Domain: infinitepenguins.net
Stories and comments across the archive that link to infinitepenguins.net.
Comments · 12
-
Re:Publish SPF now, be the 126519th...Actually, I have a list of around 650,000 domains in
.COM, .NET and .ORG that have SPF records. These should show up in the SPF Adoption Roll Real Soon Now. Surveys of the .DE and .FR TLDs have also been done, but I don't have the results of those.I'd like to know how many of those domaines actually are applying effective policies.
In the survey of the
.COM domains, I found the top ten SPF records to be:159416 "v=spf1 mx -all"
147883 "v=spf1 -all"
51245 "v=spf1 ip4:10.0.0.0/24 ip4:10.0.0.0/24 ?all"
28206 "v=spf1 a:smtp.example.net -all"
21437 "v=spf1 mx ip4:10.0.0.0/19 ~all" ""
19733 "v=spf1 mx ~all"
15245 "v=spf1 a:smtp.example.com ~all"
9488 "v=spf1 ip4:10.0.0.0/24 mx -all"
6371 "v=spf1 ip:10.0.0.0/24 ip:10.0.0.0/27 ip:10.0.0.0/24 ip:10.0.0.0/27 ip:10.0.0.0/27 ip:10.0.0.0/27 ip:10.0.0.0/27 ip:10.0.0.0/27 ?all"
5842 "v=spf1 ip4:10.0.0.0/24 -all"
(I have munged the domain names and IP addresses for privacy reasons.)As you can see, it is very common to define strict SPF record with the "-all" at the end. Those domains that use the softfail option of "~all" are somewhat more lax, but still moving in the right direction.
The complete survey results are available to people who follow the IETF MARID list and/or the SPF discuss list. I'm not going to post a link to them here 'cause I don't want to be slashdotted.
-
Publish SPF now, be the 126519th...If you want to advocate SPF, publish a SPF record for your domain, and then register it. Already, 126518 domains have published SPF records (at the time of this writing).
By the time the FTC's summit comes around, it's looking like SPF is going to be pretty well established.
-
Re:Missing from the rejection notices...
It doesn't take much digging to find out. The ASF is still supporting Meng Wong's "Classic SPF" via a plugin in SpamAssassin, I'd assume something similar will apply to JAMES. I don't see any licensing concerns that would stop Debian and the rest adopting a similar stance. Also, since Classic SPF is appears to be gaining momentum at a considerable rate, even if it is most by spammers, it would be sensible to discard all that effort in the official standard.
-
Spammers don't send their spamSpammers don't send spam, unpatched windows boxes do. Loads of folk here must be getting calls form folk saying "my net connection's slow" you take a look and the machine is infested.
All this means is that, as well as the net connection being slow, the processor will be running overtime calculating the checksums. The spammers will send as many emails as ever.
SPF has to be one of the easiest measures we can take to reduce spam. Spamassassin is about to hit 3.0 RC1 and many more of us will be able to easily associate scores with SPF records. As soon as mail has to originate from the correct domain we get better spam checking and a paper trail for the authorities to follow. If you don't have SPF records for your domain, head on over here or here and set them up.
-
DogfoodI'll believe Microsoft is serious about their Caller-ID when they actually implement it for their own domain name.
paul@preston ~ > host -t txt microsoft.com
paul@preston ~ > host -t txt hotmail.comNo responses! Compare to SPF:
paul@preston ~ > host -t txt aol.com
aol.com text "v=spf1 ip4:152.163.225.0/24 ip4:205.188.139.0/24 ip4:205.188.144.0/24 ip4:205.188.156.0/24 ip4:205.188.157.0/24 ip4:205.188.159.0/24 ip4:64.12.136.0/24
ip4:64.12.137.0/24 ip4:64.12.138.0/24 ptr:mx.aol.com ?all"
paul@preston ~ > host -t txt pobox.com
pobox.com text "v=spf1 mx mx:fallback-relay.pobox.com a:smtp.pobox.com a:emerald.pobox.com ?all"
paul@preston ~ > host -t txt livejournal.com
livejournal.com text "v=spf1 a mx ip4:66.150.15.140 ?all"Here is the real reason Microsoft had to publish their Caller-ID spec now!
Before replying with "those 7500 domains are tiny", AOL is publishing a SPF record NOW. Microsoft is not publishing their own Caller-ID record yet.
-
SPF Adoption Roll
here's a glimpse into the growing popularity of SPF:
SPF Adoption Roll
anyone have any info on quantifiable interest for either DMP or RME/RMX? -
Publish SPF records
Don't forget to publish SPF records for your domain if you have the ability to do so. If you have already done so, please register your domain via the validator.
-
Re:It's not a matter of A or BSPF is easy to defeat.
How?
SMTP uses TCP, which requires a round trip packet exchange to simply establish the connection begore any data is exchanged. So the receiving MTA definately knows the senders IP number.
DNS can be spoofed, but that is a difficult and risky attack for spammers. It's pretty safe to assume that 99% of DNS lookups performed to obtain SPF records will receive the information published by the domain name owner, and not a spoofed response from the spammer.
If the IP matches one that the domain's DNS says is authorized to send, then it's a pretty strong indication that the email is not forged.
Remember than SPF (and other authentication proposals) stop forgey, not spam directly. It only hurts spammers by making forgey much more difficult.
Plus, it has non-trivial deployment issues
Really?
Fill out the web-based SPF Publisher Wizard, and then copy the result into your DNS zone file. No new server software to install or update, no changes to email clients, no email server configuration changes, nothing to download. Looks pretty trivial to me (I did it for my site in just a few minutes).
Now, if you have no idea what machines transmit email for your domain, then you won't know how to fill out the form. But if your domain's email configuration is that uncontrolled or unknown... you've got much larger problems.
and a set of drawbacks associated with it
Yes, please explain?
Thousands of sites don't seem to share your view, including AOL:
paul@preston ~ > host -t txt aol.com
aol.com text "v=spf1 ip4:152.163.225.0/24 ip4:205.188.139.0/24 ip4:205.188.144.0/24 ip4:205.188.156.0/24 ip4:205.188.157.0/24 ip4:205.188.159.0/24 ip4:64.12.136.0/24 ip4:64.12.137.0/24 ip4:64.12.138.0/24 ptr:mx.aol.com ?all" -
Re:Good move...a solution that is available and 50% effective is better than a solution that no one has implemented yet.
You are absolutely correct.
Sender Permitted From (SPF) is indeed already available and implemented. Yahoo's DomainKeys is not implemented, and a spec has not yet even been published.
In a nutshell, SPF is a way to publish a DNS record that tells other sites what machines transmit email from your domain name. It's a pretty flexible system (detailed info at the SPF site).
Lets get the implementations out there in the wild and use the feedback to create real solutions!
Obviously you missed the article last week that AOL published a SPF record for 24 hours last Friday, for initial testing and to collect feedback. It appears they were pleased with the results, since they have turned it back on as of today.
AOL is not the only site. In fact, as of today, 3575 sites have published SPF records. My own site is among them.
If you, dead reader, happen to control the DNS for your own site, please consider adding a SPF record. It's very easy to do with the web-based SPF Publisher Wizard.
-
Re:How does this reduce spam in any shape or form?The big ones (yahoo, hotmail) are on board already; that's going to put some fierce pressure on ISPs to use this.
Are they? I don't see any txt records for hotmail nor yahoo, and the checking tool" doesn't see them eighter.
-
Re:Adoption Rate173 parse with errors
Ahm, I've just added my domain, was easy to do with the SPF wizzard, you just answer the questions, and it tells you what to enter into you bind config files. (And even explains what it means you're adding). But then, going back to the checking tool you mention, I get this:
Domain: uea.org
Record Found: "v=spf1 a a:co.uea.org include:cistron.nl -all"
Errors: Malformed or truncated domain 'co.uea.org' in 'a' declaration in rule part 3 (a:co.uea.org)
Malformed or truncated domain 'cistron.nl' in 'include' declaration in rule part 4 (include:cistron.nl)
No Warnings
No Notes
So I guess the checking tool is somewhat too strict (or the wizzard is sloppy.).
explains the reported errors, though. -
Adoption Rate
I know I'm going to put the SPF records in as soon as I get a chance, but these statistics aren't terribly optimistic so far:
http://www.infinitepenguins.net/SPF/register.php
This system serves to monitor the take-up of SPF. So far, 274 domains with SPF records are known.
As yet, only a count of registered domains is displayed; more analysis tools will appear once the number of domains increases.
Of these:
84 parse cleanly
0 parse with warnings
173 parse with errors
17 are yet to be checked by this system