On Mon, 2007-08-27 at 09:47 -0400, Jason Bertoch wrote:
> On Monday, August 27, 2007 9:27 AM Magnus Holmgren wrote:
> >
> > For spammers to be able to send SPF-authenticated spam using botnets,
> > they usually have to authorize ridiculously large address blocks, for
> > example with "+all" or "+a:0.0.0.0/2 +a:64.0.0.0/2 +a:128.0.0.0/2
> > +a:192.0.0.0/2", so it's possible to check for that.
>
> Has anyone verified that spammers are actually doing this yet, and how common
> it is? If so, it sounds like a good rule to add to the SPF protocol itself to
> save every implementation from having to check on their own.
Just give 0.1 point per SPF-allowed IP address (minus 128 or something).
There won't be many real mail providers/ISPs left which have more outgoing
IP addresses. And those get almost no points. Or you have to white-list
them anyways (for whatever reason, e.g. greylisting and other quirks on
their mail setup).

BTW it makes no sense to forbid the (abuse-like) above since you can't
really enforce it: On what condition do you want to say "it's illegal"?
If prefix == n is forbidden, I take n+1 as prefix and duplicate the number
of entries.

Bernd
-- 
Firmix Software GmbH  http://www.firmix.at/
mobil: +43 664 4416156  fax: +43 1 7890849-55
Embedded Linux Development and Services
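The per-address scoring Bernd describes, as an added example that is not part of the original thread (Python; the 128-address allowance and the 0.1 weight are taken from his message, everything else is my assumption). It sizes only ip4:/all terms offline and reports name-based terms for DNS-aware code rather than guessing:

```python
# Added example (not from the thread): score an SPF record by the size of the
# IPv4 space it authorizes, following the "0.1 point per allowed address,
# minus 128" idea. Allowance and weight are assumptions taken from the message.
import ipaddress

FREE_ADDRESSES = 128          # addresses a sender may authorize before points accrue
POINTS_PER_ADDRESS = 0.1      # score per authorized address beyond the allowance
IPV4_SPACE = 2 ** 32          # what a pass-qualified "all" hands out


def allowed_addresses(record):
    """Return (count, unresolved) for a raw SPF TXT record.

    count      - IPv4 addresses authorized by "ip4:" and "all" terms carrying a
                 pass ("+" or implicit) qualifier
    unresolved - terms that cannot be sized offline (a, mx, include, exists,
                 redirect=, ip6, malformed ip4), left for DNS-aware code
    """
    count = 0
    unresolved = []
    for term in record.split():
        if term.lower() == "v=spf1":
            continue
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if qualifier != "+":          # fail, softfail and neutral authorize nothing
            continue
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            count += IPV4_SPACE
        elif name == "ip4":
            try:
                count += ipaddress.IPv4Network(arg, strict=False).num_addresses
            except ValueError:        # junk after "ip4:" is a finding, not a crash
                unresolved.append(term)
        else:                         # ip6 and name-based mechanisms need DNS or a
            unresolved.append(term)   # different weighting; report instead of guessing
    return count, unresolved


def spf_score(record):
    """Points for the record under the heuristic; 0.0 for modest ip4 lists."""
    count, _ = allowed_addresses(record)
    return max(0, count - FREE_ADDRESSES) * POINTS_PER_ADDRESS


if __name__ == "__main__":
    # Constructed records: a normal sender, the thread's four-/2 pattern written
    # with ip4: (the form that actually authorizes the space), and a bare +all.
    for rec in ("v=spf1 ip4:192.0.2.0/24 -all",
                "v=spf1 ip4:0.0.0.0/2 ip4:64.0.0.0/2 ip4:128.0.0.0/2 ip4:192.0.0.0/2 -all",
                "v=spf1 +all"):
        print(f"{spf_score(rec):>14.1f}  {rec}")
```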