Spam Filter ISP Support Forum


SPF blocking question

Hillard (Guest Group)
Posted: 23 July 2004 at 10:07am

Hello,

I am running the new version with SPF.  It is working well and blocking things already.  One problem I have is that some of our email customers have a connection other than ours and their ISP has blocked the SMTP port so the user has to set up their email to go through that ISP's email server.  The system sees them with our address and sees it coming from the other ISP's email server and SPF of course blocks it.  For now I have put these people in the "Excluded FROM emails" list so their email will get through for now.

What would be the proper way to handle these kinds of cases?

Hillard

 

Hillard (Guest Group)
Posted: 23 July 2004 at 10:29am

From looking at the spf.pobox.com site I see I can put a ?all in the DNS string instead of the -all to solve the problem; however, I'm not sure I like that method.  Or is that the only good way to allow these messages that go through another ISP's email server that are really my email clients?

Hillard

 

Desperado (Senior Member)
Joined: 27 January 2005
Location: United States
Posted: 23 July 2004 at 1:38pm

Hillard,

This is actually the single biggest problem with SPF.  AND, we all seem to have our own opinions as to the solution. 

1. For our customers that use outside connections and have static IPs, I have managed to get their ISPs to put RDNS on the IP such that I can add the ptr: directive into their SPF record.

2. For our customers that have DHCP IPs, they usually do not change often if they do not reboot their cable or DSL modem / routers, so I allow them to relay through us with an allowed IP.

3. For our customers that dial up through another service, FOR NOW, I am having them use our WebMail to send out.

4. I have been kicking ideas around with Roberto on how to authenticate, but this will take time because we all have so many different POP servers and some of those do not support SMTP-AUTH.

This is going to continue to be a hassle for some time but one that I feel is worth it after seeing how well it is working.

Dan S.

JimMeredith (Guest Group)
Posted: 23 July 2004 at 2:06pm

Hillard,

The "?all" directive is a way to get around this issue, but it also completely defeats the purpose of SPF.  It may be better to have no SPF record at all rather than use the "?all" directive, because "?all" will always result in a "pass" response.  This might cause some receiving mail systems (not SpamFilter, but others) to place a greater degree of trust in this message, and bypass other spam checks that they would otherwise be running if an SPF "pass" response had not been received.

I am facing a situation that is similar to yours, and have chosen to NOT publish SPF records for our domains for the time being.  We're an ASP that provides email services to our clients, and our clients utilize Internet services from dozens of ISPs across Canada and the U.S.  More than a few of these ISPs have decided to block all SMTP traffic except for traffic directed to their own SMTP server, thinking that it will help them to fight spam originating on their network.  We have to change the email configuration for our clients to use the ISP's SMTP server for outbound mail.

There are workarounds, but none of them are easy to implement (SASL, configuring all of your clients to use a port other than 25 for SMTP, etc.).  For now, I'm taking the approach of contacting ISPs and asking them to un-block port 25 for our servers.  According to the report issued by the Anti Spam Technical Alliance (http://docs.yahoo.com/docs/pr/pdf/asta_soi.pdf):

"For many consumer-oriented ISPs, the simplest solution to stop e-mail worms and spam from their network is to block outbound port 25 traffic. However, blocking port 25 can be problematic for customers who need to run their own mail server or communicate with a mail server on a remote network to submit e-mail (such as a web hosting company or a hosted domain’s mail server).... an ISP should develop a capability to identify customers who have a legitimate need to run a mail server, and then not block port 25 connectivity for these customers..."

The funny thing is, the ISPs who have signed on to this document are among the WORST when it comes to this indiscriminate blocking of port 25.  I still haven't found anyone at MSN who will open up port 25 traffic bound to our mail servers.  Fortunately, we do have some influence over our customers' ISP choices, so unless MSN and others start to "practice what they preach," there might be a bunch of MSN accounts being cancelled in the near future.

Jim
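
Added example, not part of any post in this thread: a simplified Python evaluator for the SPF terms discussed above (ip4, ptr, and a record ending in -all or ?all), run against constructed addresses to show how mail relayed through another ISP's server is scored under each record. The addresses, domain names and the `rdns` lookup table are assumptions made for illustration; the qualifier-to-result mapping follows RFC 7208.

```python
import ipaddress

# SPF qualifier -> result when the mechanism matches (RFC 7208, section 4.6.2)
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, client_ip, rdns=None):
    """Evaluate a simplified SPF record for one connecting IP.

    Supports only ip4:, ptr: and all. `rdns` stands in for validated
    reverse DNS: a dict mapping IP string -> hostname (assumption; a real
    checker performs the PTR and forward-confirming lookups itself).
    """
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    host = (rdns or {}).get(client_ip, "")
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "ptr":
            matched = host == arg or host.endswith("." + arg)
        else:
            continue  # mechanism not modelled in this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched

# Constructed sample data (documentation address ranges, example domains).
OUR_SERVER = "192.0.2.10"          # the domain's own mail server
OTHER_ISP_RELAY = "198.51.100.25"  # another ISP's SMTP server relaying a customer
CUSTOMER_STATIC = "203.0.113.7"    # customer with a static IP and reverse DNS
RDNS = {CUSTOMER_STATIC: "mail.customer.example.com"}

STRICT = "v=spf1 ip4:192.0.2.0/24 -all"
NEUTRAL = "v=spf1 ip4:192.0.2.0/24 ?all"
WITH_PTR = "v=spf1 ip4:192.0.2.0/24 ptr:customer.example.com -all"

def results(record):
    ips = (OUR_SERVER, OTHER_ISP_RELAY, CUSTOMER_STATIC)
    return {ip: check_spf(record, ip, RDNS) for ip in ips}
```

Calling `results(STRICT)`, `results(NEUTRAL)` and `results(WITH_PTR)` gives the SPF result for each of the three senders under each record.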
