[afnog] Re: AOL rejecting hosts with no rDNS?

Alan Barrett apb at cequrux.com
Tue Jun 29 10:56:02 EAT 2004


On Tue, 29 Jun 2004, Brian Candler wrote:
> If I am a spammer and I send through (let's say) AOL, SPF lets me send
> out MAIL FROM:<> any domain which permits AOL's mail relays as its
> sender.

Yes.  So, as the manager of the foo.example domain, I can prevent you
from sending mail through AOL's mail relays that purports to be from
anybody at foo.example.

> So I can send out:
> 
>    -  MAIL FROM:<>
>    -  MAIL FROM:<anyrandomuser at aol.com>
>    -  MAIL FROM:<anyuser at domain>  where domain belongs to a AOL customer
>    -  MAIL FROM:<anyuser at domain>  where domain does not list SPF policy

Since this is (hypothetically) going through AOL's relays, AOL can
impose much stricter limits than are implied by the SPF records.

> I'm sure there are plenty of people like me who think that SPF is a
> stupid idea, but even if I decide not to implement it, people who *do*
> implement it will break my mail.

If you are sending mail that purports to be from a user @ a domain that
you control, then just do nothing, and the absence of SPF records will
cause your mail to not be blocked (at least, not yet).

If you are sending mail that purports to be from a user @ a domain that
you do not control, then SPF records allow the controller of that domain
to publish SPF records that request other people to block your mail.  If
the domain's controller makes such a request by mistake, then ask them
to fix their mistake.

If you use an email address in the ${emailprovider} domain, and if the
people in charge of that domain say "starting from ${date}, all mail
purporting to be from ${username}@${emailprovider} must be relayed
through our servers and authenticated using ${authmethod}.  We will
publish SPF records that have the intent of blocking mail that does not
satisfy this policy", then you have to comply with their policy, or stop
using them as your email provider, or fight them (possibly in court).

> That's just incredibly impolite.

Well, yes, maybe it would be incredibly impolite if your email service
provider published SPF records in a way that broke your mail.  But don't
blame anybody other than your email service provider for that.

> Now, if SPF stood a chance in a million of reducing spam, breaking my
> mail might be worth it, but it doesn't.

SPF stands a chance of reducing joe jobs.  Your email service provider
has an interest in making it difficult for people to forge their domain
name in joe jobs.

> I have not yet seen a coherent view of "the end game"

Nor have I.

--apb (Alan Barrett)
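The policy semantics argued over in this thread (a domain that publishes no record is not blocked; a domain's controller can publish a record that asks receivers to reject mail from anywhere but the listed relays; a null `MAIL FROM:<>` does not escape the check, because RFC 7208 evaluates the HELO domain in that case) can be seen directly by running a small evaluator. The following is an added example, not code from the afnog thread or from any SPF implementation; all domains, records and addresses are hypothetical and live in a constructed in-memory DNS table so the code runs offline. Only the `ip4`, `ip6`, `a`, `include` and `all` mechanisms are implemented, and modifiers such as `redirect=` are skipped.

```python
"""Minimal SPF (RFC 7208) evaluator over a constructed, in-memory DNS table.

Added example, not code from the afnog thread.  Domains, records and
addresses are hypothetical; only ip4/ip6/a/include/all are implemented,
and modifiers (redirect=, exp=) are ignored.
"""
import ipaddress

# Constructed DNS data: TXT records (where SPF is published) and A records.
DNS = {
    # the (hypothetical) provider's relay list
    "_spf.aol.example": {"txt": ["v=spf1 ip4:205.188.0.0/16 ip6:2001:db8:a0::/48 -all"]},
    # foo.example's controller: only the provider's relays may send as us; reject the rest
    "foo.example": {"txt": ["v=spf1 include:_spf.aol.example -all"]},
    # bar.example's controller: our own host; anything else is suspect but not rejected
    "bar.example": {"txt": ["v=spf1 a ~all"], "a": ["192.0.2.10"]},
    # a domain that publishes no SPF policy at all
    "nospf.example": {"txt": ["unrelated text"]},
    # a broken policy: include of a domain that has no SPF record
    "broken.example": {"txt": ["v=spf1 include:nospf.example -all"]},
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10


def lookup_spf(domain):
    """Return the domain's single v=spf1 TXT record, or None if it has none."""
    recs = [t for t in DNS.get(domain, {}).get("txt", []) if t.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None


def check_host(ip, domain, depth=0):
    """Evaluate domain's SPF policy for sending address ip (RFC 7208 check_host())."""
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"  # no policy published: the receiver should act as if SPF did not exist
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if "=" in term:  # modifier (redirect=, exp=): not handled in this example
            continue
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # ipaddress returns False for a v4/v6 version mismatch, which is what we want
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            hosts = DNS.get(arg or domain, {}).get("a", [])
            matched = any(addr == ipaddress.ip_address(h) for h in hosts)
        elif mech == "include":
            sub = check_host(ip, arg, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"  # RFC 7208 s5.2: included domain has no or an invalid record
            matched = sub == "pass"  # fail/softfail/neutral inside the include: no match, keep going
        else:
            return "permerror"  # unknown mechanism
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # ran off the end with no "all" term


def spf_check(ip, mail_from, helo):
    """Pick the identity to check and evaluate it.

    RFC 7208 s2.4: an empty MAIL FROM:<> (a bounce) is checked as
    postmaster@<HELO domain>, so a null sender does not bypass the policy.
    """
    mail_from = mail_from.strip("<>")
    domain = helo if mail_from == "" else mail_from.rsplit("@", 1)[-1]
    return domain, check_host(ip, domain)


if __name__ == "__main__":
    for ip, mf, helo in [
        ("205.188.1.2", "<user@foo.example>", "relay.aol.example"),  # provider relay: permitted
        ("198.51.100.7", "<user@foo.example>", "spammer.example"),   # anywhere else: rejected
        ("198.51.100.7", "<>", "foo.example"),                       # null sender: HELO domain checked
        ("198.51.100.7", "<user@nospf.example>", "x.example"),       # no policy published: none
    ]:
        print(ip, mf, helo, "->", spf_check(ip, mf, helo))
```

Two results matter for the argument above: `nospf.example` yields `none`, so a domain that "does nothing" is not blocked, while `foo.example` yields `fail` for any address outside the included relay range, which is exactly the "request other people to block your mail" that a domain's controller publishes. The `broken.example` case shows the mistake the message tells you to ask the controller to fix: an include of a domain with no record is a permanent error, not a pass.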
