9front - general discussion about 9front
* nupas spf checker: outdated ip bans
@ 2017-02-11 19:21 Julius Schmidt
  2017-02-11 19:42 ` [9front] " Julius Schmidt
  0 siblings, 1 reply; 6+ messages in thread
From: Julius Schmidt @ 2017-02-11 19:21 UTC (permalink / raw)
  To: 9front

nupas spf checker has a ban on certain ip ranges that seem out of date.
in particular 5.0.0.0/8 is incorrectly banned, presumably others are 
invalid, too.


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [9front] nupas spf checker: outdated ip bans
  2017-02-11 19:21 nupas spf checker: outdated ip bans Julius Schmidt
@ 2017-02-11 19:42 ` Julius Schmidt
  2017-02-11 21:23   ` Kurt H Maier
  2017-02-12 19:44   ` sl
  0 siblings, 2 replies; 6+ messages in thread
From: Julius Schmidt @ 2017-02-11 19:42 UTC (permalink / raw)
  To: 9front

on second thought, the whole cidrokay() check should go away, i.e. i 
propose we replace cidrokay() with "return 1;"

from what i can tell it does the following

- disallow any email from the ranges

0.0.0.0/8 1.0.0.0/8 2.0.0.0/8 5.0.0.0/8
10.0.0.0/8 127.0.0.0/8 255.0.0.0/8 192.168.0.0/16 169.254.0.0/16 
172.16.0.0/20 224.0.0.0/24 
fc00::/7

[1 2 and 5 are no longer reserved and should definitely be removed from 
the list. arguments can also be made that link-local addresses shouldn't 
be banned either, leaving just 0.0.0.0/8]

- disallow any ip range specified as "a.b.c.d/x" (or ipv6 equivalent) 
where x is less than 14 or more than 128
- the length check is bypassed for e-mail from 17.0.0.0/8 (apple) [god 
knows why]

this is all massively pointless because modern-day spammers are savvy 
enough to send e-mail that passes spf verification.
the only remaining point of spf is to protect against e-mails with a 
forged sender, which only makes sense if the sender is smart enough to put 
in a spf record that makes sense.
so if the admin wants to put in that e-mail is allowed from 0.0.0.0/0, 
fucking let him.

aiju


On Sat, 11 Feb 2017, Julius Schmidt wrote:

> nupas spf checker has a ban on certain ip ranges that seem out of date.
> in particular 5.0.0.0/8 is incorrectly banned, presumably others are invalid, 
> too.
>


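As an added example, not nupas code and not a proposal by anyone in the thread: a standalone C version of the kind of mechanism sanity check aiju describes above, with the minimum prefix length passed in as a parameter instead of the fixed 14, and no special case for 17.0.0.0/8. The function name spf_mech_ok(), the verdict names and the sample mechanisms are this example's own. The reserved list is taken from the RFC 6890 special-purpose registry, so 1/8, 2/8 and 5/8 do not appear and 172.16.0.0/12 is used as RFC 1918 defines it; the IPv6 minimum of 32 bits used in main() is an arbitrary choice for the example.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Verdicts returned by spf_mech_ok() (names are this example's, not nupas'). */
enum { MECH_OK = 0, MECH_BADSYNTAX, MECH_BADPREFIX, MECH_RESERVED };

/* Special-use blocks from the RFC 6890 registry that a receiver may refuse
 * to let an SPF record authorise. 1/8, 2/8 and 5/8 are not here: they are
 * ordinary unicast space today. */
struct net { int af; const char *addr; int bits; };
static const struct net reserved[] = {
    { AF_INET,  "0.0.0.0",      8 },  /* "this" network          */
    { AF_INET,  "10.0.0.0",     8 },  /* RFC 1918 private        */
    { AF_INET,  "127.0.0.0",    8 },  /* loopback                */
    { AF_INET,  "169.254.0.0", 16 },  /* link-local              */
    { AF_INET,  "172.16.0.0",  12 },  /* RFC 1918 private        */
    { AF_INET,  "192.168.0.0", 16 },  /* RFC 1918 private        */
    { AF_INET,  "224.0.0.0",    4 },  /* multicast               */
    { AF_INET,  "240.0.0.0",    4 },  /* reserved                */
    { AF_INET6, "::1",        128 },  /* loopback                */
    { AF_INET6, "fe80::",      10 },  /* link-local              */
    { AF_INET6, "fc00::",       7 },  /* unique local (RFC 4193) */
};

/* True if the first `bits` bits of a and b are equal. */
static int prefix_eq(const unsigned char *a, const unsigned char *b, int bits)
{
    int full = bits / 8, rem = bits % 8;
    if (memcmp(a, b, full) != 0)
        return 0;
    if (rem == 0)
        return 1;
    unsigned char mask = (unsigned char)(0xFF << (8 - rem));
    return (a[full] & mask) == (b[full] & mask);
}

/*
 * Check one SPF "ip4:" or "ip6:" mechanism. minbits4/minbits6 are the
 * shortest prefix the receiver is willing to accept; pass 0 to disable the
 * length check, which is the "return 1" behaviour proposed in the thread.
 * A mechanism that lies entirely inside a reserved block is MECH_RESERVED.
 */
int spf_mech_ok(const char *mech, int minbits4, int minbits6)
{
    int af, maxbits, minbits;
    if (strncmp(mech, "ip4:", 4) == 0) { af = AF_INET;  maxbits = 32;  minbits = minbits4; }
    else if (strncmp(mech, "ip6:", 4) == 0) { af = AF_INET6; maxbits = 128; minbits = minbits6; }
    else return MECH_BADSYNTAX;

    /* Split "addr/len"; RFC 7208 says a missing length means a host route. */
    const char *p = mech + 4;
    size_t n = strcspn(p, "/");
    char buf[64];
    if (n == 0 || n >= sizeof buf)
        return MECH_BADSYNTAX;
    memcpy(buf, p, n);
    buf[n] = '\0';
    int bits = maxbits;
    if (p[n] == '/') {
        char *end;
        long v = strtol(p + n + 1, &end, 10);
        if (end == p + n + 1 || *end != '\0' || v < 0 || v > maxbits)
            return MECH_BADPREFIX;
        bits = (int)v;
    }
    unsigned char addr[16];
    if (inet_pton(af, buf, addr) != 1)
        return MECH_BADSYNTAX;
    if (bits < minbits)
        return MECH_BADPREFIX;

    for (size_t i = 0; i < sizeof reserved / sizeof reserved[0]; i++) {
        unsigned char raddr[16];
        if (reserved[i].af != af || bits < reserved[i].bits)
            continue;               /* wider than the block, so not inside it */
        if (inet_pton(af, reserved[i].addr, raddr) == 1 &&
            prefix_eq(addr, raddr, reserved[i].bits))
            return MECH_RESERVED;
    }
    return MECH_OK;
}

int main(void)
{
    /* Constructed sample mechanisms, not taken from any real SPF record. */
    static const char *samples[] = {
        "ip4:5.1.2.0/24", "ip4:10.1.2.3", "ip4:0.0.0.0/0", "ip4:172.16.5.0/24",
        "ip4:192.0.2.1/33", "ip6:fd12::/48", "ip6:2001:db8::/32", "a:example.org",
    };
    static const char *names[] = { "ok", "bad syntax", "bad prefix length", "reserved block" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s %s\n", samples[i], names[spf_mech_ok(samples[i], 14, 32)]);
    return 0;
}
```

The reserved test is a containment test only: a mechanism is rejected when it sits inside a special-use block, not when it merely overlaps one. That is why spf_mech_ok("ip4:0.0.0.0/0", 0, 0) returns MECH_OK, which is the "let him" outcome argued for above once the length check is switched off; with the length check on, the same mechanism is refused as too broad rather than as reserved.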

* Re: [9front] nupas spf checker: outdated ip bans
  2017-02-11 19:42 ` [9front] " Julius Schmidt
@ 2017-02-11 21:23   ` Kurt H Maier
  2017-02-11 22:34     ` Steve Simon
  2017-02-12 19:44   ` sl
  1 sibling, 1 reply; 6+ messages in thread
From: Kurt H Maier @ 2017-02-11 21:23 UTC (permalink / raw)
  To: 9front

On Sat, Feb 11, 2017 at 08:42:34PM +0100, Julius Schmidt wrote:
> on second thought, the whole cidrokay() check should go away, i.e. i 
> propose we replace cidrokay() with "return 1;"

I support this.

> - disallow any email from the ranges

Among other things, why is the SPF checker screwing around with IP
ranges to start with?   I am assuming it was just a convenient place to
put these tests, but regardless, the tests are dated and arguably
useless anyway.

khm



* Re: [9front] nupas spf checker: outdated ip bans
  2017-02-11 21:23   ` Kurt H Maier
@ 2017-02-11 22:34     ` Steve Simon
  0 siblings, 0 replies; 6+ messages in thread
From: Steve Simon @ 2017-02-11 22:34 UTC (permalink / raw)
  To: 9front

hi,

i agree SPF is (sadly) no longer much use.

i still run a plan 9 mail server. my main source of spam is French virtual hosts which appear in distinct IP blocks. i use ratfs(1) to block cidr ranges to keep them at bay.

i also added code to ratfs to add a reverse ip address database. this supports regex so i can easily block reverse address ranges - i use this to block mail from dialup and adsl addresses.

code available to the interested.

-Steve


> On 11 Feb 2017, at 21:23, Kurt H Maier <khm@sciops.net> wrote:
> 
>> On Sat, Feb 11, 2017 at 08:42:34PM +0100, Julius Schmidt wrote:
>> on second thought, the whole cidrokay() check should go away, i.e. i 
>> propose we replace cidrokay() with "return 1;"
> 
> I support this.
> 
>> - disallow any email from the ranges
> 
> Among other things, why is the SPF checker screwing around with IP
> ranges to start with?   I am assuming it was just a convenient place to
> put these tests, but regardless, the tests are dated and arguably
> useless anyway.
> 
> khm




* Re: [9front] nupas spf checker: outdated ip bans
  2017-02-11 19:42 ` [9front] " Julius Schmidt
  2017-02-11 21:23   ` Kurt H Maier
@ 2017-02-12 19:44   ` sl
  2017-02-12 20:27     ` Kurt H Maier
  1 sibling, 1 reply; 6+ messages in thread
From: sl @ 2017-02-12 19:44 UTC (permalink / raw)
  To: 9front

Which version of nupas does this refer to?

sl



* Re: [9front] nupas spf checker: outdated ip bans
  2017-02-12 19:44   ` sl
@ 2017-02-12 20:27     ` Kurt H Maier
  0 siblings, 0 replies; 6+ messages in thread
From: Kurt H Maier @ 2017-02-12 20:27 UTC (permalink / raw)
  To: 9front

On Sun, Feb 12, 2017 at 02:44:32PM -0500, sl@stanleylieber.com wrote:
> Which version of nupas does this refer to?
> 
> sl

in http://plan9.stanleylieber.com/src/nupas.tgz

nupas/spf/spf.c:150


