Bug 154120 - SPF TXT record of the g.o domain should be set to "v=spf1 +all"
Summary: SPF TXT record of the g.o domain should be set to "v=spf1 +all"
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Infrastructure
Classification: Unclassified
Component: Other
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Infrastructure
Reported: 2006-11-05 03:09 UTC by Alin Năstac (RETIRED)
Modified: 2006-11-07 00:37 UTC
Description Alin Năstac (RETIRED) gentoo-dev 2006-11-05 03:09:51 UTC
SPF has been programmed to fail because its success was based on the hilarious assumption that it will be widely adopted.

Nowadays, the SPF_NEUTRAL test of the ubiquitous SpamAssassin has a score > 1, which must mean that spammers are trying to bypass spam filters by setting ~all in their TXT DNS record.

I use my own MTA to send @g.o messages and I don't like having positive spam notes assigned to my messages just because some guys who don't grasp Internet ways thought they could solve the spam problem.

Just set "v=spf1 +all" in our TXT record.
According to http://new.openspf.org/SPF_Record_Syntax, it means "the domain owner thinks that SPF is useless". This should be the TXT record for all widespread organizations like ours.
Comment 1 Andrea Barisani (RETIRED) gentoo-dev 2006-11-05 03:21:49 UTC
SPF is not useless, and emails coming from @gentoo.org addresses should always be sent by mail.gentoo.org according to our policy (which you can relay through by using SMTP auth).

The comment about SpamAssassin is irrelevant, SPF is not designed to directly fight spam and of course spammers are free to publish their own SPF domain. And by the way, the fact that you have positive spam notes because you are not sending from our MTA means the system actually works to some degree, proving the point in having it.

Kurt please voice your opinion as well. Marking as WONTFIX in the meantime.
Comment 2 Jakub Moc (RETIRED) gentoo-dev 2006-11-05 03:35:40 UTC
(In reply to comment #1)
> SPF is not useless and emails coming from @gentoo.org addresses should always
> be sent by mail.gentoo.org according to our policy (which you can relay with by
> using SMTP auth).

Huh? You mean this policy?

<snip>
Using dev.gentoo.org as a mail relay server

Warning: Do not do this unless absolutely necessary. Please use your ISPs relay server whenever possible.

If you need a relay-server desperately and have no other means of sending e-mails, you can use dev.gentoo.org as a relayserver.
</snip>

http://www.gentoo.org/proj/en/infrastructure/dev-email.xml#doc_chap2
Comment 3 Andrea Barisani (RETIRED) gentoo-dev 2006-11-05 03:42:40 UTC
I'm sure that's related to ! gentoo.org emails, we had some discussion about it within -infra.

Kurt, please shed some light on this.
Comment 4 Alin Năstac (RETIRED) gentoo-dev 2006-11-05 04:02:12 UTC
(In reply to comment #1)
> SPF is not useless and emails coming from @gentoo.org addresses should always
> be sent by mail.gentoo.org according to our policy (which you can relay with by
> using SMTP auth).

I agree. Spammers try to bypass spam filters by using ~all and, because of that, SpamAssassin has yet another rule in its arsenal. Therefore, it is not useless. :-]

> The comment about SpamAssassin is irrelevant, SPF is not designed to directly
> fight spam and of course spammers are free to publish their own SPF domain. ANd
> by the way the fact that you have positive spam notes because you are not
> sending from our MTA means the system actually works on some degree proving the
> point in having it.

Really? "Neutral" means the owner of the domain doesn't say anything about the spamness of a message not passing through their official MTAs, which should be interpreted by the receiving party as having exactly 50% probability of being spam. If mail.g.o is the only MTA allowed to send @g.o messages, _why_ don't we have -all in the TXT record?
If ~all would be so useful and widely adopted by legitimate businesses, then please explain to me how the hell SpamAssassin gives such a big probability of being spam.
Comment 5 Jakub Moc (RETIRED) gentoo-dev 2006-11-05 04:06:13 UTC
(In reply to comment #1)
> SPF is not useless 

And I'd urge you to review 
http://homepages.tesco.net/J.deBoynePollard/FGA/smtp-spf-is-harmful.html

Yes, it's not useless, it's even worse, it's actually harmful and broken in multiple ways...

Comment 6 Andrea Barisani (RETIRED) gentoo-dev 2006-11-05 04:50:17 UTC
(In reply to comment #4)
> 
> Really? "Neutral" means the owner of the domain don't say anything about the
> spamness of a message not passing through their official MTAs, which should be
> interpreted by the receiving party as having exactly 50% probability of being
> spam.  If mail.g.o is the only MTA allowed to send @g.o messages, _why_ don't

How's that neutral means "50%" probability? Neutral means neutral, period. And the reason why it is neutral is because it would be wrong to set it to failsafe and/or something stronger since it's not widely implemented and we are in a testing phase. Also, being neutral means that no one should care and that we are just giving a hint. The fact that SpamAssassin uses that for scoring even if it's neutral is wrong of course, but not our problem imho, and anyway it's a step in the right direction since gentoo.org messages should come from our MTA. If that's *not* the case (and I'm waiting for Kurt's reply) then it would make sense to remove the record.

> we have -all in TXT record?

Because since it's now widely adopted putting -all would be idiotic.

> If ~all would be so
> useful and widely adopted by legitimate businesses, then please explain to me
> how the hell SpamAssassin gives such a big probability of being spam.
> 

Not my problem if SpamAssassin rules are brain damaged. And I never said that ~all is widely adopted by legitimate businesses (but actually it is).
Comment 7 Andrea Barisani (RETIRED) gentoo-dev 2006-11-05 04:52:39 UTC
(In reply to comment #5)
> (In reply to comment #1)
> > SPF is not useless 
> 
> And I'd urge you to review 
> http://homepages.tesco.net/J.deBoynePollard/FGA/smtp-spf-is-harmful.html
> 
> Yes, it's not useless, it's even worse, it's actually harmful and broken in
> multiple ways...
> 

Already read. I could point out why that document is biased and why it doesn't apply to our scenario, but I don't have time for it. So sorry about it.

Personally I completely agree that SPF is a fugly solution (I personally like DomainKeys but the problem is that it doesn't work very well for lots of reasons, but the concept is much better) but in our case if we decide to adopt the policy of having only our MTA sending gentoo.org emails then it's fine.

Anyway I'm done with this topic so I delegate all decisions about this matter to Kurt which actually maintains mail.gentoo.org.

Cheers

Comment 8 Jakub Moc (RETIRED) gentoo-dev 2006-11-05 05:05:31 UTC
(In reply to comment #7)
> but in our case if we decide to adopt
> the policy of having only our MTA sending gentoo.org emails then it's fine.

Ah... Locking people into Gentoo's own MTA is indeed a wonderful policy, got inspiration from the document I've linked above? :P 

So, 

- people who are behind restrictive firewalls will be screwed (think corporate environment)

- people who have outgoing ports 25/587 redirected to the ISP's mailserver will be screwed too (pretty commonplace now that ISPs try to prevent spam in various weird ways)

- or those people will be forced to tunnel outgoing SMTP traffic via SSH, so that our SPF policy gets reinforced?

- also, the mailserver is already overloaded at times and emails tend to arrive with many hours of delay on various occasions; this will certainly help to ease the load.

- lots of other issues come to mind, but why waste my time.

If you are serious about the policy, (I still can't believe that), then kindly submit such policy proposals to -dev ML for discussion. That will be a wonderful flamewar, we desperately need more of them, the list is already pretty boring... :X
Comment 9 Andrea Barisani (RETIRED) gentoo-dev 2006-11-05 05:13:34 UTC
(In reply to comment #8)
>
> 
> If you are serious about the policy, (I still can't believe that), then kindly

I never said I'm serious about it, I said I thought this is where we would like to end up apparently. I don't remember the details of our -infra discussions about SPF adoption. I vaguely remember me and Kurt discussing it to put it to neutral and see what happens from there. So I'm all open for changes and that's why I'm waiting for Kurt comments.

Hope this is fair enough for you.

You might want to use your energy in this matter to bug the SpamAssassin people and have them change scoring based on a *neutral* setting, which was placed there in order *not to* make any assumptions when starting to adopt this. There's nothing technically wrong in how SPF was adopted on gentoo.org; if socially we have to turn it down because other programmers/people cannot set spam rules sensibly, so be it.

Regarding your list of blockers re smtp relaying (which I already perfectly know) SSH tunneling should always be possible...but that's another discussion entirely which I really don't want to start.
Comment 10 Alin Năstac (RETIRED) gentoo-dev 2006-11-05 06:32:32 UTC
(In reply to comment #6)
> Not my problem if SpamAssassin rules are brain damaged. And I never said that
> ~all is widely adopted by legitimate businesses (but actually it is).

SpamAssassin rules are far from being brain damaged. Those rules have scores that were computed based on statistics. A score of 1.1 shows us that significant number of messages that pass under SPF_NEUTRAL rule are in fact spam messages.
As I said a number of times, we are NOT a localised organization, one that could easily send its mail through a numerable set of MTAs.

Lately I had to deal with an increased level of spam at work. I tried to solve it through SPF, but I quickly realised it will do exactly nothing as a spam fighting tool. Instead, I've configured greylisting on my MTAs, with far better results than that idiocy we like to call SPF (spam level has been decreased by 70-95% as opposed to mostly nothing in SPF's case).

We cannot impose usage of smtp.g.o as the sole MTA available for us. You think SPF has a future and is generally a Good Thing? Fine, everyone is entitled to have an opinion, just don't set it for @g.o. It is pretty darn obvious we don't classify as potential users of such technology.
Comment 11 Andrea Barisani (RETIRED) gentoo-dev 2006-11-05 06:44:05 UTC
(In reply to comment #10)
> (In reply to comment #6)
> > Not my problem if SpamAssassin rules are brain damaged. And I never said that
> > ~all is widely adopted by legitimate businesses (but actually it is).
> 
> SpamAssassin rules are far from being brain damaged. Those rules have scores
> that were computed based on statistics. A score of 1.1 shows us that
> significant number of messages that pass under SPF_NEUTRAL rule are in fact
> spam messages.

Neutral means that we don't make any assumptions based on SPF results, SpamAssassin does it...SpamAssassin is wrong, no matter what statistics are out there. I'm not going *not* to use some words in the body of my email because SpamAssassin thinks it's statistically spam just like I'm not going to change SPF_NEUTRAL solely because of it.


> As I said a number of times, we are NOT a localised organization, one that
> could easily send its mail through a numerable set of MTAs.
> 
> Lately I had to deal with an increased level of spam at work. I tried to solve
> it through SPF, but I quickly realised it will do exactly nothing as spam
> fighting tool. Instead, I've configured greylisting on my MTAs, with far better
> results than that idiocy we like to call it SPF (spam level has been decreased
> by 70-95% as opposed to mostly nothing in SPF's case). 
> 

Ahaha...greylisting is even more fscked up, but please let's not start this discussion. Anyway SPF has *nothing to do with spam* as I already said, its purpose is entirely different.

> We cannot impose usage of smtp.g.o as the solely MTA available for us. You

No one is imposing anything yet, read my previous reply and you'll see why this is open to discussion and that we are waiting for Kurt's comment. So *please* stop bitching, you are not adding new information on this discussion.

> think SPF has a future and is generally a Good Thing? Fine, everyone is
> entitled to have an opinion, just don't set it for @g.o. It is pretty darn
> obvious we don't classify as potential users of such technology.
> 

Not obvious to me.

Anyway, I'm not going to reply any further on this matter.

*puff*
Comment 12 Kurt Lieber (RETIRED) gentoo-dev 2006-11-05 06:53:06 UTC
I'm not going to get into a pissing match about how widely SPF has or has not been adopted.  I will simply state that my opinion differs from those expressed by some of the other people on this bug.  While I appreciate that those folks might think a +all is better suited to our particular needs, again, I happen to disagree.  I feel that the current solution has been in place for quite a while now and seems to work just fine.  If it's not broken, etc. etc.

Marking as wontfix.
Comment 13 Andrea Barisani (RETIRED) gentoo-dev 2006-11-05 08:05:53 UTC
(In reply to comment #6)
> 
> > we have -all in TXT record?
> 
> Because since it's now widely adopted putting -all would be idiotic.
> 

For the records and sake of clarity the 'now' is a typo of 'not', meaning "since it's not 100% adopted putting -all would be quite harmful" (and accepted by our developers as a standard policy).
Comment 14 Alin Năstac (RETIRED) gentoo-dev 2006-11-06 03:42:41 UTC
Okay, let's debate using non-inflammatory arguments, shall we?
My arguments to use +all:
 - we are a widespread organization that cannot impose to its members what SMTP servers shall they use
 - ?all is used mostly by spammers in their quest to bypass anti-spam filters; therefore SPF_NEUTRAL spamassassin score is pretty high

klieber, please state your contra-arguments.
Comment 15 Andrea Barisani (RETIRED) gentoo-dev 2006-11-06 04:25:09 UTC
(In reply to comment #14)

>  - ?all is used mostly by spammers in their quest to bypass anti-spam filters;
> therefore SPF_NEUTRAL spamassassin score is pretty high
> 

*sigh* I thought this was over. Anyway lemme contribute to this.

This statement is either contradictory or wrong or I don't get it. You mean high score for *not* seeing a spf record or for matching a spf record, and in that case you mean that spamassassin marks a matching spf sender with ?all as spam? Anyway read the rest of my reply where I explain the situation.

What you say is not true at all, or at least is very misleading: if a spammer publishes and validates against an SPF record, well, good for us that we can track down its original envelope sender; any filter that uses *just* that for validating the sender is dumb. But as you stated, SpamAssassin might use that as a factor and *not* for the whole testing. And if you read the SpamAssassin rules you will see that a valid SPF check has *minimal* effect, only *invalid* ones have a high scoring....of course neutral, being neutral, should not be treated like that. So there's no 'bypass' here.

SPF high scoring is enforced only with -all *and* a negative match, positive impact is minimal (with both -all and ?all) and negative match of ?all is minimal as well.
Comment 16 Kurt Lieber (RETIRED) gentoo-dev 2006-11-06 04:42:52 UTC
(In reply to comment #14)
> klieber, please state your contra-arguments.

I've already stated my position.  To refresh your memory, here it is again:

I will simply state that my opinion differs from those expressed
by some of the other people on this bug.  While I appreciate that those folks
might think a +all is better suited to our particular needs, again, I happen to
disagree.  I feel that the current solution has been in place for quite a while
now and seems to work just fine.

In other words, I'm not going to debate it any further. 

Comment 17 Alin Năstac (RETIRED) gentoo-dev 2006-11-06 05:43:59 UTC
And your argument is you disagreeing with me...
In the meantime, messages sent by me on behalf of mrness@g.o reach my other mailbox having this header (yes, I know I don't have a message ID, I've just sent it using telnet):

X-Spam-Status: No, score=2.943 tagged_above=2 required=6.31 tests=[AWL=0.480,
	BAYES_50=0.001, MSGID_FROM_MTA_ID=1.393, SPF_NEUTRAL=1.069]
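An added illustration of the mechanics argued over in the description, comment 15 and the header in comment 17 (this is example code, not code from this bug or from Gentoo infrastructure): a minimal evaluator for the SPF "all" qualifiers, run against a constructed record that authorizes one MTA netblock, plus a parser for the X-Spam-Status tests= list as posted above. The netblock 203.0.113.0/24, the unlisted sender 198.51.100.7 and the record strings are assumptions chosen for the example; the rule scores come from the posted header only and are not claimed as general SpamAssassin values.

```python
"""Minimal SPF evaluator for the ip4/ip6 and 'all' mechanisms of RFC 7208,
plus a parser for the SpamAssassin X-Spam-Status 'tests=' list.

Added example, not code from the bug or from Gentoo infrastructure. The
netblock, sender IP and records below are constructed for illustration.
"""
import ipaddress

# Qualifier prefix -> SPF result when the mechanism matches (RFC 7208 section 4.6.2).
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_record(record):
    """Split 'v=spf1 ...' into (qualifier, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    mechanisms = []
    for term in terms[1:]:
        qualifier = "+"                      # an omitted qualifier means '+'
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")   # 'ip4:203.0.113.0/24' -> ('ip4', '203.0.113.0/24')
        mechanisms.append((qualifier, name.lower(), arg))
    return mechanisms


def check_host(ip, record):
    """Return pass/fail/softfail/neutral for sender `ip` under `record`.

    Only ip4, ip6 and all are implemented; a, mx, include, exists and
    modifiers need DNS and are refused so the result is never silently wrong.
    """
    addr = ipaddress.ip_address(ip)
    for qualifier, name, arg in parse_record(record):
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # An address-family mismatch yields False rather than an error.
            matched = addr in ipaddress.ip_network(arg, strict=False)
        else:
            raise NotImplementedError(f"mechanism {name!r} needs DNS lookups")
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"   # no mechanism matched (RFC 7208 section 4.7)


def compare_policies(ip, authorized_networks):
    """Result an unlisted sender gets under each 'all' qualifier the thread argues about."""
    prefix = " ".join(f"ip4:{net}" for net in authorized_networks)
    return {
        f"{q}all": check_host(ip, f"v=spf1 {prefix} {q}all")
        for q in QUALIFIER_RESULT
    }


def parse_spam_status(header):
    """Return {rule_name: score} from a SpamAssassin X-Spam-Status header."""
    start = header.index("tests=[") + len("tests=[")
    end = header.index("]", start)
    tests = {}
    for item in header[start:end].split(","):
        name, _, score = item.strip().partition("=")
        if name:
            tests[name] = float(score)
    return tests


# Header as posted in comment 17 (folded onto two lines, as in the mail).
SAMPLE_HEADER = (
    "X-Spam-Status: No, score=2.943 tagged_above=2 required=6.31 tests=[AWL=0.480,\n"
    "\tBAYES_50=0.001, MSGID_FROM_MTA_ID=1.393, SPF_NEUTRAL=1.069]"
)

if __name__ == "__main__":
    # Assumed: the official MTA lives in 203.0.113.0/24; the developer's own
    # MTA at 198.51.100.7 is not listed. Both are documentation prefixes.
    for policy, result in compare_policies("198.51.100.7", ["203.0.113.0/24"]).items():
        print(f"{policy:5} -> {result}")
    print("SPF_NEUTRAL contributes", parse_spam_status(SAMPLE_HEADER)["SPF_NEUTRAL"])
```

Running it shows the four outcomes for a message sent from an MTA outside the authorized set: "+all" gives pass, "-all" fail, "~all" softfail, and "?all" (or a record that never matches) neutral, which is the SPF_NEUTRAL case the posted header scores at 1.069. Which of these a receiver penalises is entirely up to its own rules; the evaluator only reports the SPF result.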
Comment 18 Fabian Groffen gentoo-dev 2006-11-06 12:38:52 UTC
Kurt, could you please "shed a light" as suggested by lcars in comment #3?  I read the quote mentioned in comment #2 as "please don't use our mailserver, ever", which perhaps isn't the case now.

Thanks.
Comment 19 Kurt Lieber (RETIRED) gentoo-dev 2006-11-06 14:22:42 UTC
(In reply to comment #18)
> Kurt, could you please "shed a light" as suggested by lcars in comment #3?  I
> read the quote mentioned in comment #2 as "please don't use our mailserver,
> ever", which perhaps isn't the case now.

As Andrea mentioned, the documentation really refers to using our mailserver for non-gentoo.org mail.  It's been acceptable for a long time now to use smtp.g.o, via authenticated SMTP, to send gentoo.org mail

Comment 20 Jakub Moc (RETIRED) gentoo-dev 2006-11-06 14:27:03 UTC
(In reply to comment #19)
> (In reply to comment #18)
> > Kurt, could you please "shed a light" as suggested by lcars in comment #3?  I
> > read the quote mentioned in comment #2 as "please don't use our mailserver,
> > ever", which perhaps isn't the case now.
> 
> As Andrea mentioned, the documentation really refers to using our mailserver
> for non-gentoo.org mail.  It's been acceptable for a long time now to use
> smtp.g.o, via authenticated SMTP, to send gentoo.org mail

Our definitions of "clear" clearly differ :P Plus, this is kinda irrelevant anyway - as stated above, there are people who simply can't use it or prefer not to do so for various reasons.
Comment 21 Fabian Groffen gentoo-dev 2006-11-07 00:37:10 UTC
Thanks for your clarification, Kurt.