Heho,

Thank you all for your feedback, and especially to Simon for pointing out the issue in February. This should, of course, not happen, and is part of the reason why we are moving this to strict opt-in measurements. I discussed your points with the project lead (Taejoong “tijay” Chung <ti...@vt.edu>), who asked me to share his message below with the list.

With best regards,
Tobias

Dear Simon Arlott and community members,

This is Tijay Chung (Virginia Tech), who is the principal investigator in this project. Since my list registration request has not been processed yet, I've asked my colleague, Tobias, who joined the team for this project as a collaborator in June, to share this post.

First of all, I would like to thank you all for your feedback. We certainly did not apply proper care in executing this project, and will make sure that our future actions are not as intrusive as our past measurements. Furthermore, we do agree that the RFC should be amended; after all, part of our research question is finding out what a reasonable limit and recommendation would be.

Also, I want to sincerely apologize for the incident that happened in February. Back then, we sent out emails for randomly chosen domains with the description of who we are and why we are doing this, and the link for the webpage for further details (the email that Simon attached; and we, by now, understood that this is not the right way of measuring such an issue). In the excitement of kicking off this project, we missed a flaw in our implementation. We had planned to limit the number of maximum SPF queries to around 300, but our implementation of the algorithm that generates SPF recursion trees kept creating more nodes. Thankfully, some email administrators reported this flaw. As soon as we received the reports, we immediately shut it down and applied a patch ensuring we only serve 300 SPF records per mail at most.

We now understand that we should have applied more care in setting up our measurement infrastructure, and should have followed a voluntary participation approach, properly informing participants about the risks of the experiments, as we now try to do with the self-measurement website.
Furthermore, we also shifted towards a structured analysis of various SMTP server and SPF plugin/SPAM filter combinations to get a less intrusive picture of the problem space. Similarly, we are using passive DNS data to get a better picture of the practical needs in terms of the number of DNS lookups needed for SPF used in production. Of course we will share these results with the community as soon as we have compiled a report.

Regarding the website, we have received valuable feedback such as adding functionality for participants to keep track of their SPF request history, and providing a form of double-opt-in to ensure people actually control the email addresses requesting a test-mail. We are shutting the website down for a moment to implement them.

I would like to apologize again for what happened and thank you so much for the valuable feedback.

Sincerely,
Taejoong “Tijay” Chung.

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop