Re: [SLUG] Spam - use of SPF

2007-01-09 Thread Amos Shapira

On 10/01/07, Howard Lowndes <[EMAIL PROTECTED]> wrote:


Just out of curiosity, and because I am procrastinating about doing
something else, I ran a quick analysis across my mail log file to see
what the extent of the use of SPF is:

pass     29517
neutral  30354
softfail 31082
none      4783
unknown  31143



I remember seeing a mention of SPF and SenderID(?) a while ago concluding
that actually spammers were the first to rush to get themselves the right
records, virtually to the point that finding an SPF record could increase
the probability that you are dealing with a spammer (not that I'd suggest
anyone to use such a rule by itself, e.g. Gmail/Yahoo mail would fail such a
rule, filtering Hotmail is probably a good idea anyway :).

--Amos
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html


Re: [SLUG] Spam - use of SPF

2007-01-09 Thread Adam Kennedy

Amos Shapira wrote:

On 10/01/07, Howard Lowndes <[EMAIL PROTECTED]> wrote:


Just out of curiosity, and because I am procrastinating about doing
something else, I ran a quick analysis across my mail log file to see
what the extent of the use of SPF is:

pass     29517
neutral  30354
softfail 31082
none      4783
unknown  31143



I remember seeing a mention of SPF and SenderID(?) a while ago concluding
that actually spammers were the first to rush to get themselves the right
records, virtually to the point that finding an SPF record could increase
the probability that you are dealing with a spammer (not that I'd suggest
anyone to use such a rule by itself, e.g. Gmail/Yahoo mail would fail such a
rule, filtering Hotmail is probably a good idea anyway :).


That was entirely not the point of SPF though.

Merely HAVING an SPF record doesn't make you less of a spammer. It does 
however remove mail server spoofing and provide a verified identity for 
the mail servers.


You know the people sending you mail are who they say they are.

And once you know for sure that they are who they say they are, you can 
then use that identity to work out if they are goodies or baddies 
properly based on who they are.


So it provides a platform for identity-based filtering.

The spammers having SPF records merely forced them to come out openly 
about who they were.


Adam K


Re: [SLUG] Spam - use of SPF

2007-01-09 Thread Amos Shapira

On 10/01/07, Adam Kennedy <[EMAIL PROTECTED]> wrote:


That was entirely not the point of SPF though.



(rest deleted for brevity).

All true, but the bottom line was that at some stage you could highly
correlate between finding an SPF/senderId record and figuring that you are
dealing with a spamming domain.

But anyway, it's almost a theoretical discussion - even with Howard's numbers
not contradicting this, I'm pretty sure it's not practical to do much with
this info beyond maybe being able to more tightly bind the negative
reputation of a spammer to the domain/id he used to send the spam from.

--Amos


Re: [SLUG] Spam - use of SPF

2007-01-09 Thread Adam Kennedy

Amos Shapira wrote:

I'm pretty sure it's not practical to do much with
this info beyond maybe being able to more tightly bind the negative
reputation of a spammer to the domain/id he used to send the spam from.


Correct. And it just so happens that the creator of SPF has a startup 
going called Karma for aggregating massive amounts of reputation data. :)


Adam K


Re: [SLUG] Spam - use of SPF

2007-01-20 Thread James Gray


On 10/01/2007, at 2:51 PM, Howard Lowndes wrote:

Just out of curiosity, and because I am procrastinating about doing  
something else, I ran a quick analysis across my mail log file to  
see what the extent of the use of SPF is:


pass     29517
neutral  30354
softfail 31082
none      4783
unknown  31143

"pass" = SPF record found and mail sender is kosher
"neutral" = SPF record found but we'll sit on the fence
"softfail" = SPF record found and the mail sender is not kosher
"none" = the DNS does not have a SPF TXT record
"unknown" = we couldn't find any DNS server for the sender address


Others have made some good points but I'll throw in the last  
omission.  SPF completely falls in a heap when you forward mail at  
the SMTP level (think ".forward" files and other methods).  I send a  
message to my account at Uni, it then forwards it to me at a  
different address but DOESN'T rewrite the envelope sender.  Bzzzt -  
SPF fail.  Considering the number of systems that forward mail to me,  
SPF is more a pain than anything else.  I've found good RBLs (at the  
SMTP level, as well as further upstream like SpamAssassin) mitigate  
the flow of spam better than SPF ever has (could).


Cheers,

James

