---------- Forwarded Message ----------
> Subject: [spf-webmasters] SPF
> Date: Monday, 2007 June 25 13:23
> From: "Prakhar Birla" <prakharbirla@gmail.com>
> To: spf-webmasters@v2.listbox.com
>
> Hi,
> I just got a mail from LinkedIn on my gmail account. The from and to were
> my e-mail addresses. This was the header:
>
> > Delivered-To: prakharbirla@gmail.com
> > Received: by 10.114.121.7 with SMTP id t7cs10895wac;
> > Mon, 25 Jun 2007 06:12:02 -0700 (PDT)
> > Received: by 10.141.20.7 with SMTP id x7mr711127rvi.1182777122126;
> > Mon, 25 Jun 2007 06:12:02 -0700 (PDT)
> > Return-Path: <notif+uGGdmzFmwF_wGswPekhRmLOsP8BwR_mTYLAxBmqq5uNc9NXTlpprDrqv9Gx9WyuM5VCNnFqFrIxRXbd5SIAxChF_SODxiYD99_@bounce.linkedin.com>
> > Received: from mail05-a-ab.linkedin.com
> > (mail05-a-ab.linkedin.com [64.74.220.81])
> > by mx.google.com with ESMTP id 3si6651182rvi.2007.06.25.06.12.00;
> > Mon, 25 Jun 2007 06:12:02 -0700 (PDT)
> > Received-SPF: pass (google.com: domain of notif+uGGdmzFmwF_wGswPekhRmLOsP8BwR_mTYLAxBmqq5uNc9NXTlpprDrqv9Gx9WyuM5VCNnFqFrIxRXbd5SIAxChF_SODxiYD99_@bounce.linkedin.com
> > designates 64.74.220.81 as permitted sender)
> > Received: from bounce.linkedin.com (172.17.26.84)
> > by mail05-a-ab.linkedin.com with ESMTP; 25 Jun 2007 07:11:21 -0700
>
> Now my question is that gmail has not included the LinkedIn server in the
> SPF record but still the e-mail has passed the SPF test! What is the reason
> behind this?
>
> --
> Regards,
> Prakhar

Re: Fwd: Google oddity (was: SPF)
Hi,
> Gmail's SPF records end in "?all" thus prohibiting
> normal SPF checkers from doing anything (many larger
> email providers seem to do this, if anybody could
> shed light on the why, that'd be greatly appreciated).
>
If there is anybody from Google reading this list, please contact me on-
or off-list. We're currently working with SPF-deployment issues in
Sweden and are really curious to know why gmail adds spf-check results in
the header but does not move obviously forged mail (breaking
-all-policies) to the spam-folder.

Has this been discussed before?

Best Regards,

Stefan Görling

Re: Fwd: Google oddity (was: SPF)
On Mon, 25 Jun 2007, Thomas Jacob wrote:

> Gmail's SPF records end in "?all" thus prohibiting
> normal SPF checkers from doing anything (many larger
> email providers seem to do this, if anybody could
> shed light on the why, that'd be greatly appreciated).
>
> We get around this problem by keeping a list
> of larger email providers that do this sort of
> thing, and then take action regardless of the "?all",
> so far without any serious complaints (i.e. gmail.com's
> records seem reliable).

We do the same thing - but in addition to manual policy setting,
we track reputation of domain:spfresult. This way, the system
auto learns which domains should be rejected on neutral, or rejected
on pass for that matter.

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

Re: Fwd: Google oddity (was: SPF)
> We do the same thing - but in addition to manual policy setting,
> we track reputation of domain:spfresult. This way, the system
> auto learns which domains should be rejected on neutral, or rejected
> on pass for that matter.

Interesting :-)

And how do you do that, if I may ask?


Re: Fwd: Google oddity (was: SPF)
On Mon, 25 Jun 2007, Thomas Jacob wrote:

> > We do the same thing - but in addition to manual policy setting,
> > we track reputation of domain:spfresult. This way, the system
> > auto learns which domains should be rejected on neutral, or rejected
> > on pass for that matter.
>
> Interesting :-)
>
> And how do you do that, if I may ask?

Pymilter queries the reputation server with cookie assigned to the message:

2007Jun25 17:49:39 Q:orvisnews.com:pass:1:Lc4STKck.WiLGb0EqmXA$Q
2007Jun25 17:49:39 ham: 113, spam: 0
2007Jun25 17:49:39 ID orvisnews.com:pass reputation: 76.159416,10.994643
2007Jun25 17:49:39 PREPEND X-GOSSiP: Lc4STKck.WiLGb0EqmXA$Q,76,10

Reputation server sees that that domain and SPF result has sent 113 hams and
0 spams and reports score of 76 (highest) with confidence 10 (affected
by total messages and timespan).

Pymilter adds header to message:

2007Jun25 17:49:39 [5578] connect from mail.orvisnews.com at ('12.168.118.150', 54443) EXTERNAL
2007Jun25 17:49:39 [5578] hello from mail.orvisnews.com
2007Jun25 17:49:39 [5578] mail from <news@orvisnews.com> ('BODY=8BITMIME',)
2007Jun25 17:49:39 [5578] Received-SPF: Pass (mail.bmsi.com: domain of orvisnews.com designates 12.168.118.150 as permitted sender) client-ip=12.168.118.150; envelope-from="news@orvisnews.com"; helo=mail.orvisnews.com; receiver=mail.bmsi.com; mechanism=mx; identity=mailfrom;
2007Jun25 17:49:39 [5578] X-GOSSiP: Lc4STKck.WiLGb0EqmXA$Q,76,10
2007Jun25 17:49:39 [5578] rcpt to <MAKURAT@BMSI.COM> ()
2007Jun25 17:49:40 [5578] Subject: Save on in-season items NOW.

Looks like spam to me, but the recipient approves of this newsletter and
does not flag it as spam. Pymilter sends feedback to the gossip server that
the message was legit:

2007Jun25 17:49:48 F:Lc4STKck.WiLGb0EqmXA$Q:0

On the other hand, a message comes in from:

2007Jun25 17:43:46 Q:jacobsfam.com:neutral:1:2R8V1yPWsoK.hwVnOA.H3g
2007Jun25 17:43:46 ham: 0, spam: 26
2007Jun25 17:43:46 ID jacobsfam.com:neutral reputation: -76.159416,2.072514
2007Jun25 17:43:46 REJECT X-GOSSiP: 2R8V1yPWsoK.hwVnOA.H3g,-76,2

It is rejected because jacobsfam.com with a neutral result has sent
26 spams and no hams, exceeding my personal (somewhat low :-) ) threshold
for spam tolerance.

This reputation does not affect mail from jacobsfam.com with another
SPF result, like pass (or even softfail).

The effect is that I don't try to assign semantics to the SPF results,
except that I reject on FAIL by default (with manually configured
exceptions for totally braindead senders that I nevertheless need mail from).
I just let their actual message history define what the SPF results mean
in terms of whether I want their mail.

So the arguments over the precise meaning of softfail vs neutral vs pass
are booorrrring at this point. I don't care. Just publish any old SPF record
and I'm happy. Even if you don't publish SPF, I just apply my best_guess
heuristic, and track reputation by that result. Best_guess results
in either pass or neutral tracked as domain:GUESS and domain:neutral.

BTW, I reject on FAIL by default partly as a service to senders. That is after
all a motivation for publishing SPF - to reduce bounced forgeries. The system
would work just as well to let the FAIL result define itself - even an SPF
record that got pass and fail accidentally reversed would work as intended :-)

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
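
The per-domain, per-SPF-result reputation lookup described in the message above, as an added example (not code from the post, pymilter or the GOSSiP server). It parses the reputation-server log lines quoted there and applies a reject policy keyed on (domain, SPF result); the function names, the thresholds and the fail_exceptions set are assumptions, and the scores are read from the log rather than recomputed.

```python
import re

# Reputation-server log lines copied from the message above.
SAMPLE_LOG = """\
2007Jun25 17:49:39 Q:orvisnews.com:pass:1:Lc4STKck.WiLGb0EqmXA$Q
2007Jun25 17:49:39 ham: 113, spam: 0
2007Jun25 17:49:39 ID orvisnews.com:pass reputation: 76.159416,10.994643
2007Jun25 17:49:39 PREPEND X-GOSSiP: Lc4STKck.WiLGb0EqmXA$Q,76,10
2007Jun25 17:43:46 Q:jacobsfam.com:neutral:1:2R8V1yPWsoK.hwVnOA.H3g
2007Jun25 17:43:46 ham: 0, spam: 26
2007Jun25 17:43:46 ID jacobsfam.com:neutral reputation: -76.159416,2.072514
2007Jun25 17:43:46 REJECT X-GOSSiP: 2R8V1yPWsoK.hwVnOA.H3g,-76,2
"""

QUERY = re.compile(r"Q:([^:\s]+):(\w+):\d+:(\S+)$")
COUNTS = re.compile(r"ham: (\d+), spam: (\d+)$")
REPUTATION = re.compile(r"reputation: (-?[\d.]+),([\d.]+)$")
ACTION = re.compile(r"(PREPEND|REJECT) X-GOSSiP: ")

def parse_log(text):
    """Return {(domain, spf_result): record}; reputation is keyed by the pair."""
    records, cur = {}, None
    for line in text.splitlines():
        if m := QUERY.search(line):
            cur = records.setdefault((m[1].lower(), m[2].lower()), {"cookie": m[3]})
        elif cur is None:
            continue  # ignore lines that precede the first query
        elif m := COUNTS.search(line):
            cur["ham"], cur["spam"] = int(m[1]), int(m[2])
        elif m := REPUTATION.search(line):
            cur["score"], cur["confidence"] = float(m[1]), float(m[2])
        elif m := ACTION.search(line):
            cur["logged_action"] = m[1]
    return records

def decide(records, domain, spf_result, reject_below=-50.0, min_confidence=2.0,
           fail_exceptions=frozenset()):
    """Reject on fail by default; otherwise let message history decide (assumed thresholds)."""
    domain, spf_result = domain.lower(), spf_result.lower()
    if spf_result == "fail":
        return "accept" if domain in fail_exceptions else "reject"
    rec = records.get((domain, spf_result))
    if rec and rec.get("score", 0.0) <= reject_below and rec.get("confidence", 0.0) >= min_confidence:
        return "reject"
    return "accept"
```

Because the key is the pair, a bad history for jacobsfam.com:neutral does not touch jacobsfam.com:pass, which matches the behaviour described in the message.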
