From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Sat, 11 Feb 2017 20:42:34 +0100 (CET)
From: Julius Schmidt
To: 9front@9front.org
Subject: Re: [9front] nupas spf checker: outdated ip bans
List-ID: <9front.9front.org>

on second thought, the whole cidrokay() check should go away, i.e. i
propose we replace cidrokay() with "return 1;"

from what i can tell it does the following

- disallow any email from the ranges
  0.0.0.0/8
  1.0.0.0/8
  2.0.0.0/8
  5.0.0.0/8
  10.0.0.0/8
  127.0.0.0/8
  255.0.0.0/8
  192.168.0.0/16
  169.254.0.0/16
  172.16.0.0/20
  224.0.0.0/24
  fc00::/7
  [1 2 and 5 are no longer reserved and should definitely be removed
  from the list.
  arguments can also be made that link-local addresses shouldn't be
  banned either, leaving just 0.0.0.0/8]
- disallow any ip range specified as "a.b.c.d/x" (or ipv6 equivalent)
  where x is less than 14 or more than 128
- the length check is bypassed for e-mail from 17.0.0.0/8 (apple)
  [god knows why]

this is all massively pointless because modern-day spammers are savvy
enough to send e-mail that passes spf verification.
the only remaining point of spf is to protect against e-mails with a
forged sender, which only makes sense if the sender is smart enough to
put in a spf record that makes sense.
so if the admin wants to put in that e-mail is allowed from 0.0.0.0/0,
fucking let him.

aiju

On Sat, 11 Feb 2017, Julius Schmidt wrote:

> nupas spf checker has a ban on certain ip ranges that seem out of date.
> in particular 5.0.0.0/8 is incorrectly banned, presumably others are invalid,
> too.
>
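
A Python model of the check as the message above describes it, run over a constructed SPF record to show which ip4/ip6 mechanisms such a policy would reject. This is an added example, not nupas code: `described_check`, `audit_spf`, the reading of the ban list as "the record's network overlaps a banned range", and the sample record are all assumptions.

```python
import ipaddress

# Ranges copied from the message exactly as listed there.
BANNED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "1.0.0.0/8", "2.0.0.0/8", "5.0.0.0/8", "10.0.0.0/8",
    "127.0.0.0/8", "255.0.0.0/8", "192.168.0.0/16", "169.254.0.0/16",
    "172.16.0.0/20", "224.0.0.0/24", "fc00::/7")]
# Range for which the message says the length check is bypassed.
EXEMPT = ipaddress.ip_network("17.0.0.0/8")


def described_check(cidr):
    """Model of the described behaviour (assumed semantics); returns (ok, reason)."""
    net = ipaddress.ip_network(cidr, strict=False)
    for ban in BANNED:
        if net.version == ban.version and net.overlaps(ban):
            return False, f"overlaps banned range {ban}"
    exempt = net.version == 4 and net.subnet_of(EXEMPT)
    if not exempt and not 14 <= net.prefixlen <= 128:
        return False, f"prefix length {net.prefixlen} outside 14..128"
    return True, "accepted"


def audit_spf(record):
    """Return {term: reason} for ip4/ip6 mechanisms the modelled check rejects."""
    rejected = {}
    for term in record.split():
        # Drop the optional SPF qualifier (+ - ~ ?) before the mechanism name.
        name, _, value = term.lstrip("+-~?").partition(":")
        if name.lower() in ("ip4", "ip6") and value:
            ok, reason = described_check(value)
            if not ok:
                rejected[term] = reason
    return rejected


# Constructed SPF record for illustration; not taken from any real domain.
SAMPLE = ("v=spf1 ip4:5.9.1.0/24 ip4:203.0.113.0/24 ip4:198.48.0.0/12 "
          "ip4:17.0.0.0/8 ip6:2001:db8::/32 -all")

if __name__ == "__main__":
    for term, reason in audit_spf(SAMPLE).items():
        print(f"{term}: {reason}")
```
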