Mailing List Archive

SPF, Postfix and smarthosting
I am running a mail server from my DSL connection for my domain that is used
for private and family users. My dsl provider has cut off all outgoing and
incoming port 25 access to deal with exploited machines and spammers. I have
gotten around the outgoing block by relaying mail through the ISP mail
servers and adding them as an authorized mailer in my SPF record. That
appears to work just fine.

However, incoming mail has to be smart relayed through easydns mail servers
since they have to reroute around the port 25 blockage. So, it would appear
to me that there is no way for me to reject mail due to SPF since all
incoming mail will be routed through easydns first. Is this correct? Is
there a way for me to implement SPF while still having mail come through
another mail server first?

--
Bryan Phinney

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com
Re: SPF, Postfix and smarthosting [ In reply to ]
Hi Bryan,

On Mon, Aug 23, 2004 at 11:27:19AM -0400, Bryan Phinney wrote:
> However, incoming mail has to be smart relayed through easydns mail servers
> since they have to reroute around the port 25 blockage. So, it would appear
> to me that there is no way for me to reject mail due to SPF since all
> incoming mail will be routed through easydns first. Is this correct? Is
> there a way for me to implement SPF while still having mail come through
> another mail server first?

You could still check the spf records, but as was pointed out on the
discuss list there are a couple of problems here:

- You can't reject, and sending off a bounce to the MAIL FROM address if
spf fails is a bad thing, since the MAIL FROM was probably forged.
- You are delaying the SPF check, if this delay is significant, the
spf records might have changed and your check is not against the
records that the sender intended.
- You can, taking into account what I said above, use the spf result
as extra input to your spam filtering. It's far from ideal, but
at least is something.

The best thing to do, of course, would be to either change to another
provider if that's an option or find yourself an spf-checking receiving
mail server.

Koen

--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/

RE: SPF, Postfix and smarthosting [ In reply to ]
I'm not sure if that's totally accurate; you should probably look at the
header info to see how it's being relayed in. People send mail through
smart hosts all the time but the SENDER IP is always still there along
with the SENDERS domain. Unless easydns is rewriting the mail header?!
It should be accurate.

Re: SPF, Postfix and smarthosting [ In reply to ]
On Monday 23 August 2004 11:53 am, Koen Martens wrote:

> You could still check the spf records, but as was pointed out on the
> discuss list there are a couple of problems here:
>
> - You can't reject, and sending off a bounce to the MAIL FROM address if
> spf fails is a bad thing, since the MAIL FROM was probably forged.

I don't think that bouncing to the FROM is necessarily a bad thing anymore.
It lets someone know that they are being forged so that they can file a
complaint through CAN-SPAM, at the least, it notifies them so that they can
setup SPF records for themselves.

At any rate, I am not at all sure that a physical bounce goes out through
EasyDNS, they must just drop the message into the bitbucket, much the same as
I would do with a reject.

> - You are delaying the SPF check, if this delay is significant, the
> spf records might have changed and your check is not against the
> records that the sender intended.
> - You can, taking into account what I said above, use the spf result
> as extra input to your spam filtering. It's far from ideal, but
> at least is something.

Well, SpamAssassin will support SPF at some future point and I use that now
but I would rather do it at the mail server level. If that is not possible
given my current setup, then I will have to live with it.

> The best thing to do, of course, would be to either change to another
> provider if that's an option or find yourself an spf-checking receiving
> mail server.

The server is still for my small, private domain. It is not widely used and I
can't justify the cost for business level service for this. So, I am stuck
with this current setup for now. Perhaps, EasyDNS will begin to drop
messages per SPF once it is more widely implemented.
--
Bryan Phinney

RE: SPF, Postfix and smarthosting [ In reply to ]
Maybe you can switch to an ISP that allows inbound SMTP, bellsouth.net
DSL in Florida (where I am) allows us all flexibility to send/receive on
smtp/25, whereas Earthlink forces you to redirect.

RE: SPF, Postfix and smarthosting [ In reply to ]
> -----Original Message-----
> From: owner-spf-help@v2.listbox.com
> [mailto:owner-spf-help@v2.listbox.com]On Behalf Of Bryan Phinney
> Sent: Monday, August 23, 2004 12:11 PM
> To: Koen Martens; spf-help@v2.listbox.com
> Subject: Re: [spf-help] SPF, Postfix and smarthosting
>
>
> On Monday 23 August 2004 11:53 am, Koen Martens wrote:
>
> > You could still check the spf records, but as was pointed out on the
> > discuss list there are a couple of problems here:
> >
> > - You can't reject, and sending off a bounce to the MAIL FROM address if
> > spf fails is a bad thing, since the MAIL FROM was probably forged.
>
> I don't think that bouncing to the FROM is necessarily a bad
> thing anymore.
> It lets someone know that they are being forged so that they can file a
> complaint through CAN-SPAM, at the least, it notifies them so
> that they can setup SPF records for themselves.
>
As a current beneficiary (or victim) of large numbers of from bounces due to
spammers, let me say that I do NOT appreciate them.

First, I already have an SPF record, that's why you are able to detect the
forgery.

Second, if I were to try and file complaints for every bounce from a forger
that I get, it would be a full time job.

Third, CAN-SPAM only applies to US senders. Most of the spam I see is sent
from servers outside the US (it is a big world out there).

If you want to do something with the data from SPF fail messages, don't send
me a bounce in the hopes that I will invest my time in reporting it to
someone. I won't. Invest your time in reporting the messages to your
favorite IP based DNSBL. BTW, Spamcop (my personal favorite) will not take
reports based on bounces. You got the spam, it's you who have to report it.

Cutting down on bounces due to forged messages is one of my (and I know I'm
not alone here) primary hopes for SPF. When it comes to bounces to the from
address due to an SPF fail after the message has been accepted, please, just
say no.

Scott Kitterman


Re: SPF, Postfix and smarthosting [ In reply to ]
> On Monday 23 August 2004 11:53 am, Koen Martens wrote:

> I don't think that bouncing to the FROM is necessarily a bad thing
> anymore.

I do.

Vic.

Re: SPF, Postfix and smarthosting [ In reply to ]
On Monday 23 August 2004 12:14 pm, Benjamin Zachary wrote:
> Maybe you can switch to an ISP that allows inbound SMTP, bellsouth.net
> DSL in Florida (where I am) allows us all flexibility to send/receive on
> smtp/25, whereas Earthlink forces you to redirect.

I am with Bellsouth in Atlanta. If you are currently getting smtp/25, you
will likely lose it at some point. Bellsouth told me that they were shutting
it down for all residential DSL connections. They have already done that for
Atlanta.
--
Bryan Phinney

Re: SPF, Postfix and smarthosting [ In reply to ]
On Monday 23 August 2004 12:07 pm, Benjamin Zachary wrote:
> I'm not sure if that's totally accurate; you should probably look at the
> header info to see how it's being relayed in. People send mail through
> smart hosts all the time but the SENDER IP is always still there along
> with the SENDERS domain. Unless easydns is rewriting the mail header?!
> It should be accurate.

Senders IP and domain are listed which works for filtering after you get the
message but since the connecting IP is the relay server, my MTA always sees
that as valid since they are authorized to inject mail into my server.

I think that I pretty much knew the answer to this before I asked but wanted
to make sure I wasn't being particularly clueless and missing something
obvious.
--
Bryan Phinney
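
Added example, not part of the thread or any poster's setup: a sketch of the post-relay check discussed above, which walks the Received headers down to the first client outside the trusted relay, evaluates SPF for that IP, and returns a filter score instead of rejecting or bouncing. The relay range, domains, SPF records, score weights and function names are constructed, DNS is replaced by an in-memory table, and Return-Path is assumed to carry the envelope MAIL FROM.

```python
import email
import ipaddress
import re

# Constructed stand-ins: a hypothetical relay range and SPF TXT records that a
# real filter would fetch from DNS at check time.
TRUSTED_RELAYS = [ipaddress.ip_network("192.0.2.0/28")]
SPF_TXT = {
    "example.org": "v=spf1 ip4:198.51.100.0/24 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:203.0.113.25 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
SCORES = {"fail": 3.0, "softfail": 1.5, "pass": -0.5}  # constructed weights
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # IPv4 only


def handoff_ip(msg):
    """Return the IP that connected to the trusted relay, or None.

    Received headers are prepended, so the top one was written by our own MTA.
    Walk down only while the recorded client is a trusted relay; everything
    below the first untrusted client was supplied by the sender and is ignored.
    """
    for header in msg.get_all("Received", []):
        match = BRACKETED_IP.search(header)
        if match is None:
            return None
        try:
            addr = ipaddress.ip_address(match.group(1))
        except ValueError:
            return None
        if not any(addr in net for net in TRUSTED_RELAYS):
            return str(addr)
    return None


def check_spf(ip, domain, depth=0):
    """Evaluate ip4/ip6/include/all against the constructed record table."""
    record = SPF_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            inner = check_spf(ip, arg, depth + 1)
            if inner == "none":
                return "permerror"
            matched = inner == "pass"
        else:
            # a, mx, exists, ptr, redirect need DNS and are not handled in
            # this sketch; answer neutral rather than risk a wrong fail.
            return "neutral"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def spf_advice(raw):
    """Score a stored message; the result feeds a spam filter, never a bounce."""
    msg = email.message_from_string(raw)
    ip = handoff_ip(msg)
    sender = (msg.get("Return-Path") or "").strip().strip("<>")
    if ip is None or "@" not in sender:
        return {"ip": ip, "sender": sender, "result": "none", "score": 0.0}
    result = check_spf(ip, sender.rsplit("@", 1)[1].lower())
    return {"ip": ip, "sender": sender, "result": result,
            "score": SCORES.get(result, 0.0)}


def sample(client_ip):
    """Constructed message as stored after passing through the relay."""
    return (
        "Return-Path: <alice@example.org>\n"
        "Received: from relay.example.net (relay.example.net [192.0.2.5])\n"
        "\tby home.example.com (Postfix); Mon, 23 Aug 2004 12:00:02 -0400\n"
        f"Received: from unknown (unknown [{client_ip}])\n"
        "\tby relay.example.net; Mon, 23 Aug 2004 12:00:01 -0400\n"
        # Sender-supplied line claiming an authorized IP; must be ignored.
        "Received: from mail.example.org (mail.example.org [198.51.100.7])\n"
        "\tby unknown; Mon, 23 Aug 2004 11:59:00 -0400\n"
        "From: alice@example.org\n"
        "Subject: constructed sample\n"
        "\n"
        "body\n"
    )


if __name__ == "__main__":
    for ip in ("203.0.113.99", "198.51.100.7", "203.0.113.25"):
        print(spf_advice(sample(ip)))
```
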

Re: SPF, Postfix and smarthosting [ In reply to ]
On Monday 23 August 2004 06:30 pm, Vic wrote:
> > On Monday 23 August 2004 11:53 am, Koen Martens wrote:
> >
> > I don't think that bouncing to the FROM is necessarily a bad thing
> > anymore.
>
> I do.

Well, I reject for invalid recipients already. I get perhaps 2-3 spams per
week currently and most of those are going to the admin accounts on the box
which are handled by me. They would probably be rejected by SPF since I
suspect that they are forged. I really don't think that my contribution to
network congestion amounting to 2-3 messages per week is going to cause
significant damage to the Internet or any particular person. However, the
discussion is moot since I can't reject based on SPF criteria.
--
Bryan Phinney

Re: SPF, Postfix and smarthosting [ In reply to ]
On Monday 23 August 2004 12:23 pm, spf@kitterman.com wrote:

> As a current beneficiary (or victim) of large numbers of from bounces due
> to spammers, let me say that I do NOT appreciate them.

First of all, I don't physically mail out bounces, I simply reject. My
assumption is that the relaying server sends a notification or bounce based
on the REJECT result. Since there are only one or two messages currently
arriving that are invalid based on SPF, I would prefer to REJECT with a
standard 55* code and let the server do what it wants with the result. If
that is not possible, I will just bitbucket them. At some point, I hope that
my relay mail server will start to reject based on SPF, and then this won't
be an issue at all.

If you had sent a legitimate message to my domain and misaddressed the
recipient, I assume you would want a bounce to let you know that the message
did not go through. I could be wrong, perhaps you would just prefer to
contact the person by telephone to confirm that they had gotten the message.
Either way, you get a bounce, either from the originating server telling you
the message was REJECTed, or from the relay server telling you the exact same
thing.

I could be wrong but I think that those are pretty standard for any large mail
gateway that must relay mail through to smaller individual mail servers.
Regardless of that, my personal domain is just that, a personal one that
serves a very small number of persons. Spam is a very minor problem and the
number of rejections that get sent are very small, amounting to 2-3 per week.
Trust me, my server is not possibly a major concern to you or anyone else in
any way. AOL, perhaps, Hotmail, Yahoo, certainly not me.

> If you want to do something with the data from SPF fail messages, don't
> send me a bounce in the hopes that I will invest my time in reporting it to
> someone. I won't. Invest your time in reporting the messages to your
> favorite IP based DNSBL. BTW, Spamcop (my personal favorite) will not take
> reports based on bounces. You got the spam, it's you who have to report
> it.

Since I can not reject messages based on SPF, you won't be getting any bounces
from me. However, if you think that reporting to DNSBL's are the answer, you
might want to check your own IP to see the result:

http://www.dnsstuff.com/tools/ip4r.ch?ip=68.48.133.222

Your IP is listed in Spews at level 1, SORBS, SPAMBAG and a few others. I
wouldn't think that someone whose IP is listed in several DNSBL's would be a
fan of black lists but I could be wrong. However, given the level of
listings on your IP, I wouldn't think that bounces from spammers forging the
From would be your biggest problem.
--
Bryan Phinney

RE: SPF, Postfix and smarthosting [ In reply to ]
> -----Original Message-----
> From: owner-spf-help@v2.listbox.com
> [mailto:owner-spf-help@v2.listbox.com]On Behalf Of Bryan Phinney
> Sent: Tuesday, August 24, 2004 8:13 AM
> To: spf-help@v2.listbox.com
> Subject: Re: [spf-help] SPF, Postfix and smarthosting
>
>
> On Monday 23 August 2004 12:23 pm, spf@kitterman.com wrote:
>
> > As a current beneficiary (or victim) of large numbers of from bounces due
> > to spammers, let me say that I do NOT appreciate them.
>
> First of all, I don't physically mail out bounces, I simply reject. My
> assumption is that the relaying server sends a notification or bounce based
> on the REJECT result. Since there are only one or two messages currently
> arriving that are invalid based on SPF, I would prefer to REJECT with a
> standard 55* code and let the server do what it wants with the result. If
> that is not possible, I will just bitbucket them. At some point, I hope that
> my relay mail server will start to reject based on SPF, and then this won't
> be an issue at all.

As I understand it, to reject during the actual SMTP session is not a
problem since you are communicating with the actual SMTP server that is
sending the message. If it's a spammer/zombie, I am very unlikely to ever
see a reject message because of that.

However, when you reject to your upstream SMTP server (which is not the one
that sent the message), where do they send the reject? I believe I'll get
that one.

>
> If you had sent a legitimate message to my domain and misaddressed the
> recipient, I assume you would want a bounce to let you know that the message
> did not go through. I could be wrong, perhaps you would just prefer to
> contact the person by telephone to confirm that they had gotten the message.
> Either way, you get a bounce, either from the originating server telling you
> the message was REJECTed, or from the relay server telling you the exact same
> thing.

Yes, of course. Perhaps I wasn't clear. I meant that if you accept a
message and then bounce it because of an SPF fail, then that means that you
will be guaranteed to be sending me a bounce for a message I didn't send.

The only exception to that would be if I had a misconfigured SPF record. In
that case, the first time I send to an SMTP server doing SPF checking during
the SMTP session, I'll get the reject since I sent it. Since you are
downstream in the process, the only way that you can inform me of a problem
in my SPF record is to also tell me every time you get a forgery. Please
don't. I get plenty of those every day.
>
> I could be wrong but I think that those are pretty standard for any large mail
> gateway that must relay mail through to smaller individual mail servers.
> Regardless of that, my personal domain is just that, a personal one that
> serves a very small number of persons. Spam is a very minor problem and the
> number of rejections that get sent are very small, amounting to 2-3 per week.
> Trust me, my server is not possibly a major concern to you or anyone else in
> any way. AOL, perhaps, Hotmail, Yahoo, certainly not me.

No, your domain specifically isn't a concern, my comment was more intended
for people reading the list (and the archives) to try and figure out how to
run SPF. One domain doing it the way you suggest isn't an issue. If
everyone did it that way, then it would defeat one of the major benefits of
SPF for the domain owner.
>
> > If you want to do something with the data from SPF fail messages, don't
> > send me a bounce in the hopes that I will invest my time in reporting it to
> > someone. I won't. Invest your time in reporting the messages to your
> > favorite IP based DNSBL. BTW, Spamcop (my personal favorite) will not take
> > reports based on bounces. You got the spam, it's you who have to report
> > it.
>
> Since I can not reject messages based on SPF, you won't be getting any bounces
> from me. However, if you think that reporting to DNSBL's are the answer, you
> might want to check your own IP to see the result:
>
> http://www.dnsstuff.com/tools/ip4r.ch?ip=
>
> Your IP is listed in Spews at level 1, SORBS, SPAMBAG and a few others. I
> wouldn't think that someone whose IP is listed in several DNSBL's would be a
> fan of black lists but I could be wrong. However, given the level of
> listings on your IP, I wouldn't think that bounces from spammers forging the
> From would be your biggest problem.
>
That would be interesting except that the IP address that you listed is the
address of my cable modem. Not the address of the SMTP server I've sent the
message from.

Yes, I've looked. All those listings are either because the IP is near an
IP that spammed or because it's a dynamic IP. If I was planning on running
my own MTA, I would be worried. Since I'm not, it really doesn't matter.

BTW, you were the one who suggested that I'd like to get the bounce so I
could report it under CAN-SPAM. DNSBLs aren't perfect (I wouldn't even say
they are good, just better than the alternatives), but the notion that
CAN-SPAM is going to affect anything is a bit odd. As a domain owner that
does not provide e-mail services to anyone, I do not believe that I even
have standing under CAN-SPAM to make a complaint.

So, to bring this back on topic, just a little, as a domain owner, SPF is a
good vehicle for me to protect my reputation once RHSBLs get going and
(hopefully) to cut down on the blow back from forgers a bit in the mean
time.

Scott Kitterman

Re: SPF, Postfix and smarthosting [ In reply to ]
On Tuesday 24 August 2004 08:34 am, spf@kitterman.com wrote:

> As I understand it, to reject during the actual SMTP session is not a
> problem since you are communicating with the actual SMTP server that is
> sending the message. If it's a spammer/zombie, I am very unlikely to ever
> see a reject message because of that.
>
> However, when you reject to your upstream SMTP server (which is not the one
> that sent the message), where do they send the reject? I believe I'll get
> that one.

If it was the From in the body of the message, I don't think that you will get
anything. If it was the From that was sent as the mail header, I do think
that you will get that one.

> > Either way, you get a bounce, either from the originating server
> > telling you
> > the message was REJECTed, or from the relay server telling you
> > the exact same
> > thing.
>
> Yes, of course. Perhaps I wasn't clear. I meant that if you accept a
> message and then bounce it because of an SPF fail, then that means that you
> will be guaranteed to be sending me a bounce for a message I didn't send.

Or one that you did send in the case of a recipient does not exist REJECT.
Either way, you end up getting a bounce, either from the originating server
or sent back from the relay server. I don't think that there is any way for
you to get one but not the other.

Again, most of this is merely academic since there is no way to REJECT based
on SPF if the mail is accepted by a relay. But, in the case of invalid
recipient, the end result is the same. The only other way for me to
configure the server is to accept all recipients and then trash them
directly, in which case, you get no notification if you mis-addressed a
recipient.

So, which would be the preferred configuration for the rest of the Internet?
Reject with 55* or simply accept all mail and /dev/null it?

> Please don't. I get plenty of those every day.

That is academic. But if a spammer does a spam run against dictionary lists
on my server, do I REJECT or simply /dev/null everything in which case the
one message you sent doesn't get a return notification?

If my server started getting hundreds of hits from a spammer, I would probably
stop rejecting and start /dev/nulling since it would be obvious what was
happening. In the case of one or two mails, I currently prefer to reject
which means that a notification is probably sent out.

> No, your domain specifically isn't a concern, my comment was more intended
> for people reading the list (and the archives) to try and figure out how to
> run SPF. One domain doing it the way you suggest isn't an issue. If
> everyone did it that way, then it would defeat one of the major benefits of
> SPF for the domain owner.

I figure that there aren't that many people dealing with my current
restriction on smtp/25 incoming blocked. Even if outgoing was blocked but
incoming was allowed, I would still be able to operate an MTA without any
relay. I do think it is braindead for an ISP to block incoming port 25 since
that is not contributing anything to the spam problem, but there you have it.

--
Bryan Phinney

RE: SPF, Postfix and smarthosting [ In reply to ]
I am curious as to why many of the emails I receive from the list request a
read confirmation. Are people trying to harvest email addresses?

Has anybody else seen this? Can this be blocked?

Please excuse my paranoia if unfounded.

Regards,

John

Re: SPF, Postfix and smarthosting [ In reply to ]
I think this will be my final post for today, so enjoy it :)

On Tue, Aug 24, 2004 at 09:39:43AM -0400, Bryan Phinney wrote:
>
> [...]
>
> Or one that you did send in the case of a recipient does not exist REJECT.
> Either way, you end up getting a bounce, either from the originating server
> or sent back from the relay server. I don't think that there is any way for
> you to get one but not the other.
>
> [...]
>
> That is academic. But if a spammer does a spam run against dictionary lists
> on my server, do I REJECT or simply /dev/null everything in which case the
> one message you sent doesn't get a return notification?
>
> [...]
>

Just REJECT, the spammer is not very likely to generate a bounce message
to the address he himself forged, nor is the virus that forges addresses.

Koen

--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/

Re: SPF, Postfix and smarthosting [ In reply to ]
How does one file a complaint with CAN-SPAM? :-)
--
Steve

On Mon, 23 Aug 2004, Bryan Phinney wrote:

> On Monday 23 August 2004 11:53 am, Koen Martens wrote:
>
> I don't think that bouncing to the FROM is necessarily a bad thing
> anymore.
> It lets someone know that they are being forged so that they can file a
> complaint through CAN-SPAM, at the least, it notifies them so that they can
> setup SPF records for themselves.
>
