[119991] in North American Network Operators' Group


Re: SPF Configurations

daemon@ATHENA.MIT.EDU (Sean Donelan)
Mon Dec 7 09:31:47 2009

Date: Mon, 7 Dec 2009 09:30:24 -0500 (EST)
From: Sean Donelan <sean@donelan.com>
To: Bill Stewart <nonobvious@gmail.com>
In-Reply-To: <18a5e7cb0912062225u153c73cfkf6a5667a45b2791@mail.gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Sun, 6 Dec 2009, Bill Stewart wrote:
> On Sun, Dec 6, 2009 at 2:56 PM, Sean Donelan <sean@donelan.com> wrote:
>> In particular, what anti-forgery/security controls should network operators
>> implement and check; and what anti-forgery/security controls should network
>> operators not implement or check?
>
> Depends a bit on whether you're counting inbound-mail-service
> operators as network operators.

Because this is NANOG, I was scoping it to be just layer 0 to 4.  Leaving
the application and above layer discussions to other places.

I would love to know how the marketplace wants to handle "Official Mail," 
but I'm not expecting useful answers here.


> As an end user who doesn't have an account at Bank of America, I'd be
> happy if bankofamerica.com used SPF records so my mail system could
> discard forged spam from them; that's much different than the kind of
> forgery prevention I want for my actual bank.  (And obviously SPF
> isn't going to stop mail from bank0vamer1ca.cm etc., but it can cut
> down some of the noise and leave the rest for Spamassassin.)

Like most things, scaling is the only problem.  Your Bank is different 
from My Bank, and His Bank and Her Bank, and so on.  Throw in multiple 
middle-parties, i.e. the NSP, ISP, MSP, ESP, etc; and the problem becomes
very difficult.  And that's before adding the problem the real Your Bank 
(or their marketing partners, or their compromised PCs) may also send 
stuff you don't want.

Network operations probably aren't going to solve those problems.  And 
lots of other places like to discuss them.

So instead, what things should network operators be expected to solve?

If you can't trust routing, can you trust DNS?  If you can't trust DNS, 
can you trust things using DNS?  If you can't trust ???, can you trust ???



