Re: [Asrg] What are the IPs that sends mail for a domain?

John Leslie <john@jlc.net> Wed, 01 July 2009 15:02 UTC

Ian Eiloart <iane@sussex.ac.uk> wrote:
> 
> The point of SPF is to authenticate the sending domain.

   I don't believe SPF does any such thing. Domains can publish SPF RRs,
but those can't reasonably be said to "authenticate" anything, least of
all the "sending domain."

> If the IP address is authorised (by the domain owner) to send mail from
> the sender domain,

   That's closer... But I'd argue that no SPF construct "authorizes"
sending email. In practice, I think it's quite clear that SPF constructs
merely express probabilities.

> then bouncing mail into that domain isn't going to be causing backscatter, 
> unless the domain lacks internal controls over message submission.

   Of course, rather few domains other than corporate domains with
administrators more-than-average familiar with SMTP have reasonable
"internal controls over message submission". :^(

> If it does lack those internal controls, then the users of the domain
> can blame the domain owner.

   Indeed they can... does that actually accomplish anything?

> I guess there can also be issues where two distinct domains share the
> same outbound IP addresses, through an email service provider.

   Indeed, that is common...

> In that case, the email service provider is the responsible party that
> needs to be held to account.

   (which, BTW, is what CSV set out to do...)

> They need to ensure either (a) separation of domains by outbound IP
> address combined with accurate SPF records,

   Assuming they control either multiple IP addresses _or_ the SPF
records is risky. But even if they did, how would this lead to assigning
the responsibility correctly?

> or (b) proper implementation of MSA on all the domains that they
> provide service for.

   That is at least practical... But how does it lead to assigning the
responsibility correctly?

--
John Leslie <john@jlc.net>
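
The shared-outbound-IP case discussed above, as an added example that is not part of the original message: a small evaluator for a subset of SPF (`ip4`, `include`, `all`) run over constructed records for hypothetical domains. It shows that one provider address yields `pass` for every customer domain that includes the provider, so the result alone does not identify which customer submitted the message.

```python
import ipaddress

# Constructed SPF records: hypothetical domains, documentation address ranges.
RECORDS = {
    "esp.example": "v=spf1 ip4:192.0.2.0/28 -all",
    "alice.example": "v=spf1 include:esp.example -all",
    "bob.example": "v=spf1 include:esp.example ~all",
    "solo.example": "v=spf1 ip4:198.51.100.7 -all",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, ip, records=RECORDS, depth=0):
    """Evaluate a subset of SPF (ip4, include, all) for a MAIL FROM domain."""
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:  # simplified loop guard; RFC 7208 caps DNS lookups at 10
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return RESULTS[qualifier]
        if mech.startswith("ip4:"):
            if addr in ipaddress.ip_network(mech[4:], strict=False):
                return RESULTS[qualifier]
        elif mech.startswith("include:"):
            # include matches only when the nested evaluation yields "pass"
            if spf_check(mech[8:], ip, records, depth + 1) == "pass":
                return RESULTS[qualifier]
    return "neutral"


def domains_passing(ip, records=RECORDS):
    """Every domain whose SPF record yields 'pass' for this connecting IP."""
    return sorted(d for d in records if spf_check(d, ip, records) == "pass")


if __name__ == "__main__":
    shared_ip = "192.0.2.5"  # constructed: one of the provider's outbound hosts
    print(shared_ip, "passes SPF for:", domains_passing(shared_ip))
    print("alice.example from 203.0.113.9:",
          spf_check("alice.example", "203.0.113.9"))
```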