On Thu, Apr 23, 2009 at 03:32:49PM +1000, Aaron Mason wrote:
> On Thu, Apr 23, 2009 at 10:30 AM, Stuart Henderson <s...@spacehopper.org>
> wrote:
> >
> > I see a tiny little problem with this method... sometimes people send
> > spam from domains whose DNS they control.
>
> If this is the case, then you have an almost direct pointer to the cause.
>
> The only way this wouldn't work is if the SPF records get spoofed as a
> result of a lazy sysadmin not updating the DNS server with a more
> secure version.
Huh? Spammers have been using throwaway domains for ages. Adding an SPF
record to their own domains has been trivial. No spoofing required.

Basically, you're accepting input from the bad guys and treating it as
valid and trusted. Bad idea.

> You could blacklist domains that fraudulently pass the SPF filter, but
> that would defeat the purpose - you'd be working as hard as you would
> be if you were maintaining manual whitelists or blacklists.

Auto-whitelisting based on input from the spammer is bad. You may as well
save yourself the trouble and not use spamd.
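To make the point of the reply above concrete, here is an added example (not code from the thread, spamd, or any of the posters): a deliberately minimal SPF evaluator run against constructed DNS TXT records. The domains, addresses and records are invented for illustration; the evaluator supports only the ip4/ip6/all mechanisms, a small subset of RFC 7208. It shows that a domain whose DNS the spammer controls gets exactly the same "pass" as a legitimate one, so a whitelist keyed on an SPF pass ends up whitelisting whatever the spammer chose to publish.

```python
"""Added example: why an SPF 'pass' is not evidence of trustworthiness.

An SPF pass only means the domain owner authorised the sending host. When
the domain owner *is* the spammer, that authorisation is worthless as a
whitelist signal. Everything below is constructed for illustration; no
real DNS is consulted.
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups (hypothetical domains/addresses).
TXT_RECORDS = {
    "legit.example": "v=spf1 ip4:192.0.2.10 -all",
    # A throwaway domain whose DNS the spammer controls. Publishing this
    # record costs the spammer nothing and requires no "spoofing".
    "spammer.example": "v=spf1 ip4:203.0.113.0/24 -all",
    # A domain with no SPF record at all.
    "nospf.example": None,
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(domain, records=TXT_RECORDS):
    """Return the constructed TXT record for a domain, or None."""
    return records.get(domain)


def check_spf(domain, sender_ip, records=TXT_RECORDS):
    """Evaluate a v=spf1 record for sender_ip.

    Supports only the ip4:, ip6: and all mechanisms with +/-/~/? qualifiers.
    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.
    """
    record = lookup_txt(domain, records)
    if not record or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            try:
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif mech == "all":
            matched = True
        else:
            # a, mx, include, exists, ... are not implemented in this toy.
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    # Record ended without a matching mechanism: default result is neutral.
    return "neutral"


def naive_autowhitelist(domain, sender_ip, whitelist, records=TXT_RECORDS):
    """The scheme the reply criticises: whitelist any sender IP whose
    domain's own SPF record authorises it. Returns the SPF result."""
    result = check_spf(domain, sender_ip, records)
    if result == "pass":
        whitelist.add(sender_ip)
    return result


def demo():
    """Run both a legitimate and a spammer-controlled domain through the
    naive auto-whitelist and return the resulting whitelist."""
    whitelist = set()
    naive_autowhitelist("legit.example", "192.0.2.10", whitelist)
    naive_autowhitelist("legit.example", "203.0.113.7", whitelist)   # fail
    naive_autowhitelist("spammer.example", "203.0.113.7", whitelist)  # pass
    naive_autowhitelist("nospf.example", "198.51.100.1", whitelist)   # none
    return whitelist


if __name__ == "__main__":
    for dom, ip in [("legit.example", "192.0.2.10"),
                    ("spammer.example", "203.0.113.7"),
                    ("nospf.example", "198.51.100.1")]:
        print(f"{dom:16} {ip:14} -> {check_spf(dom, ip)}")
    print("auto-whitelisted:", sorted(demo()))
```

The spammer's /24 lands on the whitelist alongside the legitimate host, with nothing in the SPF result to tell the two apart; the only thing the check ever verified was data the sender published about themselves.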