Re: Blacklisting based on SPF

2011-10-13 Thread Marc Perkel



On 10/11/2011 6:49 AM, Matus UHLAR - fantomas wrote:

On 7 Oct 2011 00:28:49 -, John Levine wrote:

Nobody with any interest in delivering the mail that their users want.
The error rate is much, much too high.



On 10/7/2011 12:50 AM, Benny Pedersen wrote:

how ?


On 10.10.11 07:00, Marc Perkel wrote:
All forwarded email would fail SPF testing.  You would be blocking 
all hosted spam filtering services for example.


FUD and bullshit.

such forwarding will break SPF iff the forwarder does not change the 
mail from: address, and in such case it FAKES the return path, since 
it's not the original sender who sent the mail, it's the recipient.
Whoever wishes to get mail forwarded through mailbox that does not 
this kind of rewriting, should configure the forwarder as 
trusted/internal for this case.




http://www.openspf.org/FAQ/Forwarding



--
Marc Perkel - Sales/Support
supp...@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400



Re: Blacklisting based on SPF

2011-10-12 Thread Matus UHLAR - fantomas

On Wed, 12 Oct 2011 16:08:12 +0200, Matus UHLAR - fantomas wrote:

was this changed or you just continue FUDding?


On 12.10.11 16:18, Benny Pedersen wrote:

From: header is NOT envelope-from header, stop fuding self


From: is _NOT_ "mail from:" and since DKIM has nothing with mail from:, 
I don't see how could forwarding break DKIM, unless modifying message 
content (From: header) which I was not talking about.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
WinError #9: Out of error messages.


Re: Blacklisting based on SPF

2011-10-12 Thread Benny Pedersen

On Wed, 12 Oct 2011 16:08:12 +0200, Matus UHLAR - fantomas wrote:


was this changed or you just continue FUDding?


From: header is NOT envelope-from header, stop fuding self


Re: Blacklisting based on SPF

2011-10-12 Thread Matus UHLAR - fantomas

On Tue, 11 Oct 2011 17:14:06 +0200, Matus UHLAR - fantomas wrote:


(and possibly list of forwarders who do not rewrite mail from)


On 11.10.11 21:03, Benny Pedersen wrote:
breaks dkim, and installations that use from: as envelope sender 
header ask for troubles


cite from rfc4686:

DKIM operates entirely on the content (body and selected header
fields) of the message, as defined in RFC 2822 [RFC2822].  The
transmission of messages via SMTP, defined in RFC 2821 [RFC2821], and
such elements as the envelope-from and envelope-to addresses and the
HELO domain are not relevant to DKIM verification.

was this changed or you just continue FUDding?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Christian Science Programming: "Let God Debug It!".


Re: Blacklisting based on SPF

2011-10-12 Thread Matus UHLAR - fantomas

On Tue, 11 Oct 2011 15:49:36 +0200, Matus UHLAR - fantomas wrote:

such forwarding will break SPF iff the forwarder does not change the
mail from: address, and in such case it FAKES the return path, since
it's not the original sender who sent the mail, it's the recipient.


On 11.10.11 20:55, Benny Pedersen wrote:

it breaks dkim if anything is changed, this is not fud


Well,
- SPF is not DKIM
- DKIM is broken if someone changes the mail content, not the envelope 
  address.


according to some discussions the DKIM seems to have problems with mail 
reformatting by courier MTA. Maybe the specification could be relaxed 
to case insensitive checking of headers...



Whoever wishes to get mail forwarded through mailbox that does not
this kind of rewriting, should configure the forwarder as
trusted/internal for this case.


only trusted_network for the forwarding mta is needed to make spf work


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Silvester Stallone: Father of the RISC concept.


Re: Blacklisting based on SPF

2011-10-11 Thread Benny Pedersen

On Tue, 11 Oct 2011 17:14:06 +0200, Matus UHLAR - fantomas wrote:


(and possibly list of forwarders who do not rewrite mail from)


breaks dkim, and installations that use from: as envelope sender header 
ask for troubles


Re: Blacklisting based on SPF

2011-10-11 Thread Benny Pedersen

On Tue, 11 Oct 2011 15:49:36 +0200, Matus UHLAR - fantomas wrote:

such forwarding will break SPF iff the forwarder does not change the
mail from: address, and in such case it FAKES the return path, since
it's not the original sender who sent the mail, it's the recipient.


it breaks dkim if anything is changed, this is not fud


Whoever wishes to get mail forwarded through mailbox that does not
this kind of rewriting, should configure the forwarder as
trusted/internal for this case.


only trusted_network for the forwarding mta is needed to make spf work


Re: Blacklisting based on SPF

2011-10-11 Thread Matus UHLAR - fantomas

On 05.10.11 11:01, Julian Yap wrote:

I've noticed some trojans with addresses from usps.com slip through.

Does anyone blacklist based on SPF?


According to SPF definition, all mail that fails SPF check, is forged 
and therefore it should be rejected (in case of FAIL result), or very 
carefully checked.


In reality, there are problems related to
- mail forwarders who can't tag the mail as forwarded (and thus, they 
  in fact fake the envelope sender)
- misconfigured SPF and misconfigured mailers of companies who do 
  not understand the SPF principle and outsource the mailers outside


usually, people do what you want either by defining their own rule, 
but as it turns out, having something like SPF blacklist would be a 
good idea.


(and possibly list of forwarders who do not rewrite mail from)
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
LSD will make your ECS screen display 16.7 million colors


Re: Blacklisting based on SPF

2011-10-11 Thread Matus UHLAR - fantomas

On 7 Oct 2011 00:28:49 -, John Levine wrote:

Nobody with any interest in delivering the mail that their users want.
The error rate is much, much too high.



On 10/7/2011 12:50 AM, Benny Pedersen wrote:

how ?


On 10.10.11 07:00, Marc Perkel wrote:
All forwarded email would fail SPF testing.  You would be blocking 
all hosted spam filtering services for example.


FUD and bullshit.

such forwarding will break SPF iff the forwarder does not change the 
mail from: address, and in such case it FAKES the return path, since 
it's not the original sender who sent the mail, it's the recipient. 

Whoever wishes to get mail forwarded through mailbox that does not this 
kind of rewriting, should configure the forwarder as trusted/internal for 
this case.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Chernobyl was an Windows 95 beta test site.


Re: Blacklisting based on SPF

2011-10-10 Thread David F. Skoll
On Mon, 10 Oct 2011 07:00:48 -0700
Marc Perkel  wrote:

[Blocking SPF "fail" mail]

> All forwarded email would fail SPF testing.  You would be blocking
> all hosted spam filtering services for example.

Nonsense.  If someone uses a hosted spam filtering service for inbound mail,
then that person should turn off SPF checking on the back-end completely;
checking SPF and applying policy is the job of the hosted spam filter.
(If you're using a hosted anti-spam service that does *not* allow you
to apply fine-grained SPF policies, then it's time to switch.)

If someone uses a hosted filtering service for outbound mail, then
he/she just needs to publish appropriate SPF records listing the service's
egress IP addresses.

Regards,

David.



Re: Blacklisting based on SPF

2011-10-10 Thread Daniel McDonald
On 10/10/11 9:00 AM, "Marc Perkel"  wrote:

> 
> 
> On 10/7/2011 12:50 AM, Benny Pedersen wrote:
>> On 7 Oct 2011 00:28:49 -, John Levine wrote:
>>> Nobody with any interest in delivering the mail that their users want.
>>> The error rate is much, much too high.
>> 
>> how ?
>> 
> 
> All forwarded email would fail SPF testing.  You would be blocking all
> hosted spam filtering services for example.

"then you aren't doing it right".

If the hosted filtering is egress, then the address ranges of your egress
filter provider should be in your SPF statement.

If the hosted filtering is ingress, then the address ranges of your ingress
filter provider should be in your trusted-networks, so that spf will look at
the last-untrusted address for the source.

Mail-lists running on sane software will change the envelope address, so
there is no problem there.

So, what other bizarre corner cases are you talking about that break SPF?


-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281
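
The cases argued in this thread (direct delivery, a forwarder that keeps the original mail from:, a forwarder that rewrites it, and a forwarder listed in trusted networks) can be run side by side. This is an added example, not part of any poster's message and not SpamAssassin's own code: a reduced SPF evaluator that checks the last untrusted relay. All domains, addresses and records are constructed, and only the ip4 and all mechanisms are handled.

```python
import ipaddress

# Constructed SPF policies using documentation address ranges (not real records).
SPF_RECORDS = {
    "sender.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "forwarder.example": "v=spf1 ip4:198.51.100.0/24 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(client_ip, mail_from):
    """Evaluate the envelope sender's policy; only ip4 and all are handled."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:]):
            return QUALIFIERS[qualifier]
    return "neutral"


def last_untrusted_ip(relay_ips, trusted_networks):
    """relay_ips lists the hops newest first, as Received headers are stacked."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for hop in relay_ips:
        if not any(ipaddress.ip_address(hop) in net for net in nets):
            return hop
    return None  # every hop is trusted: nothing to check SPF against


def evaluate(relay_ips, mail_from, trusted_networks=()):
    """SPF result for the envelope sender as seen from the last untrusted relay."""
    client = last_untrusted_ip(relay_ips, trusted_networks)
    return "none" if client is None else spf_check(client, mail_from)


def scenarios():
    """Run the thread's cases on constructed hosts and return their SPF results."""
    origin, forwarder, stranger = "192.0.2.10", "198.51.100.7", "203.0.113.5"
    sender = "alice@sender.example"
    trusted = ["198.51.100.0/24"]
    return {
        "direct": evaluate([origin], sender),
        "forwarded, mail from unchanged": evaluate([forwarder, origin], sender),
        "forwarded, mail from rewritten": evaluate(
            [forwarder, origin], "bob@forwarder.example"),
        "forwarded, forwarder trusted": evaluate(
            [forwarder, origin], sender, trusted),
        "forged from unrelated host": evaluate([stranger], sender),
        "forged, relayed via trusted forwarder": evaluate(
            [forwarder, stranger], sender, trusted),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:40} {result}")
```

Listing the forwarder as trusted moves the check back to the host that handed the mail to the forwarder, so a forged sender relayed through that forwarder still fails.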



Re: Blacklisting based on SPF

2011-10-10 Thread Benny Pedersen

On Mon, 10 Oct 2011 07:00:48 -0700, Marc Perkel wrote:

All forwarded email would fail SPF testing.  You would be blocking
all hosted spam filtering services for example.


this is easy to solve in spf or add the forwarding mta sender ip to 
spamassassin trusted_networks, reject msg ALWAYS says this to sender 
that are being rejected, fail is not a spf fault, i still not needing 
forwarded emails at all and i know how to do this from mail host i need 
forward from, if spf is so damn hard to use correct then use dkim :)





Re: Blacklisting based on SPF

2011-10-10 Thread Marc Perkel



On 10/7/2011 12:50 AM, Benny Pedersen wrote:

On 7 Oct 2011 00:28:49 -, John Levine wrote:

Nobody with any interest in delivering the mail that their users want.
The error rate is much, much too high.


how ?



All forwarded email would fail SPF testing.  You would be blocking all 
hosted spam filtering services for example.


--
Marc Perkel - Sales/Support
supp...@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400



Re: Blacklisting based on SPF

2011-10-07 Thread Dave Warren

On 10/7/2011 12:17 PM, RW wrote:

On Fri, 07 Oct 2011 20:39:24 +0200
Robert Schetterer wrote:


in my case
there is so less left, passing postscreen, rbls, greylisting,
clamav-milter with sanesecurity and few other smtp checks, that nearly
null i.e
faked paypal mail getting at last to spamassassin where its stopped
mostly by other rules and rejected by spamass-milter, so using spf
check isnt hardly needed anymore,

His point was that SPF isn't there to catch spam, it's there to identify
legitimate mail  from selected domains, and prevent it being falsely
identified as spam.


That's pretty much it.  I don't look at it as a spam blocking measure at 
all, but rather, its utility is to avoid whitelisting forged mail.


Prior to SPF, I was apprehensive about whitelisting anything by domain 
since domains can be trivially forged, especially if it's a well-known 
domain (the domain of a household named company).  By only applying 
whitelist entries to mail that has a SPF or DKIM pass, I can whitelist 
by sender address/domain indiscriminately without fear that a spammer 
can take advantage of @paypal.com whitelists.


To me, false positives are a lot more important than filter misses.  
Users will tolerate a bit of spam, but blocking even a single legitimate 
message is unacceptable (yes, it's a real world risk, but it's still the 
goal), so being able to whitelist safely (completely, or just with a 
score) is critical.


--
Dave Warren, CEO
Hire A Hit Consulting Services
http://ca.linkedin.com/in/davejwarren



Suppressing backscatter (was Re: Blacklisting based on SPF)

2011-10-07 Thread David F. Skoll
On Fri, 07 Oct 2011 20:47:48 +0100
Martin Gregorie  wrote:

> And, at least for me, it's been good for suppressing backscatter: since
> I've had a good SPF record I've had almost none.

Really??  You are very lucky.  We have an SPF record with a "-all"
clause and still get backscatter.  I believe that so few SMTP servers
validate SPF that the amount of backscatter it actually reduces is tiny.

Regards,

David.


Re: Blacklisting based on SPF

2011-10-07 Thread Martin Gregorie
On Fri, 2011-10-07 at 20:17 +0100, RW wrote:
> On Fri, 07 Oct 2011 20:39:24 +0200
> Robert Schetterer wrote:
> 
> > in my case
> > there is so less left, passing postscreen, rbls, greylisting,
> > clamav-milter with sanesecurity and few other smtp checks, that nearly
> > null i.e
> > faked paypal mail getting at last to spamassassin where its stopped
> > mostly by other rules and rejected by spamass-milter, so using spf
> > check isnt hardly needed anymore,
> 
> His point was that SPF isn't there to catch spam, it's there to identify
> legitimate mail  from selected domains, and prevent it being falsely
> identified as spam.
>
And, at least for me, it's been good for suppressing backscatter: since
I've had a good SPF record I've had almost none. That is all I use it
for.

Martin




Re: Blacklisting based on SPF

2011-10-07 Thread RW
On Fri, 07 Oct 2011 20:39:24 +0200
Robert Schetterer wrote:

> in my case
> there is so less left, passing postscreen, rbls, greylisting,
> clamav-milter with sanesecurity and few other smtp checks, that nearly
> null i.e
> faked paypal mail getting at last to spamassassin where its stopped
> mostly by other rules and rejected by spamass-milter, so using spf
> check isnt hardly needed anymore,

His point was that SPF isn't there to catch spam, it's there to identify
legitimate mail  from selected domains, and prevent it being falsely
identified as spam.


Re: Blacklisting based on SPF

2011-10-07 Thread Robert Schetterer
Am 07.10.2011 20:24, schrieb Dave Warren:
> On 10/7/2011 1:12 AM, Robert Schetterer wrote:
>> in my eyes the whole idea of spf was broken from beginning
>> but do what you want, no need for flame
>> in my real world it makes more problems than helping in antispam
>> i removed spf checks from my servers, in spamd its used with nearly no
>> points
>> there are better more effective ways to reject unwanted mails
>> but you're free, do it like you want, analyse your logs
>> then you will see, if it helps at your side
>> everybody has its own spam, there are less
>> universal recommendations, antispam is daily work in analyse and reaction
> 
> The trick with SPF is to stop using it for rejecting mail, it doesn't do
> a good job at that.  

jep

It's not really a spam-fighting technique at all,
> as much as an identification technique.  What you do with that

jep

> identification is where it gets interesting; what it does do well is
> allow you to whitelist known-good (or at least wanted) senders, allowing
> you to exempt mail you know you want from expensive content filtering.
> 
> PayPal is a good example, love 'em or hate 'em, there's no point running
> mail from PayPal through any sort of content based spam filtering, and
> SPF can tell you that a message claiming to be from PayPal really is
> from PayPal (but it can't reliably tell you that a message *isn't* from
> PayPal, due to forwarding, possible DNS problems, possible SPF
> configuration errors, etc)

in my case
there is so less left, passing postscreen, rbls, greylisting,
clamav-milter with sanesecurity and few other smtp checks, that nearly
null i.e
faked paypal mail getting at last to spamassassin where it's stopped
mostly by other rules and rejected by spamass-milter, so using spf check
isn't hardly needed anymore, until in most cases its useless
or does make trouble, but feel free using spf-checks as you want
it may help in some setups



> 
> 


-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: Blacklisting based on SPF

2011-10-07 Thread Dave Warren

On 10/7/2011 1:12 AM, Robert Schetterer wrote:

in my eyes the whole idea of spf was broken from beginning
but do what you want, no need for flame
in my real world it makes more problems than helping in antispam
i removed spf checks from my servers, in spamd its used with nearly no
points
there are better more effective ways to reject unwanted mails
but you're free, do it like you want, analyse your logs
then you will see, if it helps at your side
everybody has its own spam, there are less
universal recommendations, antispam is daily work in analyse and reaction


The trick with SPF is to stop using it for rejecting mail, it doesn't do 
a good job at that.  It's not really a spam-fighting technique at all, 
as much as an identification technique.  What you do with that 
identification is where it gets interesting; what it does do well is 
allow you to whitelist known-good (or at least wanted) senders, allowing 
you to exempt mail you know you want from expensive content filtering.


PayPal is a good example, love 'em or hate 'em, there's no point running 
mail from PayPal through any sort of content based spam filtering, and 
SPF can tell you that a message claiming to be from PayPal really is 
from PayPal (but it can't reliably tell you that a message *isn't* from 
PayPal, due to forwarding, possible DNS problems, possible SPF 
configuration errors, etc)



--
Dave Warren, CEO
Hire A Hit Consulting Services
http://ca.linkedin.com/in/davejwarren



Re: Blacklisting based on SPF

2011-10-07 Thread Ned Slider

On 07/10/11 13:27, Daniel McDonald wrote:


> Something like this Unverified Yahoo rule I shamelessly stole from Mark
> Martinec:

I have some similar rules...

> header __L_FROM_Y1   From:addr =~ m{[@.]yahoo\.com$}i
> header __L_FROM_Y2   From:addr =~ m{\@yahoo\.com\.(ar|br|cn|hk|my|sg)$}i
> header __L_FROM_Y3   From:addr =~ m{\@yahoo\.co\.(id|in|jp|nz|uk)$}i
> header __L_FROM_Y4   From:addr =~ m{\@yahoo\.(ca|de|dk|es|fr|gr|ie|it|pl|se)$}i

and thought I'd share my updated list of Yahoo TLDs as you're missing a few:

header		__LOCAL_FROM_YAHOO1	From:addr =~ /\@yahoo\.com\.(ar|br|cn|hk|mx|my|ph|sg)$/i
header		__LOCAL_FROM_YAHOO2	From:addr =~ /\@yahoo\.co\.(id|in|jp|nz|th|uk)$/i
header		__LOCAL_FROM_YAHOO3	From:addr =~ /\@yahoo\.(ca|cn|de|dk|es|fr|gr|ie|in|it|pl|ru|se)$/i




Re: Blacklisting based on SPF

2011-10-07 Thread Daniel McDonald



On 10/7/11 3:49 AM, "Julian Yap"  wrote:

> On Thu, Oct 6, 2011 at 3:09 PM, David F. Skoll  
> wrote:
>> On 7 Oct 2011 00:28:49 -
>> "John Levine"  wrote:
>> 
>>>> Does anyone blacklist based on SPF?
>> 
>>> Nobody with any interest in delivering the mail that their users want.
>>> The error rate is much, much too high.
>> 
>> It depends.  I very confidently blacklist mail from "roaringpenguin.com"
>> that fails to pass SPF.  That's my own domain, of course.
> 
> What do your rules look like for this scenario?
> 

Something like this Unverified Yahoo rule I shamelessly stole from Mark
Martinec:

header __L_ML1   Precedence =~ m{\b(list|bulk)\b}i
header __L_ML2   exists:List-Id
header __L_ML3   exists:List-Post
header __L_ML4   exists:Mailing-List
header __L_HAS_SNDR  exists:Sender
meta   __L_VIA_ML  __L_ML1 || __L_ML2 || __L_ML3 || __L_ML4 || __L_HAS_SNDR
header __L_FROM_Y1   From:addr =~ m{[@.]yahoo\.com$}i
header __L_FROM_Y2   From:addr =~ m{\@yahoo\.com\.(ar|br|cn|hk|my|sg)$}i
header __L_FROM_Y3   From:addr =~ m{\@yahoo\.co\.(id|in|jp|nz|uk)$}i
header __L_FROM_Y4   From:addr =~ m{\@yahoo\.(ca|de|dk|es|fr|gr|ie|it|pl|se)$}i
meta   __L_FROM_YAHOO  __L_FROM_Y1 || __L_FROM_Y2 || __L_FROM_Y3 || __L_FROM_Y4
header __L_FROM_GMAIL  From:addr =~ m{\@gmail\.com$}i
meta     L_UNVERIFIED_YAHOO  !DKIM_VALID && !DKIM_VALID_AU && __L_FROM_YAHOO && !__L_VIA_ML
priority L_UNVERIFIED_YAHOO  500
score    L_UNVERIFIED_YAHOO  2.5
meta     L_UNVERIFIED_GMAIL  !DKIM_VALID && !DKIM_VALID_AU && __L_FROM_GMAIL && !__L_VIA_ML
priority L_UNVERIFIED_GMAIL  500
score    L_UNVERIFIED_GMAIL  2.5



It would be nice to have a construct like "blacklist_unless_spf" or
"blacklist_unless_auth"  that did all of this for me...


-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281




Re: Blacklisting based on SPF

2011-10-07 Thread David F. Skoll
On Thu, 6 Oct 2011 22:49:47 -1000
Julian Yap  wrote:

> What do your rules look like for this scenario? [blocking for SPF
> fail for select domains.]

Ah, well.  We don't implement those policies with SpamAssassin, so I can't
post anything useful.

Regards,

David.


Re: Blacklisting based on SPF

2011-10-07 Thread Benny Pedersen

On Thu, 6 Oct 2011 22:49:47 -1000, Julian Yap wrote:

What do your rules look like for this scenario?


blacklist_from *@example.org
whitelist_from_spf *@example.org

adjust so blacklist score will be neutral for spf pass users

don't use *@example.org if you need to have strict whitelist of specific 
sender


so if spf fails it will be added blacklist_from score, if spf pass it's 
neutral score


Re: Blacklisting based on SPF

2011-10-07 Thread Julian Yap
On Thu, Oct 6, 2011 at 3:09 PM, David F. Skoll wrote:

> On 7 Oct 2011 00:28:49 -
> "John Levine"  wrote:
>
> > >Does anyone blacklist based on SPF?
>
> > Nobody with any interest in delivering the mail that their users want.
> > The error rate is much, much too high.
>
> It depends.  I very confidently blacklist mail from "roaringpenguin.com"
> that fails to pass SPF.  That's my own domain, of course.
>
> With somewhat less (but still pretty high) confidence, I block mail
> from paypal.com and ebay.com if it fails SPF (including "softfail")
>
> SPF is most effective when used judiciously for specific domains.  It's
> pretty useless to make blanket SPF rules that cover unknown domains.
>
>
What do your rules look like for this scenario?

Julian


Re: Blacklisting based on SPF

2011-10-07 Thread Robert Schetterer
Am 07.10.2011 10:03, schrieb Benny Pedersen:
> On Fri, 07 Oct 2011 09:54:09 +0200, Robert Schetterer wrote:
>> but wouldnt recommend it anyway
> 
> why would i like to whitelist a unknown spammer ?
> 
> thinking more about it would get me mad :-)
> 
> 

in my eyes the whole idea of spf was broken from beginning
but do what you want, no need for flame
in my real world it makes more problems than helping in antispam
i removed spf checks from my servers, in spamd its used with nearly no
points
there are better more effective ways to reject unwanted mails
but you're free, do it like you want, analyse your logs
then you will see, if it helps at your side
everybody has its own spam, there are less
universal recommendations, antispam is daily work in analyse and reaction
-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: Blacklisting based on SPF

2011-10-07 Thread Benny Pedersen

On Fri, 07 Oct 2011 09:54:09 +0200, Robert Schetterer wrote:

but wouldnt recommend it anyway


why would i like to whitelist a unknown spammer ?

thinking more about it would get me mad :-)




Re: Blacklisting based on SPF

2011-10-07 Thread Benny Pedersen

On Thu, 6 Oct 2011 21:09:59 -0400, David F. Skoll wrote:

SPF is most effective when used judiciously for specific domains.  
It's

pretty useless to make blanket SPF rules that cover unknown domains.


whitelist_from_spf rules ? :-)

my rule of thumb is:

def_whitelist_from_spf *@example.org
whitelist_from_spf u...@example.net

so give more negative scores to more restricted spf pass




Re: Blacklisting based on SPF

2011-10-07 Thread Robert Schetterer
Am 07.10.2011 09:50, schrieb Benny Pedersen:
> On 7 Oct 2011 00:28:49 -, John Levine wrote:
>> Nobody with any interest in delivering the mail that their users want.
>> The error rate is much, much too high.
> 
> how ?
> 
> 

good spammers usually have valid spf dns entries
so if you want blacklist with spf do it selective
i.e with some milter
but wouldn't recommend it anyway
-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: Blacklisting based on SPF

2011-10-07 Thread Benny Pedersen

On 7 Oct 2011 00:28:49 -, John Levine wrote:
Nobody with any interest in delivering the mail that their users 
want.

The error rate is much, much too high.


how ?




Re: Blacklisting based on SPF

2011-10-06 Thread David F. Skoll
On 7 Oct 2011 00:28:49 -
"John Levine"  wrote:

> >Does anyone blacklist based on SPF?

> Nobody with any interest in delivering the mail that their users want.
> The error rate is much, much too high.

It depends.  I very confidently blacklist mail from "roaringpenguin.com"
that fails to pass SPF.  That's my own domain, of course.

With somewhat less (but still pretty high) confidence, I block mail
from paypal.com and ebay.com if it fails SPF (including "softfail")

SPF is most effective when used judiciously for specific domains.  It's
pretty useless to make blanket SPF rules that cover unknown domains.

Regards,

David.


Re: Blacklisting based on SPF

2011-10-06 Thread John Levine
In article 
 you write:
>I've noticed some trojans with addresses from usps.com slip through.
>
>Does anyone blacklist based on SPF?

Nobody with any interest in delivering the mail that their users want.
The error rate is much, much too high.

R's,
John


Re: Blacklisting based on SPF

2011-10-05 Thread Benny Pedersen

On Wed, 5 Oct 2011 11:01:12 -1000, Julian Yap wrote:

> I've noticed some trojans with addresses from usps.com slip
> through.

ups.com ?

> Does anyone blacklist based on SPF?

not needed since all spf domains is blacklisted, and scored neutral in 
spamassassin, until you use whitelist_from_spf or def_whitelist_from_spf 
sender email, and it will only gives negative score if its passing

also remember From: is not envelope sender, does spf use that header in 
your test ?

if it does then your spf test is broken

have you set envelope_sender_header in local.cf ?

perldoc Mail::SpamAssassin::Conf

> I took a look at the source for SpamAssassin/Plugin/SPF.pm but it only
> has evaluation rules for whitelisting:
>   $self->register_eval_rule ("check_for_spf_whitelist_from");
>   $self->register_eval_rule ("check_for_def_spf_whitelist_from");

its not needed to have blacklist



Re: Blacklisting based on SPF

2011-10-05 Thread Michael Scheidell

On 10/5/11 5:01 PM, Julian Yap wrote:
> I've noticed some trojans with addresses from usps.com slip through.
>
> Does anyone blacklist based on SPF?
>
> I took a look at the source for SpamAssassin/Plugin/SPF.pm but it only
> has evaluation rules for whitelisting:
>
>   $self->register_eval_rule ("check_for_spf_whitelist_from");
>   $self->register_eval_rule ("check_for_def_spf_whitelist_from");
>
> Thanks,
> Julian

I tried blacklist_from *@usps.com with a whitelist_from.  (would even 
themselves out...)
problem is.. if I send to xmail, and xmail fwds (incorrectly), OR, dns 
doesn't answer in time, you lose email.


best to write a metarule.  put your def_ whitelist from (7 points), and 
set up some metarules.




--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
SECNAP Network Security Corporation

   * Best Mobile Solutions Product of 2011
   * Best Intrusion Prevention Product
   * Hot Company Finalist 2011
   * Best Email Security Product
   * Certified SNORT Integrator
