RE: [Declude.JunkMail] SPFPass - good or bad?
I use SPFFail to add weight to test to a message, but like you I have also seen spammers creating SPF records, which in turn allows them to get lower score with SPFPass. As a result, we no long find that SPFPass is a useful in detecting spam. David Kornitz / Cornerstone Computer Solutions, Inc, -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Dodell Sent: Thursday, September 08, 2005 12:28 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] SPFPass - good or bad? I've noticed a bunch of spam with SPFPass grades that have negated the spam databases (I have SPFPass at -5) ... is anyone finding that SPFPass is working with spammers using legitimate ISP's? david - Internet Dental Forum www.internetdentalforum.org Dentalcast Podcast www.dentalcast.net --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SPFPass - good or bad?
Hi David - I like the spfpass test - coupled with filters it does help aginst false positives. [I prepend all my tests with the test type - thanks Kami! - it makes these filters easier to write -] Here is my spfgood filter - I score it with a -12: SKIPIFWEIGHT26 TESTSFAILEDENDNOTCONTAINSTEST.SPFPASS TESTSFAILEDENDCONTAINSIP4R. TESTSFAILEDENDCONTAINSDNSBL. TESTSFAILEDENDCONTAINSRHSBL. TESTSFAILEDENDCONTAINSSNIFFER.. TESTSFAILEDENDCONTAINSEXTERNAL. TESTSFAILEDENDCONTAINSIPFILE.HOSTS TESTSFAILEDENDCONTAINSIPFILE.NETWORK TESTSFAILEDENDCONTAINSIPFILE.SUSPICIOUS #if it gets to here it is is clean REMOTEIP0CONTAINS. Here is my spfmaybe combo filter which I score with a -3: SKIPIFWEIGHT26 TESTSFAILEDENDNOTCONTAINSTEST.SPFPASS TESTSFAILEDENDCONTAINS.SBL TESTSFAILEDENDCONTAINS.XBL TESTSFAILEDENDCONTAINS.CBL TESTSFAILEDENDCONTAINS.MPL #if it gets to here it is not listed in dnsbl's I trust TESTSFAILED0CONTAINSIP4RW. [whitelist ip4r tests] TESTSFAILED0CONTAINSDNSBLW. [whitelist dnsbl tests] -Nick David Dodell wrote: I've noticed a bunch of spam with SPFPass grades that have negated the spam databases (I have SPFPass at -5) ... is anyone finding that SPFPass is working with spammers using legitimate ISP's? david - Internet Dental Forum www.internetdentalforum.org Dentalcast Podcast www.dentalcast.net --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SPFPass - good or bad?
David, Since the start of SPF I have seen a steady adoption of SPF by spammers. Their really is nothing that stops them from using it. My suggestion is not applying negative weight for SPFPASS. Darrell --- invURIBL - Intelligent URI Filtering. Stops 85%+ SPAM with the default configuration. Download a copy today - http://www.invariantsystems.com - Original Message - From: David Dodell [EMAIL PROTECTED] To: declude.junkmail@declude.com Sent: Thursday, September 08, 2005 1:28 AM Subject: [Declude.JunkMail] SPFPass - good or bad? I've noticed a bunch of spam with SPFPass grades that have negated the spam databases (I have SPFPass at -5) ... is anyone finding that SPFPass is working with spammers using legitimate ISP's? david - Internet Dental Forum www.internetdentalforum.org Dentalcast Podcast www.dentalcast.net --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SPFPass - good or bad?
Be careful of using spfpass. Spammers can use SPF, too! We do not give any credit for passing SPF, only a penalty for failing which too many email admins set up but allow their networks to send email from machines not listed in their SPF record :(. Darin. - Original Message - From: Nick Hayer [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Thursday, September 08, 2005 8:40 AM Subject: Re: [Declude.JunkMail] SPFPass - good or bad? Hi David - I like the spfpass test - coupled with filters it does help aginst false positives. [I prepend all my tests with the test type - thanks Kami! - it makes these filters easier to write -] Here is my spfgood filter - I score it with a -12: SKIPIFWEIGHT26 TESTSFAILEDENDNOTCONTAINSTEST.SPFPASS TESTSFAILEDENDCONTAINSIP4R. TESTSFAILEDENDCONTAINSDNSBL. TESTSFAILEDENDCONTAINSRHSBL. TESTSFAILEDENDCONTAINSSNIFFER.. TESTSFAILEDENDCONTAINSEXTERNAL. TESTSFAILEDENDCONTAINSIPFILE.HOSTS TESTSFAILEDENDCONTAINSIPFILE.NETWORK TESTSFAILEDENDCONTAINSIPFILE.SUSPICIOUS #if it gets to here it is is clean REMOTEIP0CONTAINS. Here is my spfmaybe combo filter which I score with a -3: SKIPIFWEIGHT26 TESTSFAILEDENDNOTCONTAINSTEST.SPFPASS TESTSFAILEDENDCONTAINS.SBL TESTSFAILEDENDCONTAINS.XBL TESTSFAILEDENDCONTAINS.CBL TESTSFAILEDENDCONTAINS.MPL #if it gets to here it is not listed in dnsbl's I trust TESTSFAILED0CONTAINSIP4RW. [whitelist ip4r tests] TESTSFAILED0CONTAINSDNSBLW. [whitelist dnsbl tests] -Nick David Dodell wrote: I've noticed a bunch of spam with SPFPass grades that have negated the spam databases (I have SPFPass at -5) ... is anyone finding that SPFPass is working with spammers using legitimate ISP's? david - Internet Dental Forum www.internetdentalforum.org Dentalcast Podcast www.dentalcast.net --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] SPFPass - good or bad?
Looking at the last 80.000 messages on our Mailserver SPFPASS has had a positive result on 11% Following the final weight after all spam tests 7 from this 11% was right. The other 4% was a wrong result. SPFFAIL will only catch around 1% of all processed messages. Nearly all of the catched right as spam. Only 0.12% has had a wrong result. Markus -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Dodell Sent: Thursday, September 08, 2005 7:28 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] SPFPass - good or bad? I've noticed a bunch of spam with SPFPass grades that have negated the spam databases (I have SPFPass at -5) ... is anyone finding that SPFPass is working with spammers using legitimate ISP's? david - Internet Dental Forum www.internetdentalforum.org Dentalcast Podcast www.dentalcast.net --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SPFPass - good or bad?
On 09:01 AM 9/8/2005 -0400, it would appear that Darin Cox wrote: Be careful of using spfpass. Spammers can use SPF, too! We do not give any credit for passing SPF, only a penalty for failing which too many email admins set up but allow their networks to send email from machines not listed in their SPF record :(. Darin. Personally, I find SPF to be worthless in all cases. To begin with, the only SPAM it could halt (in a perfect setup) is SPAM sent through unauthorized servers. As already noted, SPAM can be sent legitimately from a server using SPF. Also, current best practices break SPF. The current wisdom is to block outgoing port 25 and force the clients to only send mail through the local mail server. That sounds good on the surface but such a practice and SPF cannot live together. Example: Employer QRS.com has a beautiful SPF record, clean SPAM record and encourages their employees to telecommute. John, a QRS.com employee, is working from home today and needs to send some updated information to one of QRS.com's customer. John's ISP (ISPXYZ) blocks outbound 25 and forces its clients to send all email through the ISPXYZ mail server. John, not wanting to confuse his customers by sending the information via his ISPXYZ account, uses SMTP Auth and sends his email using his @QRS.com address via the IXPXYZ server. That message, which is completely legitimate AND which follows all current best practices, will fail any SPF test. True, John could request that ISPXYZ be added to the QRS.com SPF record but do you really want to keep track of every mail server that your employees may have legitimate cause to use in sending mail from your domain? I know I don't and we have only a small number of employees and would only have to deal with this while employees are out of town attending conferences or training. The only way SPF could be used reliably is if A) port 25 were thrown wide open again and B) mail servers were reconfigured to ONLY send mail for their own domain. Then in the above scenario, John sends his QRS.com mail from home via the QRS.com mail server and both QRS.com's and ISPXYZ's mail servers would refuse to send mail for any domain but their own. Then all QRS.com's mail would pass SPF and all the mail that ISPXYZ's server sends would also pass SPF. Tyran Ormond Programmer/LAN Administrator Central Valley Water Reclamation Facility [EMAIL PROTECTED] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] SPFPass - good or bad?
John, not wanting to confuse his customers by sending the information via his ISPXYZ account, uses SMTP Auth and sends his email using his @QRS.com address via the IXPXYZ server. That would not be wise. Instead, he'll use SMTP AUTH on port 587 to send his mail using the @QRS.com address via the QRS.com mail server. Declude WHITELIST AUTH takes priority over SPF and Imail 8.2x is capable of answering on more than one port (e.g., 587). I've been an early adopter of SPF, running it for quick a long time and don't have any problem with my own customers failing SPF. SPFPASS has to be used with care, I agree. If spammers use SPFPASS then their SPF record makes it easy for us to block all their permitted IP addresses, since they are committing themselves to those. I think it's a good idea to first check the IP blacklists and NOT give credit for SPFPASS unless the IP blacklists come back clean. In essence, you are giving SPFPASS credit only to counteract some other tests (such as content and header checking). (One could even go a step further and check multiple trusted blacklist sources - if an IP is listed in several, the SPFPASS could be used to ADD weight - but that's just a theory.) Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax:+1 201 934-9206 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tyran Ormond Sent: Thursday, September 08, 2005 09:59 AM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] SPFPass - good or bad? On 09:01 AM 9/8/2005 -0400, it would appear that Darin Cox wrote: Be careful of using spfpass. Spammers can use SPF, too! We do not give any credit for passing SPF, only a penalty for failing which too many email admins set up but allow their networks to send email from machines not listed in their SPF record :(. Darin. Personally, I find SPF to be worthless in all cases. To begin with, the only SPAM it could halt (in a perfect setup) is SPAM sent through unauthorized servers. As already noted, SPAM can be sent legitimately from a server using SPF. Also, current best practices break SPF. The current wisdom is to block outgoing port 25 and force the clients to only send mail through the local mail server. That sounds good on the surface but such a practice and SPF cannot live together. Example: Employer QRS.com has a beautiful SPF record, clean SPAM record and encourages their employees to telecommute. John, a QRS.com employee, is working from home today and needs to send some updated information to one of QRS.com's customer. John's ISP (ISPXYZ) blocks outbound 25 and forces its clients to send all email through the ISPXYZ mail server. John, not wanting to confuse his customers by sending the information via his ISPXYZ account, uses SMTP Auth and sends his email using his @QRS.com address via the IXPXYZ server. That message, which is completely legitimate AND which follows all current best practices, will fail any SPF test. True, John could request that ISPXYZ be added to the QRS.com SPF record but do you really want to keep track of every mail server that your employees may have legitimate cause to use in sending mail from your domain? I know I don't and we have only a small number of employees and would only have to deal with this while employees are out of town attending conferences or training. The only way SPF could be used reliably is if A) port 25 were thrown wide open again and B) mail servers were reconfigured to ONLY send mail for their own domain. Then in the above scenario, John sends his QRS.com mail from home via the QRS.com mail server and both QRS.com's and ISPXYZ's mail servers would refuse to send mail for any domain but their own. Then all QRS.com's mail would pass SPF and all the mail that ISPXYZ's server sends would also pass SPF. Tyran Ormond Programmer/LAN Administrator Central Valley Water Reclamation Facility [EMAIL PROTECTED] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SPFPass - good or bad?
Not true. We find SPF to be extremely useful in stopping spoofing from domains we host, and there really is no reason for anyone to fail SPF... when it happens it's the result of poor management on the part of the mail admins. Regarding the situation you outlined, SPF can be easily configured to specify the server that mail is forced through as the sending server. SPF records can also be designed to inherit other SPF records, so if an ISP has SPF defined, then customers who manage their own SPF records can specify to inherit the ISPs SPF record, thus avoiding having to know and specify all of the ISPs sending servers. So, the example you gave is incomplete and can easily be handled by SPF. Darin. - Original Message - From: Tyran Ormond [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Thursday, September 08, 2005 9:58 AM Subject: Re: [Declude.JunkMail] SPFPass - good or bad? On 09:01 AM 9/8/2005 -0400, it would appear that Darin Cox wrote: Be careful of using spfpass. Spammers can use SPF, too! We do not give any credit for passing SPF, only a penalty for failing which too many email admins set up but allow their networks to send email from machines not listed in their SPF record :(. Darin. Personally, I find SPF to be worthless in all cases. To begin with, the only SPAM it could halt (in a perfect setup) is SPAM sent through unauthorized servers. As already noted, SPAM can be sent legitimately from a server using SPF. Also, current best practices break SPF. The current wisdom is to block outgoing port 25 and force the clients to only send mail through the local mail server. That sounds good on the surface but such a practice and SPF cannot live together. Example: Employer QRS.com has a beautiful SPF record, clean SPAM record and encourages their employees to telecommute. John, a QRS.com employee, is working from home today and needs to send some updated information to one of QRS.com's customer. John's ISP (ISPXYZ) blocks outbound 25 and forces its clients to send all email through the ISPXYZ mail server. John, not wanting to confuse his customers by sending the information via his ISPXYZ account, uses SMTP Auth and sends his email using his @QRS.com address via the IXPXYZ server. That message, which is completely legitimate AND which follows all current best practices, will fail any SPF test. True, John could request that ISPXYZ be added to the QRS.com SPF record but do you really want to keep track of every mail server that your employees may have legitimate cause to use in sending mail from your domain? I know I don't and we have only a small number of employees and would only have to deal with this while employees are out of town attending conferences or training. The only way SPF could be used reliably is if A) port 25 were thrown wide open again and B) mail servers were reconfigured to ONLY send mail for their own domain. Then in the above scenario, John sends his QRS.com mail from home via the QRS.com mail server and both QRS.com's and ISPXYZ's mail servers would refuse to send mail for any domain but their own. Then all QRS.com's mail would pass SPF and all the mail that ISPXYZ's server sends would also pass SPF. Tyran Ormond Programmer/LAN Administrator Central Valley Water Reclamation Facility [EMAIL PROTECTED] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SPFPass - good or bad?
On 10:32 AM 9/8/2005 -0400, it would appear that Darin Cox wrote: Regarding the situation you outlined, SPF can be easily configured to specify the server that mail is forced through as the sending server. SPF records can also be designed to inherit other SPF records, so if an ISP has SPF defined, then customers who manage their own SPF records can specify to inherit the ISPs SPF record, thus avoiding having to know and specify all of the ISPs sending servers. That still means that I have to setup includes for each of the possible sending domains, still unacceptable and reason enough for me to discard SPF completely. Tyran Ormond Programmer/LAN Administrator Central Valley Water Reclamation Facility [EMAIL PROTECTED] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SPFPass - good or bad?
You have to set up an SPF record for each of the domains anyway, since the SPF record resides in the DNS of the sending domain, so I don't see that it's a big deal. Bottom line: It's a useful tool. Not as useful as originally intended, but still useful. Use it or don't at your discretion. Darin. - Original Message - From: Tyran Ormond [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Thursday, September 08, 2005 11:09 AM Subject: Re: [Declude.JunkMail] SPFPass - good or bad? On 10:32 AM 9/8/2005 -0400, it would appear that Darin Cox wrote: Regarding the situation you outlined, SPF can be easily configured to specify the server that mail is forced through as the sending server. SPF records can also be designed to inherit other SPF records, so if an ISP has SPF defined, then customers who manage their own SPF records can specify to inherit the ISPs SPF record, thus avoiding having to know and specify all of the ISPs sending servers. That still means that I have to setup includes for each of the possible sending domains, still unacceptable and reason enough for me to discard SPF completely. Tyran Ormond Programmer/LAN Administrator Central Valley Water Reclamation Facility [EMAIL PROTECTED] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SPFPass - good or bad?
Tyran Ormond wrote: That still means that I have to setup includes for each of the possible sending domains, still unacceptable and reason enough for me to discard SPF completely. Well be advised not all your mail will get delivered. I have some insurance agencies whose mail will bounce if I did not have valid spf recs for their domains. I know this because its happened. :) [The setup is kake; some dns programs can even synthesize spf recs for local domains. SimpleDns for one will ] -Nick Tyran Ormond Programmer/LAN Administrator Central Valley Water Reclamation Facility [EMAIL PROTECTED] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] SPFPass - good or bad?
I've noticed a bunch of spam with SPFPass grades that have negated the spam databases (I have SPFPass at -5) ... is anyone finding that SPFPass is working with spammers using legitimate ISP's? david - Internet Dental Forum www.internetdentalforum.org Dentalcast Podcast www.dentalcast.net --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] SPFPass - good or bad?
We only use SPFFAIL and add weight. We stay away from negative weighting. SPFPASS just means that the senderdomain is coming from an approved mail server. Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Dodell Sent: Wednesday, September 07, 2005 10:28 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] SPFPass - good or bad? I've noticed a bunch of spam with SPFPass grades that have negated the spam databases (I have SPFPass at -5) ... is anyone finding that SPFPass is working with spammers using legitimate ISP's? david - Internet Dental Forum www.internetdentalforum.org Dentalcast Podcast www.dentalcast.net --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail scanned for viruses by Declude Virus] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
