Mailing List Archive

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Stuart D. Gathman wrote:
> Does anyone have any stats on whether there are enough spf2.0/mfrom
> records out there to be worth checking for? I don't care about
> spf2.0/pra (not being much interested in protecting Resent-Sender),
> but spf2.0/mfrom is equivalent to SPF, and the more SPF policies the
> better.

- From a rather large e-mail database (whose exact source and nature I can't
disclose due to an NDA, but it has > 100 million messages from the last
few months):

(Fixed-width font required for proper viewing!)


# domains with "spf2.0/...,mfrom,..."
--------------------------------------- ~= 0.0052
# domains with "v=spf1" or "spf2.0"


# messages with "spf2.0/...,mfrom,..."
---------------------------------------- ~= 0.0064
# messages with "v=spf1" or "spf2.0"


I'll leave drawing conclusions up to you ...

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHTffRwL7PKlBZWjsRAmN2AJsFIS7VkPzN4oHNP/9yzOQbdQC25gCgpkeI
kJjgidEi1xTiV2npfgCeIOA=
=KPAW
-----END PGP SIGNATURE-----

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=69914444-8cc8a4
Powered by Listbox: http://www.listbox.com

Julian Mehnle wrote:

> # domains with "spf2.0/...,mfrom,..."
> --------------------------------------- ~= 0.0052
> # domains with "v=spf1" or "spf2.0"

> # messages with "spf2.0/...,mfrom,..."
> ---------------------------------------- ~= 0.0064
> # messages with "v=spf1" or "spf2.0"

> I'll leave drawing conclusions up to you ...

...that's actually hard, if it means (any mfrom)/(any SPF)
with results of less than 200:1 for (any spf)/(any mfrom).

"any spf" includes "only pra", and of course "any mfrom"
is impossible for "only pra". It would be clearer if you
have an idea about "any mfrom not matching v=spf1", also
counting obvious "no v=spf1 at all" cases.

One reason why we should remove "mfrom" from the picture
is the ugly situation of different "mfrom" and "v=spf1"
policies.

Frank

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=69970300-9c11a1
Powered by Listbox: http://www.listbox.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frank Ellermann wrote:
> Julian Mehnle wrote:
> > # domains with "spf2.0/...,mfrom,..."
> > --------------------------------------- ~= 0.0052
> > # domains with "v=spf1" or "spf2.0"
> >
> > # messages with "spf2.0/...,mfrom,..."
> > ---------------------------------------- ~= 0.0064
> > # messages with "v=spf1" or "spf2.0"
> >
> > I'll leave drawing conclusions up to you ...
>
> ...that's actually hard, if it means (any mfrom)/(any SPF) with results
> of less than 200:1 for (any spf)/(any mfrom).
>
> "any spf" includes "only pra", and of course "any mfrom" is impossible
> for "only pra". It would be clearer if you have an idea about "any
> mfrom not matching v=spf1", also counting obvious "no v=spf1 at all"
> cases.

Sorry, Frank, but I am having serious trouble understanding what you are
trying to say here. Can you please reword your thoughts in a more direct
manner?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHTpkuwL7PKlBZWjsRAkKiAJwNHfQbJ8VuhmqDzZtyTfisWjaBeACgip9a
IJ1qDNFPmUvpoHKm2aoTQEQ=
=BijI
-----END PGP SIGNATURE-----

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=70088404-2e5f1b
Powered by Listbox: http://www.listbox.com

Julian Mehnle wrote:

> I am having serious trouble understanding what you are trying
> to say here. Can you please reword your thoughts in a more
> direct manner?

Wrt to a _given_ spf2.0/mfrom there are four cases:

1 - Only spf2.0/mfrom, no PRA, no v=spf1
2 - sf2.0/mfrom,pra (or v.v.), no v=spf1
3 - Any kind of spf2.0/mfrom, and v=spf1 matches it
4 - Any kind of spf2.0/mfrom, and v=spf1 different

Three additional cases without any spf2.0/mfrom:

5 - v=spf1, no PRA
6 - v=spf1 and spf2.0/pra
7 - Only PRA

Your statistics divides (1+2+3+4) / (1+2+3+4+5+6+7).

We're not interested in 7 (only PRA) for a comparison
of the spf2.0/mfrom and v=spf1 deployment.

If we're looking for trouble, that's any mfrom without
a matching v=spf1, (1+2+4) / (1+2+3+4).

Unfortunately I had no time this week to work on the
op=pra draft, I intend to deprecate it together with
any spf2.0/mfrom leaving only v=spf1 and spf2.0/pra.

The two years for the "experiments" ended three months
ago, it's time to start the cleanup.

Checking the IETF Last Call version of 2821bis, TLDs
are now permitted, no more "one dot only" rule. I'll
delete the corresponding wannabe 4408-erratum. We're
down to one unclear case.

Frank

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/735/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/735/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311532&id_secret=71353458-25d1e4
Powered by Listbox: http://www.listbox.com