On 27/10/15 05:40, Jutta Zalud wrote:
But it is originating all from different IP addresses. Who knows if this is an attack to get *@jdlabs.fr blocked from NANOG and is just getting its goal accomplished.
This is the part that's been bugging me. Doesn't the NANOG server implement SPF checking on inbound list mail? jdlabs.fr doesn't appear to have an SPF record published. It seems to me that these messages should have been dropped during the connection.
Well... an empty record is pretty much the same as "?all" anyway. The correct interpretation from the receiving MTA is "The SPF (if it exists) doesn't say if this is spam or not". This could, of course, vary from implementation to implementation.
If it does (which I don't know), it will probably check the SPF record of the delivering mailserver, which was not *.jdlabs.fr as far as I can see from the mailheaders.
And also, most of the MX records end in ~all or ?all anyway, and ?all is the default if no "all" is defined, and the lack of a jdlabs.fr SPF record is the equivalent of being defined as "?all".

I now wonder if there is *really* a case for the ~ and ? operators in SPF and if we could deprecate ?all and ~all, and change the default to -all, by RFC. This would be just to make SPF useful. In its current state it asserts nothing, and --by its definition-- it forces no work from anybody.

Best regards.