On Dec 12, 2006, at 6:46 PM, Phil Barnett wrote:
On Tuesday 12 December 2006 07:28, JamesDR wrote:
Sounds like a good spam sign to me. Let the spammers put 0.0.0.0/0 in
their spf records, I'll pop in 3 points for good measure.

But, you are making some assumptions at this point and that is the crux of why
SPF can't work very well.

Say you give points for that one. So, where do you draw the line? Do you give points for (for example) 123.0.0.0/8? What if that is someone's legitimate
domain space?

Bot masters can easily set up SPF addresses that will encompass giant subnets
of bots. You'll never know where to draw the line.

Repeat after me: SPF is not an anti-spam solution. It is an address validation solution.

If a spammer puts 0.0.0.0/0 in his SPF record, or creates one that covers an entire botnet, great! When you get that spam, you know with 100% certainty that it really came from spammersdomain.biz, and you can feel safe in blacklisting that domain.

Similarly, if a legit domain sets up a tight enough SPF record, you can whitelist the combination of that domain with an SPF pass (i.e. SA's whitelist_from_spf).

Don't think of SPF as a magic bullet. Think of it as one more piece of evidence you can use for building your case.

From that standpoint, there's nothing wrong with setting up rules based on the breadth of an SPF record. Just treat them like any other SA rule, like whether the From: line has a name, or whether the subject is missing vowels, etc. Some legit mail is HTML (sorry, it's true). Some legit mail has no name in the From line. Some legit mail even consists of a mostly-numeric sender with no name, an image attachment, and not much else. (Ever seen someone send an image from a camera phone to an email address?) But we still use rules that track those traits because, when combined with other rules and a balanced score set, they help classify mail.
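The "breadth of an SPF record" rule discussed above, as an added Python example that is not part of this thread or of SpamAssassin: it counts how many IPv4 addresses a record grants a pass to and maps that to an illustrative score. The function names and the score thresholds are my own assumptions; only ip4 and all mechanisms are evaluated (a/mx/include need DNS), and first-match ordering is ignored, so the count is an upper bound.

```python
"""Measure how broad an SPF record is (how many IPv4 addresses it passes)."""
import ipaddress

FULL_IPV4 = 2 ** 32  # every address, i.e. what 0.0.0.0/0 or +all grants


def spf_ipv4_breadth(record: str) -> int:
    """Return the number of IPv4 addresses the record would give a PASS to.

    Only ip4 and all terms are evaluated; a/mx/include/ip6 are skipped
    because they need DNS or are a different address family. Fail,
    softfail and neutral terms grant nothing. Ordering (first match wins)
    is ignored, so the result is an upper bound on what passes.
    """
    if not record.lower().startswith("v=spf1"):
        raise ValueError("not an SPF record")
    passing = []
    for term in record.split()[1:]:
        qualifier = "+"  # a term with no qualifier means pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if qualifier != "+":
            continue
        mech = term.lower()
        if mech == "all":
            return FULL_IPV4  # +all: everything passes, nothing is proven
        if mech.startswith("ip4:"):
            try:
                net = ipaddress.ip_network(term[4:], strict=False)
            except ValueError:
                continue  # malformed term; a real checker would permerror
            if isinstance(net, ipaddress.IPv4Network):
                passing.append(net)
    # collapse overlaps so 10.0.0.0/8 plus 10.1.0.0/16 is not double-counted
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(passing))


def spf_breadth_score(record: str) -> float:
    """Illustrative SA-style points for an over-broad record (assumed thresholds).

    The broader the record, the less an SPF pass tells you about the sender,
    so a pass from such a domain deserves a little suspicion, not a whitelist.
    """
    addrs = spf_ipv4_breadth(record)
    if addrs >= FULL_IPV4:
        return 3.0  # 0.0.0.0/0 or +all
    if addrs >= 2 ** 24:
        return 1.5  # a /8 or more
    if addrs >= 2 ** 16:
        return 0.5  # a /16 or more
    return 0.0
```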
