On 09/23/2009 05:00 PM, PatchLog wrote:
> I'm thinking about modifying this extension to use dktest and
> libdkimtest to do the verification of messages.
> Of course this means the extension will depend on the presence of those
> programs on user's machine but they can be compiled for most platforms
> and I think it's more efficient to have them downloaded once then having
> a verification service with all the maintenance and other problems that
> it could cause.
> Does anyone think this is a good/bad idea?

It is a great idea. It is how I would have implemented it if I knew how.
Good luck and keep me posted.

--
- Josh Tauberer

http://razor.occams.info

"Yields falsehood when preceded by its quotation!  Yields
falsehood when preceded by its quotation!" Achilles to
Tortoise (in "Godel, Escher, Bach" by Douglas Hofstadter)

I'm thinking about modifying this extension to use dktest and libdkimtest to do
the verification of messages.
Of course this means the extension will depend on the presence of those programs
on user's machine but they can be compiled for most platforms and I think it's
more efficient to have them downloaded once then having a verification service
with all the maintenance and other problems that it could cause.
Does anyone think this is a good/bad idea?

On 09/09/2009 12:07 PM, Tony Hansen wrote:
> Ok, I'll accept pointers on how to go about doing it. But I'll probably
> try recruiting some other people to do the actual work.

I like your style. :)

--
- Josh Tauberer

http://razor.occams.info

"Yields falsehood when preceded by its quotation!  Yields
falsehood when preceded by its quotation!" Achilles to
Tortoise (in "Godel, Escher, Bach" by Douglas Hofstadter)

Ok, I'll accept pointers on how to go about doing it. But I'll probably
try recruiting some other people to do the actual work.

	 Tony

Joshua Tauberer wrote:
> On 09/08/2009 07:35 AM, Tony Hansen wrote:
>> I would love to see this extension change to support both DKIM and
>> Authentication-Results headers. Yes, I think it is worth updating.
>> Support for both of those has grown tremendously, while support for SPF
>> has leveled off.
>>
>> I can help someone work on the code, but cannot be a primary source
>> provider.
>
> I think it is all up to you. :-P
>
> I can give pointers on how to go about it.
>

On 09/08/2009 07:35 AM, Tony Hansen wrote:
> I would love to see this extension change to support both DKIM and
> Authentication-Results headers. Yes, I think it is worth updating.
> Support for both of those has grown tremendously, while support for SPF
> has leveled off.
>
> I can help someone work on the code, but cannot be a primary source
> provider.

I think it is all up to you. :-P

I can give pointers on how to go about it.

--
- Josh Tauberer

http://razor.occams.info

"Yields falsehood when preceded by its quotation!  Yields
falsehood when preceded by its quotation!" Achilles to
Tortoise (in "Godel, Escher, Bach" by Douglas Hofstadter)

I would love to see this extension change to support both DKIM and
Authentication-Results headers. Yes, I think it is worth updating.
Support for both of those has grown tremendously, while support for SPF
has leveled off.

I can help someone work on the code, but cannot be a primary source
provider.

	 Tony Hansen
	 tony@...

Joshua Tauberer wrote:
> On 08/30/2009 09:21 AM, ythanb wrote:
>>  > This is a last call in case it's actually important to anyone. If you
>>  > want to help, you could:
>>  >
>>  > * Provide a new public 'query server' to do the server-side checks
>>
>> I've done just this. In case anyone is interested the address is
>> http://www.shroomery.org/dkverify/query.cgi
>> <http://www.shroomery.org/dkverify/query.cgi>
>
> Wow, that's great. Especially cool since you're responding to my email
> from two years ago.
>
> OTOH, I think many ISPs have moved on to DKIM rather than DomainKeys and
> that's not supported by the extension at all.
>
> Except... In order for me to post a TB3-compatible update to
> addons.mozilla.org, the code base has to be revised to conform to new
> guidelines (having to do with name clashes in the javascript). I've
> decided not to update the extension so I can spend my time on other
> projects. Do you want to take a shot at that too? :)

On 08/30/2009 09:21 AM, ythanb wrote:
>  > This is a last call in case it's actually important to anyone. If you
>  > want to help, you could:
>  >
>  > * Provide a new public 'query server' to do the server-side checks
>
> I've done just this. In case anyone is interested the address is
> http://www.shroomery.org/dkverify/query.cgi
> <http://www.shroomery.org/dkverify/query.cgi>

Wow, that's great. Especially cool since you're responding to my email
from two years ago.

OTOH, I think many ISPs have moved on to DKIM rather than DomainKeys and
that's not supported by the extension at all.

Except... In order for me to post a TB3-compatible update to
addons.mozilla.org, the code base has to be revised to conform to new
guidelines (having to do with name clashes in the javascript). I've
decided not to update the extension so I can spend my time on other
projects. Do you want to take a shot at that too? :)

--
- Josh Tauberer

http://razor.occams.info

"Yields falsehood when preceded by its quotation!  Yields
falsehood when preceded by its quotation!" Achilles to
Tortoise (in "Godel, Escher, Bach" by Douglas Hofstadter)

> This is a last call in case it's actually important to anyone. If you
> want to help, you could:
>
>    * Provide a new public 'query server' to do the server-side checks

I've done just this. In case anyone is interested the address is
http://www.shroomery.org/dkverify/query.cgi

t313c0mun1s7 wrote:
> I just installed the Sender Verification Extension for the first time,
> and I am looking at my inbox to see how it works. I have a question
> because I am not sure the behavior is correct. In at least two cases I
> see messages with a generic "SVE Verification Failed" message, and I
> know that the domains have SPF records because I am the host.

This is probably the known bug/limitation --- if your wife's outgoing
MTA is the same as your incoming MTA, it will report spurious failures.
There's nothing that can be done about it, though (as far as I or anyone
has figured out).

--
- Josh Tauberer

http://razor.occams.info

"Yields falsehood when preceded by its quotation!  Yields
falsehood when preceded by its quotation!" Achilles to
Tortoise (in "Godel, Escher, Bach" by Douglas Hofstadter)

I just installed the Sender Verification Extension for the first time, and I am looking at my inbox to see how it works. I have a question because I am not sure the behavior is correct. In at least two cases I see messages with a generic "SVE Verification Failed" message, and I know that the domains have SPF records because I am the host.

Case #1 My wife sent me an E-mail, the sending and receiving domains are the same.

From - Mon Nov 17 15:33:55 2008
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-path: <tammy@...>
Envelope-to: John@...
Delivery-date: Mon, 17 Nov 2008 16:33:09 -0600
Received: from [CENSORED FOR POST] by shelby.websitewelcome.com with local-bsmtp ([CENSORED FOR POST])
(envelope-from <tammy@...>)
id 1L2Cea-0002p1-T5
for John@...; Mon, 17 Nov 2008 16:33:09 -0600
X-Spam-Checker-Version: SpamAssassin 3.3.0-r613124 (2008-01-18) on
shelby.websitewelcome.com
X-Spam-Level: *
X-Spam-Status: No, score=1.4 required=5.0 tests=AWL,HTML_MESSAGE,RDNS_NONE,
SPF_SOFTFAIL shortcircuit=no autolearn=disabled version=3.3.0-r613124
Received: from [72.24.123.87] (port=1754 helo=freyr)
by shelby.websitewelcome.com with esmtp ([CENSORED FOR POST])
(envelope-from <tammy@...>)
id 1L2Cea-0002ov-Md
for John@...; Mon, 17 Nov 2008 16:33:08 -0600
From: "Tammery Reid" <tammy@...>
To: "'John C. Reid'" <John@...>
Subject: Chastain Law
Date: Mon, 17 Nov 2008 15:34:34 -0700
Message-ID: <000001c94904$aafd8cd0$1400a8c0@asgard>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0001_01C948C9.FE9EB4D0"
X-Mailer: Microsoft Office Outlook 11
Thread-Index: AclJBKo3deUTkdHvQ4Oiayxs2O3Flw==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3350

This is a multi-part message in MIME format.

------=_NextPart_000_0001_01C948C9.FE9EB4D0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit

SPF:

keeptechworking.com. IN TXT 14400 "v=spf1 a mx include:websitewelcome.com ~all"

Case #2 Send to me by a client whose domain I host.

Header:

From - Tue Nov 18 08:57:17 2008
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-path: <mta@...>
Envelope-to: John@...
Delivery-date: Tue, 18 Nov 2008 09:56:56 -0600
Received: from t313c0mm by shelby.websitewelcome.com with local-bsmtp ([CENSORED FOR POST])
(envelope-from <mta@...>)
id 1L2Swi-0004Me-2B
for John@...; Tue, 18 Nov 2008 09:56:56 -0600
X-Spam-Checker-Version: SpamAssassin 3.3.0-r613124 (2008-01-18) on
shelby.websitewelcome.com
X-Spam-Level:
X-Spam-Status: No, score=-1.4 required=5.0 tests=ALL_TRUSTED,AWL
shortcircuit=no autolearn=disabled version=3.3.0-r613124
Received: from [208.187.37.147] (port=2700 helo=[172.16.1.128])
by shelby.websitewelcome.com with esmtpa ([CENSORED FOR POST])
(envelope-from <mta@...>)
id 1L2Swh-0004MQ-Uo
for John@...; Tue, 18 Nov 2008 09:56:56 -0600
Message-ID: <4922E5C8.9000808@...>
Date: Tue, 18 Nov 2008 08:56:56 -0700
From: Terry Ambruster <mta@...>
User-Agent: Thunderbird 2.0.0.17 (Windows/20080914)
MIME-Version: 1.0
To: "John C. Reid" <John@...>
Subject: Re: [CENSORED FOR POST]
References: <492243AC.7090807@...>
In-Reply-To: <492243AC.7090807@...>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

SPF:

chastainlaw.net. IN TXT 14400 "v=spf1 a mx include:websitewelcome.com ~all"

Should these not pass verification? Is the error on my end? Is it a bug? Do I not have SPF setup correctly? I really don't know as I have never used your plug-in before, and it is what alerted me to the possibility that something might be wrong with my SPF record. Thank you for your help.

Hi,

I actually started adding that feature a couple of years ago but didn't
end up activating it. I don't remember why.

It would be useful, but I am wary of it because it's hard to know when a
link looks like a URL and when it doesn't. Should "www.y.com" (without
the http:) be disallowed? And "y.com"? And "y. com"?

So I'm not sure.

--
- Josh Tauberer

http://razor.occams.info

"Yields falsehood when preceded by its quotation!  Yields
falsehood when preceded by its quotation!" Achilles to
Tortoise (in "Godel, Escher, Bach" by Douglas Hofstadter)


markem007 wrote:
>
>
> I did post in the Thunderbird area but saw that this group was here
> (and the message messed up after posting and I can't get the
> Thunderbird editor to allow me to make changes so....) :-)
>
> I thought that one addition that would be good would be to have the
> program check for <a href="X">Y</a> in the message's body.
> Checking only for the website and not anything that follows that.
> (Because sometimes they do say just "http://www.y.com
> <http://www.y.com>" in the body of
> a message. So:
>
> <a href="http://www.x.com/A/B?C
> <http://www.x.com/A/B?C>">http://www.x.com <http://www.x.com></a>
>
> would be ok but
>
> <a href="http://www.x.com/R/S/T/U/V
> <http://www.x.com/R/S/T/U/V>">http://www.y.com <http://www.y.com></a>
>
> would not be ok.
>
> I'm sure there are times when a company does "http://mysite.com
> <http://mysite.com>" or
> other different methods of saying their site name, but all this is -
> is a check and even a legitimate company who does the above should
> make someone suspicious of the intent of the company.
>
> And last, but not least, this is faster than having to poll an offsite
> location for information. So you would get immediate feedback about
> the message being suspicious and then, after that the regular poll for
> info could be done.
>
> Just a thought.
>
>

I did post in the Thunderbird area but saw that this group was here
(and the message messed up after posting and I can't get the
Thunderbird editor to allow me to make changes so....)  :-)

I thought that one addition that would be good would be to have the
program check for <a href="X">Y</a> in the message's body.
  Checking only for the website and not anything that follows that.
(Because sometimes they do say just "http://www.y.com" in the body of
a message.  So:

    <a href="http://www.x.com/A/B?C">http://www.x.com</a>

would be ok  but

    <a href="http://www.x.com/R/S/T/U/V">http://www.y.com</a>

would not be ok.

I'm sure there are times when a company does "http://mysite.com" or
other different methods of saying their site name, but all this is -
is a check and even a legitimate company who does the above should
make someone suspicious of the intent of the company.

And last, but not least, this is faster than having to poll an offsite
location for information.  So you would get immediate feedback about
the message being suspicious and then, after that the regular poll for
info could be done.

Just a thought.

Everything is working now.

TXT entry was incorrectly defined. It had redirect=_spf.google.com ~all.

Acording to the rules the "redirect" is never evaluated if exists a
"all"
(http://www.habeas.com/en-US/Support/Knowledge-Base/Sender-Authentication/What-i\
s-the-meaning-of-a-redirect-modifier-in-an-SPF-record/)

Changed the TXT to "include:_spf.google.com ~all" and everything is
working fine.

I have a domain cabritacale.eu hosted on Google, and I have set the
TXT type DNS register for that domain similar with GMail's.

Any email I send from my acount @gmail.com to a third domain passes
verification with SVE when read in Thunderbird.
"The sender was explicitly permited by <_spf.google.com> with SPF."

Any email I send from my account @cabritacale.eu to the same third
domain fails verification with SVE when read in Thunderbird. The SVE
message is:
"This does not appear to be a legitimate <cabritacale.eu> email."
"The sender was not permited by <cabritacale.eu> with SPF."

I analized the headers for both emails and they exit Google through
the same server: ug-out-1314.google.com ([66.249.92.171]).

If the origin server is the same and the TXT record is the same for
both domains why is it that one passes and the other fails?

Sorry for the delay in replying. My bad.

In fact, the add-in was, and is, working fine -- just required some
settings changes.

Cheers
Darren


--- In thunderbird-spf@yahoogroups.com, Joshua Tauberer <jt@...> wrote:
>
> Darren MacDonald wrote:
> > Installed SPF, but nothing being displayed in the expected area above
> > headers. Tried disabling a few extensions -- then tried disabling all,
> > as shown below -- with no luck.
> >
> > Any ideas? TIA!
>
> Hi,
>
> After disabling Thunderbird and restarting it, open up an email and
then
> go to Tools -> Error Console and let me know if there's anything there.
>
> --
> - Josh Tauberer
>
> http://razor.occams.info
>
> "Yields falsehood when preceded by its quotation!  Yields
> falsehood when preceded by its quotation!" Achilles to
> Tortoise (in "Gödel, Escher, Bach" by Douglas Hofstadter)
>

Darren MacDonald wrote:
> Installed SPF, but nothing being displayed in the expected area above
> headers. Tried disabling a few extensions -- then tried disabling all,
> as shown below -- with no luck.
>
> Any ideas? TIA!

Hi,

After disabling Thunderbird and restarting it, open up an email and then
go to Tools -> Error Console and let me know if there's anything there.

--
- Josh Tauberer

http://razor.occams.info

"Yields falsehood when preceded by its quotation!  Yields
falsehood when preceded by its quotation!" Achilles to
Tortoise (in "Gödel, Escher, Bach" by Douglas Hofstadter)

Greetings!

Installed SPF, but nothing being displayed in the expected area above
headers. Tried disabling a few extensions -- then tried disabling all,
as shown below -- with no luck.

Any ideas? TIA!



Generated: Thu Nov 01 2007 19:13:07 GMT-0500 (Eastern Standard Time)
User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
rv:1.8.1.6) Gecko/20070728 Thunderbird/2.0.0.6
Build ID: 2007072817

Enabled Extensions: [2]
- MR Tech Local Install 5.3.2.6:
http://www.mrtech.com/extensions/local_install/
- Sender Verification Extension 0.9.0.1: http://razor.occams.info/code/spf

Disabled Extensions: [21]
- Allow HTML temp 1.0.3:
http://www.thunderbird-mail.de/wiki/Allow_HTML_temp_(english)
- Buttons! 0.5.3.2: http://www.chuonthis.com/extensions/
- CallingID Link Advisor 1.0.0.37: http://www.callingid.com/
- Console˛ 0.3.8: http://console2.mozdev.org/index.html
- Delete Junk Context Menu 0.3.2.1: http://www.chuonthis.com/extensions/
- Display mail route 0.2.2:
http://www.cweiske.de/misc_extensions.htm#mailroute
- Display Mail User Agent Extension 1.3.2:
http://www.cweiske.de/misc_extensions.htm#dispMUA
- Display mailing list header 0.3.2:
http://www.cweiske.de/misc_extensions.htm#mailinglistheader
- DOM Inspector 1.8.1.2: http://www.mozilla.org/projects/inspector/
- FolderFlags 1.0:
http://ryanlee.org/software/mozilla/thunderbird/folderflags/
- header scroll extension 0.3.2:
http://www.cweiske.de/misc_extensions.htm#headerScroll
- Headers Toggle 0.5.2.2: http://soua.net/extensions/
- InspectorWidget 2.11.20070812: http://www.projectit.com/
- MinimizeToTray 0.0.1.2006102615+: http://minimizetotray.mozdev.org/
- Remove Duplicate Messages 0.1.02: http://www.tws-home.de
- Spamato4Thunderbird 0.99.1.4: http://www.spamato.net/
- Talkback 2.0.0.6: http://talkback.mozilla.org/
- WebMail 1.2.5: http://webmail.mozdev.org
- WebMail - GMail 0.5.9: http://webmail.mozdev.org
- WebMail - Hotmail 1.2.10: http://webmail.mozdev.org
- WebMail - Yahoo 1.3.0: http://webmail.mozdev.org

Total Extensions: 23

Installed Themes: [1]
- Thunderbird (default): http://www.mozilla.org/

John L. Galt wrote:
>  > But, yes, there will be an option. There is an existing option to turn
>  > off the DNSRBL checks, and that option will be co-opted to turn on and
>  > off all of the white list checks too.
  >
> Would it be more advantageous to include 'separate' options for each
> of these, allow the end user more flexibility on which checks they
> would prefer to include?
>
> Or would that be more of a logistic nightmare than you want?

I wouldn't say a nightmare, but more options is more annoying to
program, and more difficult for the user to process (esp. if the options
window has to explain what a DNS blacklist is and a DNS whitelist is).
They group into a natural class to me, all of the blacklists/whitelists.

--
- Josh Tauberer

http://razor.occams.info

"Yields falsehood when preceded by its quotation!  Yields
falsehood when preceded by its quotation!" Achilles to
Tortoise (in "Gödel, Escher, Bach" by Douglas Hofstadter)

--- In thunderbird-spf@yahoogroups.com, Joshua Tauberer <jt@...> wrote:
>
> invisibilldotnet wrote:
> >  > Okay, great, thanks for the info. I think I'm going to include
that and
> >  > dnswl.org in the next update. For dnswl.org, when they report
high or
> >  > medium trust level (and when SPF also passes), the extension
will say
> >  > "High Trust" or "Medium Trust". I'm not sure what message to
use for
> >  > Sender Score Certified. "Medium Trust"?
> >
> > I personally vote against this. I use this extension simply because
> > all it does is SPF checking. If you want to turn it into a full-blown
> > anti-spam solution, go ahead and add DNSWLs, and you might as well
> > throw in DNSBLs too.
>
> DNSBLs have been in the extension for a while now!
>
> But, the goal of the extension is to provide a tool against phishing
> (not a mere SPF checker), and while SPF gives you authentication, it
> doesn't tell you whether the sender is trustworthy. I'm not adding
these
> because they help identify spam, but rather because they help identify
> domains sending SPF-passing mail that are nevertheless malicious
(domain
> look-alikes, for instance). Whether white lists are actually helpful at
> this is yet to be seen, but judging from the blacklists (SURBL and
> Spamhaus), I expect it'll have *some* value.
>
> As for whether DNSWLs are going to become vindictive and arbitrary ---
> at that point, I can take them out of the extension. That's why I asked
> the list about SSC. Until then, so long as they're useful for
> identifying phishing, I think it's a plus to include.
>
> But, yes, there will be an option. There is an existing option to turn
> off the DNSRBL checks, and that option will be co-opted to turn on and
> off all of the white list checks too.
>
> --
> - Josh Tauberer
>
> http://razor.occams.info
>
> "Yields falsehood when preceded by its quotation!  Yields
> falsehood when preceded by its quotation!" Achilles to
> Tortoise (in "Gödel, Escher, Bach" by Douglas Hofstadter)
>
Would it be more advantageous to include 'separate' options for each
of these, allow the end user more flexibility on which checks they
would prefer to include?

Or would that be more of a logistic nightmare than you want?

Yahoo! does not do SPF.  They also don't do DKIM yet.  If you go to DKIM you
need to be careful because not everyone (google/gmail for example) has
upgraded to use the final version yet.

Scott K


On Tuesday 14 August 2007 17:09, Dave Brondsema wrote:
> I get many emails from yahoo that pass DKIM and do not have SPF records
> (I don't think.. this according to the spamassassin rule hits for the
> email).  In fact, it is true of this very email via yahoogroups.com
>
> I would be interested in continuing support of it.  Reimplementing for
> DKIM instead of DK would be nice, but obviously more work.  I will see
> if I can get another query server running.. no promises :)  I'll
> double-check SPF on yahoo emails too.
>
> Joshua Tauberer wrote:
> > I'm thinking of dropping support for DomainKeys from the extension
> > because 1) I'm having a non-trivial time installing the needed Perl
> > modules on my new web server to do the server-side half of it, and 2)
> > I'm not so interested anymore in providing a DK-checking server for
> > users of the extension (which existed since programming those checks
> > within the extension was difficult to program) since it uses up server
> > resources (that not much, but enough to notice).
> >
> > In my personal experience, very few mails fail SPF checks and have a DK
> > header. So I won't miss it, although I thought it was neat to have.
> >
> > This is a last call in case it's actually important to anyone. If you
> > want to help, you could:
> >
> >    * Provide a new public 'query server' to do the server-side checks
> >    * Implement the checks in native code within the extension to
> >       avoid the need for a query server
> >    * And optionally reimplement these things to conform to the new
> >      DKIM spec that replaces DK.

I get many emails from yahoo that pass DKIM and do not have SPF records
(I don't think.. this according to the spamassassin rule hits for the
email).  In fact, it is true of this very email via yahoogroups.com

I would be interested in continuing support of it.  Reimplementing for
DKIM instead of DK would be nice, but obviously more work.  I will see
if I can get another query server running.. no promises :)  I'll
double-check SPF on yahoo emails too.

Joshua Tauberer wrote:
> I'm thinking of dropping support for DomainKeys from the extension
> because 1) I'm having a non-trivial time installing the needed Perl
> modules on my new web server to do the server-side half of it, and 2)
> I'm not so interested anymore in providing a DK-checking server for
> users of the extension (which existed since programming those checks
> within the extension was difficult to program) since it uses up server
> resources (that not much, but enough to notice).
>
> In my personal experience, very few mails fail SPF checks and have a DK
> header. So I won't miss it, although I thought it was neat to have.
>
> This is a last call in case it's actually important to anyone. If you
> want to help, you could:
>
>    * Provide a new public 'query server' to do the server-side checks
>    * Implement the checks in native code within the extension to
>       avoid the need for a query server
>    * And optionally reimplement these things to conform to the new
>      DKIM spec that replaces DK.
>


--
Dave Brondsema
Software Developer
Cornerstone University

I'm thinking of dropping support for DomainKeys from the extension
because 1) I'm having a non-trivial time installing the needed Perl
modules on my new web server to do the server-side half of it, and 2)
I'm not so interested anymore in providing a DK-checking server for
users of the extension (which existed since programming those checks
within the extension was difficult to program) since it uses up server
resources (that not much, but enough to notice).

In my personal experience, very few mails fail SPF checks and have a DK
header. So I won't miss it, although I thought it was neat to have.

This is a last call in case it's actually important to anyone. If you
want to help, you could:

    * Provide a new public 'query server' to do the server-side checks
    * Implement the checks in native code within the extension to
       avoid the need for a query server
    * And optionally reimplement these things to conform to the new
      DKIM spec that replaces DK.

--
- Josh Tauberer

http://razor.occams.info

"Yields falsehood when preceded by its quotation!  Yields
falsehood when preceded by its quotation!" Achilles to
Tortoise (in "Gödel, Escher, Bach" by Douglas Hofstadter)

invisibilldotnet wrote:
>  > Okay, great, thanks for the info. I think I'm going to include that and
>  > dnswl.org in the next update. For dnswl.org, when they report high or
>  > medium trust level (and when SPF also passes), the extension will say
>  > "High Trust" or "Medium Trust". I'm not sure what message to use for
>  > Sender Score Certified. "Medium Trust"?
>
> I personally vote against this. I use this extension simply because
> all it does is SPF checking. If you want to turn it into a full-blown
> anti-spam solution, go ahead and add DNSWLs, and you might as well
> throw in DNSBLs too.

DNSBLs have been in the extension for a while now!

But, the goal of the extension is to provide a tool against phishing
(not a mere SPF checker), and while SPF gives you authentication, it
doesn't tell you whether the sender is trustworthy. I'm not adding these
because they help identify spam, but rather because they help identify
domains sending SPF-passing mail that are nevertheless malicious (domain
look-alikes, for instance). Whether white lists are actually helpful at
this is yet to be seen, but judging from the blacklists (SURBL and
Spamhaus), I expect it'll have *some* value.

As for whether DNSWLs are going to become vindictive and arbitrary ---
at that point, I can take them out of the extension. That's why I asked
the list about SSC. Until then, so long as they're useful for
identifying phishing, I think it's a plus to include.

But, yes, there will be an option. There is an existing option to turn
off the DNSRBL checks, and that option will be co-opted to turn on and
off all of the white list checks too.

--
- Josh Tauberer

http://razor.occams.info

"Yields falsehood when preceded by its quotation!  Yields
falsehood when preceded by its quotation!" Achilles to
Tortoise (in "Gödel, Escher, Bach" by Douglas Hofstadter)

--- In thunderbird-spf@yahoogroups.com, Joshua Tauberer <jt@...> wrote:
>
> Okay, great, thanks for the info. I think I'm going to include that and
> dnswl.org in the next update. For dnswl.org, when they report high or
> medium trust level (and when SPF also passes), the extension will say
> "High Trust" or "Medium Trust". I'm not sure what message to use for
> Sender Score Certified. "Medium Trust"?

I personally vote against this.  I use this extension simply because
all it does is SPF checking.  If you want to turn it into a full-blown
anti-spam solution, go ahead and add DNSWLs, and you might as well
throw in DNSBLs too.

These DNSWLs are no different from all the DNSBLs out there.  You're
still relying on a third party to determine what email is good or bad.
  SPF simply tells you if the sender of an email matches its domain,
while these DNS_Ls separate email (based on the source) into good and
bad, based on their own criteria.  These seem like good, professional
companies making qualified decisions, but you're still trusting them
that much.  Maybe they'll turn into the vindictive jerks that are
common with DNSBLs.  Maybe they'll turn into the blackmailing bully,
holding large sites' emails hostage unless they pay the fee.

If you do add this in, please also add an option to disable the feature.

Matthew Elvey wrote:
> On 8/10/07 2:44 PM, Joshua Tauberer wrote:
>> --- In thunderbird-spf@yahoogroups.com, Matthew Elvey <matthew@...> wrote:
>>
>>> On 8/10/07 8:14 AM, Joshua Tauberer wrote:
>>>
>>>> Does anyone know about the DNS whitelist Sender Score Certified?
>>>>
>>>> http://www.bondedsender.org/senderscorecertified/
>>>>
>>>>
>>>>
>>> Sender Score Certified, formerly known as Bonded Sender - it's been
>>> around for ages.
>>> http://en.wikipedia.org/wiki/Whitelist
>>>
>> So what I really meant was, do you think it is worth using in the
>> extension to report some trust information about the domain?
  >
> Summary: I do.
>
> Detail:
> Bonded Sender is used by high volume senders that at a minimum, respect
> unsubscribes and don't hide who they are.

Okay, great, thanks for the info. I think I'm going to include that and
dnswl.org in the next update. For dnswl.org, when they report high or
medium trust level (and when SPF also passes), the extension will say
"High Trust" or "Medium Trust". I'm not sure what message to use for
Sender Score Certified. "Medium Trust"?

--
- Josh Tauberer

http://razor.occams.info

"Yields falsehood when preceded by its quotation!  Yields
falsehood when preceded by its quotation!" Achilles to
Tortoise (in "Gödel, Escher, Bach" by Douglas Hofstadter)

--- In thunderbird-spf@yahoogroups.com, "John L. Galt" <johnlgalt@...>
wrote:
>
> --- In thunderbird-spf@yahoogroups.com, Joshua Tauberer <jt@> wrote:
> >
> > John L. Galt wrote:
> > > But, now, I have a new problem. Same router, same computer, but new
> > > hardware
> >
> > Don't bang your head about it --- it's a problem on my end. I'm in
the
> > process of moving to a new web server, and occams.info points to the
> new
> > server, but it's not running DNS on port 9053 yet. You could use
> > instead:  govtrack.us:9053
>
> Will do.  Thanks for the info!  BTW, nice work on the govtrack site!

Thanks!

> Also, is the govtrack.us going
> ot be permanent?  If not, other than monitoring this group discussion,
> when will we know when ot change it back to occams.info?  When (I
> assume) the govtrack stops working?

If it stops working, email the list again because it means I forgot to
set it up properly on the new server before govtrack.us shifts over to
the new server too. (So, it's permanent in the sense that it should
continue to work, but the old address will start working again once I
fix that some time this month.)

- Josh

--- In thunderbird-spf@yahoogroups.com, Matthew Elvey <matthew@...> wrote:
>
> On 8/10/07 8:14 AM, Joshua Tauberer wrote:
> > Does anyone know about the DNS whitelist Sender Score Certified?
> >
> > http://www.bondedsender.org/senderscorecertified/
> >
> >
> Sender Score Certified, formerly known as Bonded Sender - it's been
> around for ages.
> http://en.wikipedia.org/wiki/Whitelist

So what I really meant was, do you think it is worth using in the
extension to report some trust information about the domain? (I have
in mind the extension helping to distinguish, e.g., paypal.com from
paypai.com, where in both cases the email passed SPF.)

- Josh

govtrack.us:9053 works like a champ (after the required restart of Tb).

Thanks again!

On 8/10/07 8:14 AM, Joshua Tauberer wrote:
> Does anyone know about the DNS whitelist Sender Score Certified?
>
> http://www.bondedsender.org/senderscorecertified/
>
>
Sender Score Certified, formerly known as Bonded Sender - it's been
around for ages.
http://en.wikipedia.org/wiki/Whitelist

--- In thunderbird-spf@yahoogroups.com, Joshua Tauberer <jt@...> wrote:
>
> John L. Galt wrote:
> > But, now, I have a new problem. Same router, same computer, but new
> > hardware
>
> Don't bang your head about it --- it's a problem on my end. I'm in the
> process of moving to a new web server, and occams.info points to the
new
> server, but it's not running DNS on port 9053 yet. You could use
> instead:  govtrack.us:9053

Will do.  Thanks for the info!  BTW, nice work on the govtrack site!

>
> > Since it worked before, and since the router itself has not changed at
> > all, could this possibly be a problem related to Windows Live OneCare
> > and it's native firewall? If so, is there a way to configure a FW in
> > general that allows a pass-through on port 9053? Would I configure
> > this to be open for Tb, or is there a separate executable I need
to allow?
>
> I hope the problem *is* on my end because I have no idea about any
of that.
>

I'll post back here and let you know.  Also, is the govtrack.us going
ot be permanent?  If not, other than monitoring this group discussion,
when will we know when ot change it back to occams.info?  When (I
assume) the govtrack stops working?

> --
> - Josh Tauberer
>
> http://razor.occams.info
>
> "Yields falsehood when preceded by its quotation!  Yields
> falsehood when preceded by its quotation!" Achilles to
> Tortoise (in "Gödel, Escher, Bach" by Douglas Hofstadter)
>