IETF Logo Mail Archive

Re: [spfbis] Local macros strike again, was Suggestion...

Hector Santos <hsantos@isdg.net> Sat, 14 January 2012 01:42 UTC

Return-Path: <hsantos@isdg.net>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 944C321F860E for <spfbis@ietfa.amsl.com>; Fri, 13 Jan 2012 17:42:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.142
X-Spam-Level:
X-Spam-Status: No, score=-2.142 tagged_above=-999 required=5 tests=[AWL=0.457, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zYchuC7Ux39e for <spfbis@ietfa.amsl.com>; Fri, 13 Jan 2012 17:42:54 -0800 (PST)
Received: from listserv.winserver.com (mail.winserver.com [208.247.131.9]) by ietfa.amsl.com (Postfix) with ESMTP id 2626921F860D for <spfbis@ietf.org>; Fri, 13 Jan 2012 17:42:53 -0800 (PST)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha1; c=simple/relaxed; l=4156; t=1326505364; h=Received:Received: Received:Received:Message-ID:Date:From:Organization:To:Subject: List-ID; bh=r1/n8v7xKJAV8+h47Kxh20H+g10=; b=MmTGl3DmJ2DDUPFesId1 qfLZG0pXvPJ8lJUWwsE3/uhStSfKZrJHGiuKOiFgKOMKwlvS3wDp9ve8JWPpaUlt JM/iqIU3yBT0VhhnPlngapj8xf5/pRWsc2ZbuJ/nu1KfoEA+RsMwr0Q3aj6/s85K hfO/XahaobogpxRqTfxf0Ow=
Received: by winserver.com (Wildcat! SMTP Router v6.4.454.1) for spfbis@ietf.org; Fri, 13 Jan 2012 20:42:44 -0500
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com; adsp=pass policy=all author.d=isdg.net asl.d=beta.winserver.com;
Received: from beta.winserver.com ([208.247.131.23]) by winserver.com (Wildcat! SMTP v6.4.454.1) with ESMTP id 4002214949.36383.3656; Fri, 13 Jan 2012 20:42:43 -0500
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=4156; t=1326505188; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=+v+tdpo 83O09AmX/xDECSG2/iAhLp62IMdIPdCE/RjU=; b=AQxsskauF0blIY4+OAFeAkC 3GJWYGniHlzdpAOS5Y/5aHy97jQUNond2/f6OeJeIZeCqP3FTcbC8zn64vFG7M4c 86Geolbg91B/8nP/W5FlWGl86S23tYfJjFGPE0j/uCQL1zizAAfmtqEm167Z7WVs oaGo88Xej1TEFv4XqCD8=
Received: by beta.winserver.com (Wildcat! SMTP Router v6.4.454.1) for spfbis@ietf.org; Fri, 13 Jan 2012 20:39:48 -0500
Received: from [192.168.1.101] ([99.3.147.93]) by beta.winserver.com (Wildcat! SMTP v6.4.454.1) with ESMTP id 306210829.5019.2680; Fri, 13 Jan 2012 20:39:47 -0500
Message-ID: <4F10DD94.8040905@isdg.net>
Date: Fri, 13 Jan 2012 20:42:44 -0500
From: Hector Santos <hsantos@isdg.net>
Organization: Santronics Software, Inc.
User-Agent: Thunderbird 2.0.0.24 (Windows/20100228)
MIME-Version: 1.0
To: spfbis@ietf.org
References: <F5833273385BB34F99288B3648C4F06F19C6C15673@EXCH-C2.corp.cloudmark.com> <4EF8F336.8080508@gathman.org> <F5833273385BB34F99288B3648C4F06F19C6C1569C@EXCH-C2.corp.cloudmark.com> <1590867.1quv5UxKKV@scott-latitude-e6320> <4EFCB88A.1080104@mail-abuse.org> <4EFE6F39.90000@isdg.net> <4F0358CC.6030505@mail-abuse.org> <4F03775B.4050905@isdg.net> <4F04E292.9030502@mail-abuse.org> <4F04FB1C.7070302@isdg.net> <4F060E74.2070103@cisco.com> <4F063F09.3030900@isdg.net> <4F06884D.2070509@mail-abuse.org> <4F082861.5080803@tana.it> <4F09269C.6090402@isdg.net> <4F0B0035.3050106@cisco.com> <4F0C9777.1090904@mail-abuse.org> <4F0C9E61.1010306@cisco.com> <4F0DD063.5090103@tana.it> <4F0E0A7E.1040905@isdg.net> <Pine.GSO.4.62.1201111726390.13909@spaz.oit.wmich.edu> <4F10BEED.7050207@mail-abuse.org>
In-Reply-To: <4F10BEED.7050207@mail-abuse.org>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [spfbis] Local macros strike again, was Suggestion...
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/spfbis>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Jan 2012 01:42:55 -0000

Douglas Otis wrote:

> Dear Hector,
> 
> This was simply explaining the impact caused by a change Wayne Schlitt 
> made to host name limits in his SPF library.  He restricted the number 
> of host names resolved to 5.  This caused a problem for t-online.de who 
> never published SPF records but were subjected to "default" SPF records 
> such as "a mx/24" and that had 8 hosts in their MX RRset, for example. :^(

Doug,

Since I'm not familiar with the idea of a "default" SPF record, I 
don't quite understand why a receiver would applied a "SPF default" to 
a domain that did make any SPF explicit declaration. Why would you not 
expect to see problems with this?  If this part of the specification?

That said, what we have (in our package) is a macro-based filtering 
language that includes a macro called DIP for DOMAIN::IP association. 
Its a lightweight LMAP rule that sysops can add to their filters.   We 
recommend to add them for KNOWN transactions that do not have SPF 
records and only do so if its clear to them that a DIP would 
accurately apply.  These are the DIP rules I have added over the years 
for our SMTP server:

;------------------------------------------------------------
Reason DIP whitelisted
;------------------------------------------------------------

accept if %DIP% = above.proper.com[208.184.76.39]
accept if %DIP% = bbsnets.com[66.8.157.90]
accept if %DIP% = dlois.com[216.220.225.104]
accept if %DIP% = fbg.collection.com[71.40.6.42]
accept if %DIP% = fbg.collection.com[71.40.6.43]
accept if %DIP% = hello.sd.dreamhost.com[66.33.201.150]
accept if %DIP% = ietf.org[132.151.6.22]
accept if %DIP% = imc.org[208.184.76.39]
accept if %DIP% = isdg.net[208.247.131.9]
accept if %DIP% = jck.com[209.187.148.211]
accept if %DIP% = lists.dsafe.org[66.33.206.23]
accept if %DIP% = lists.php.net[216.92.131.4]
accept if %DIP% = lists.xml.org[209.202.168.102]
accept if %DIP% = lists.xml.org[209.202.168.106]
accept if %DIP% = mail.imc.org[207.182.41.81]
accept if %DIP% = mail.imc.org[208.184.76.39]
accept if %DIP% = mail.songbird.com[72.52.113.17]
accept if %DIP% = maximus.com[12.150.181.2]
accept if %DIP% = mmx.engelschall.com[195.27.130.252]
accept if %DIP% = nic.fr[192.134.7.248]
accept if %DIP% = orgill.com[204.118.96.135]
accept if %DIP% = republico.estv.ipv.pt[193.137.7.30]
accept if %DIP% = tbsp.com[173.196.180.194]
accept if %DIP% = tclbbs.com[68.252.52.41]
accept if %DIP% = tclbbs.com[68.252.52.42]
accept if %DIP% = tclbbs.com[68.252.52.43]
accept if %DIP% = tclbbs.com[68.252.52.44]
accept if %DIP% = tclbbs.com[68.252.52.45]
accept if %DIP% = tclbbs.com[68.252.52.46]
accept if %DIP% = v2.listbox.com[207.8.214.5]
accept if %DIP% = v2.listbox.com[207.8.214.6]
accept if %DIP% = v2.listbox.com[208.58.1.195]
accept if %DIP% = wingate.com[202.180.113.230]
accept if %DIP% = ww-bbs.com[63.168.37.2]
accept if %DIP% = www1.ietf.org[132.151.6.22]

Note, these are ACCEPTS, so there is no harm per se compared to DIP 
Reject rules.

Similarly, for EHLO/HELP LMAP checks, we provide active examples in 
the default filter script file for rules that apply to us:

;------------------------------------------------------------
Reason HELO/EHLO mismatch
;------------------------------------------------------------

; The following rules basically says that only the machine
; at 208.247.131.* are allowed to use the domains listed
; as part of the HELO/EHLO command.   These are specifically
; for SSI. You should add your own domains with the IP address
; of where WCSMTP is running using similar rejection rules.

Reject if .santronics.com  in .%CDN% and %CIP% !in 208.247.131.*
Reject if .winserver.com   in .%CDN% and %CIP% !in 208.247.131.*
Reject if .isdg.net        in .%CDN% and %CIP% !in 208.247.131.*
Reject if .catinthebox.net in .%CDN% and %CIP% !in 208.247.131.*

Again these "default", SPF-like rules SHOULD only applied where there 
is precise knowledge.  I can't envision a general "SPF Default" rule 
applicable to all non-SPF domains.  Is there such a thing?

-- 
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com

v2.23.0 | Report a Bug | By Email