* nupas spf checker: outdated ip bans
From: Julius Schmidt @ 2017-02-11 19:21 UTC
To: 9front
nupas spf checker has a ban on certain ip ranges that seem out of date.
in particular 5.0.0.0/8 is incorrectly banned, presumably others are
invalid, too.
* Re: [9front] nupas spf checker: outdated ip bans
From: Julius Schmidt @ 2017-02-11 19:42 UTC
To: 9front
on second thought, the whole cidrokay() check should go away, i.e. i
propose we replace cidrokay() with "return 1;"

from what i can tell it does the following

- disallow any email from the ranges
  0.0.0.0/8 1.0.0.0/8 2.0.0.0/8 5.0.0.0/8
  10.0.0.0/8 127.0.0.0/8 255.0.0.0/8 192.168.0.0/16 169.254.0.0/16
  172.16.0.0/20 224.0.0.0/24
  fc00::/7
  [1 2 and 5 are no longer reserved and should definitely be removed from
  the list. arguments can also be made that link-local addresses shouldn't
  be banned either, leaving just 0.0.0.0/8]
- disallow any ip range specified as "a.b.c.d/x" (or ipv6 equivalent)
  where x is less than 14 or more than 128
- the length check is bypassed for e-mail from 17.0.0.0/8 (apple) [god
  knows why]

this is all massively pointless because modern-day spammers are savvy
enough to send e-mail that passes spf verification.
the only remaining point of spf is to protect against e-mails with a
forged sender, which only makes sense if the sender is smart enough to put
in a spf record that makes sense.
so if the admin wants to put in that e-mail is allowed from 0.0.0.0/0,
fucking let him.

aiju
On Sat, 11 Feb 2017, Julius Schmidt wrote:
> nupas spf checker has a ban on certain ip ranges that seem out of date.
> in particular 5.0.0.0/8 is incorrectly banned, presumably others are invalid,
> too.
>
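
Added example (not part of the thread and not the nupas source): a small C model of the three rules as the message above describes them, applied to the CIDR of an SPF ip4 term, which is an assumption about where the check runs. The names described_cidrokay, parsecidr and the sample terms are hypothetical; the model is IPv4-only.

```c
/* Added example: models the check as the message describes it, not nupas source. */
#include <stdio.h>
#include <stdint.h>

struct cidr { uint32_t net; int len; };

/* IPv4 ranges exactly as listed in the message (fc00::/7 left out: IPv4-only model). */
static const struct cidr banned[] = {
	{0x00000000, 8}, {0x01000000, 8}, {0x02000000, 8}, {0x05000000, 8},
	{0x0A000000, 8}, {0x7F000000, 8}, {0xFF000000, 8}, {0xC0A80000, 16},
	{0xA9FE0000, 16}, {0xAC100000, 20}, {0xE0000000, 24},
};

static uint32_t mask(int len) { return len == 0 ? 0 : 0xFFFFFFFFu << (32 - len); }

/* Parse "a.b.c.d" or "a.b.c.d/x" (no /x means /32); returns 0 on success. */
static int parsecidr(const char *s, uint32_t *ip, int *len)
{
	unsigned a, b, c, d;
	int n = 0;

	*len = 32;
	if (sscanf(s, "%u.%u.%u.%u%n", &a, &b, &c, &d, &n) != 4) return -1;
	if (a > 255 || b > 255 || c > 255 || d > 255) return -1;
	if (s[n] == '/') {
		if (sscanf(s + n + 1, "%d", len) != 1) return -1;
	} else if (s[n] != '\0') return -1;
	if (*len < 0 || *len > 32) return -1;
	*ip = a << 24 | b << 16 | c << 8 | d;
	return 0;
}

/* Hypothetical model of the described rules: 1 = accepted, 0 = rejected. */
int described_cidrokay(const char *term)
{
	uint32_t ip;
	int len;
	size_t i;

	if (parsecidr(term, &ip, &len) < 0) return 0;
	for (i = 0; i < sizeof banned / sizeof banned[0]; i++)
		if ((ip & mask(banned[i].len)) == banned[i].net) return 0;
	if (len < 14 && (ip >> 24) != 17) return 0; /* length rule, skipped for 17.0.0.0/8 */
	return 1;
}

int main(void)
{
	/* Constructed sample terms, not taken from any real SPF record. */
	const char *t[] = {"5.1.2.0/24", "1.1.1.0/24", "172.20.0.0/16", "17.0.0.0/8", "198.51.100.0/12"};
	for (size_t i = 0; i < sizeof t / sizeof t[0]; i++)
		printf("%-16s %s\n", t[i], described_cidrokay(t[i]) ? "accepted" : "rejected");
	return 0;
}
```

In this model 172.20.0.0/16 is accepted because the listed 172.16.0.0/20 only covers 172.16.0.0 through 172.16.15.255, while terms inside 1.0.0.0/8 and 5.0.0.0/8 are rejected.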
* Re: [9front] nupas spf checker: outdated ip bans
From: Kurt H Maier @ 2017-02-11 21:23 UTC
To: 9front
On Sat, Feb 11, 2017 at 08:42:34PM +0100, Julius Schmidt wrote:
> on second thought, the whole cidrokay() check should go away, i.e. i
> propose we replace cidrokay() with "return 1;"
I support this.
> - disallow any email from the ranges
Among other things, why is the SPF checker screwing around with IP
ranges to start with? I am assuming it was just a convenient place to
put these tests, but regardless, the tests are dated and arguably
useless anyway.
khm
* Re: [9front] nupas spf checker: outdated ip bans
From: Steve Simon @ 2017-02-11 22:34 UTC
To: 9front
hi,

i agree SPF is (sadly) no longer much use.

i still run a plan 9 mail server. my main source of spam is French virtual hosts which appear in distinct ip blocks. i use ratfs(1) to block cidr ranges to keep them at bay.

i also added code to ratfs to add a reverse ip address database. this supports regex so i can easily block reverse address ranges - i use this to block mail from dialup and adsl addresses.

code available to the interested.

-Steve
> On 11 Feb 2017, at 21:23, Kurt H Maier <khm@sciops.net> wrote:
>
>> On Sat, Feb 11, 2017 at 08:42:34PM +0100, Julius Schmidt wrote:
>> on second thought, the whole cidrokay() check should go away, i.e. i
>> propose we replace cidrokay() with "return 1;"
>
> I support this.
>
>> - disallow any email from the ranges
>
> Among other things, why is the SPF checker screwing around with IP
> ranges to start with? I am assuming it was just a convenient place to
> put these tests, but regardless, the tests are dated and arguably
> useless anyway.
>
> khm
* Re: [9front] nupas spf checker: outdated ip bans
From: sl @ 2017-02-12 19:44 UTC
To: 9front
Which version of nupas does this refer to?
sl
* Re: [9front] nupas spf checker: outdated ip bans
From: Kurt H Maier @ 2017-02-12 20:27 UTC
To: 9front
On Sun, Feb 12, 2017 at 02:44:32PM -0500, sl@stanleylieber.com wrote:
> Which version of nupas does this refer to?
>
> sl
in http://plan9.stanleylieber.com/src/nupas.tgz
nupas/spf/spf.c:150