Posted to users@spamassassin.apache.org by Philip Prindeville <ph...@redfish-solutions.com> on 2006/03/21 03:30:07 UTC

SPF penetration

Anyone have monthly numbers for the percentages of
sites that have SPF turned on for their incoming messages?

I.e. if you received 1000 messages last month... how many
unique domains were represented, and of those, how many
had SPF enabled?  And how many messages turned out to
be spoofed by the SPF failure test?

Thanks,

-Philip


Re: SPF penetration

Posted by Matt Kettler <mk...@evi-inc.com>.
Philip Prindeville wrote:
> Anyone have monthly numbers for the percentages of
> sites that have SPF turned on for their incoming messages?
> 
> I.e. if you received 1000 messages last month... how many
> unique domains were represented, and of those, how many
> had SPF enabled?  And how many messages turned out to
> be spoofed by the SPF failure test?
> 

Domains, not sure, but I can give you some numbers on messages.

Real numbers from last week:

Total messages scanned by SA:
  19268
Number of messages matching SPF_FAIL:
     89
Number of messages matching SPF_SOFTFAIL
    493
Number of messages matching SPF_NEUTRAL
    200
Number of messages matching SPF_PASS
   6064

Note however: I greylist most dynamic hosts, so I'll get a lot fewer SPF failures
than most folks.


Even so, only 31% of my mail comes from domains that support SPF.

Strangely, the SPF_FAIL matches don't come from a small number of domains. At a
casual glance, there aren't that many duplicates. Some of them are even SPF
failures for SURBL-listed spam domains!

Here's a small sampling of domains that the 89 spf failures were spread across:


Here are some SPF_FAILs that were forging domains listed in URIBLs (munged to
avoid being bounced by the list, since even mentioning a domain that's on a lot
(i.e. 4) of SURBL lists is enough score to break the list's 10-point limit):


Note: I munged them with the names of the URIBLs that list them.
BLACK is uribl.com's black
WS and OB are the respective lists on surbl.org



Re: SPF penetration

Posted by jdow <jd...@earthlink.net>.
From: "Michael Monnerie" <m....@zmi.at>

> And if you don't care about spoofs, don't check it.

Not long ago I learned about a malformed SPF spoof trick that allowed
spam through from addresses not normally allowed to send it directly.

{^_^}


Re: SPF penetration

Posted by Michael Monnerie <m....@zmi.at>.
On Tuesday, 21 March 2006 21:42 mouss wrote:
> - if you wanna add spf records, do
> - if you wanna check spf, do

And if you don't care about spoofs, don't check it.

Regards, zmi
-- 
// Michael Monnerie, Ing.BSc  ---   it-management Michael Monnerie
// http://zmi.at           Tel: 0660/4156531          Linux 2.6.11
// PGP Key:   "lynx -source http://zmi.at/zmi2.asc | gpg --import"
// Fingerprint: EB93 ED8A 1DCD BB6C F952  F7F4 3911 B933 7054 5879
// Keyserver: www.keyserver.net                 Key-ID: 0x70545879

Re: SPF penetration

Posted by mouss <us...@free.fr>.
Michael Monnerie wrote:
> I bet. SPF is NOT a means to check whether it's SPAM or HAM. It can just 
> tell you if a sender host is permitted to send e-mail for the given 
> domain, so you can prevent *forgery* of e-mails, which I find 
> important. I don't want others to be able to send from @zmi.at, and 
> every good mail server that checks SPF will never get a spoof.
> 

Maybe, but my server won't care. I will accept mail from @zmi.at from
any host (I'll scan it for spam, but I don't care where it came from,
neither positively nor negatively), and if the sender is one of my users,
I'll forward it to you. If you're not happy, blocklist me.
Let's "balkanise" the internet... but let's all play this game ;-p

- if you wanna add spf records, do
- if you wanna check spf, do

but that's all.


Re: SPF penetration

Posted by Michael Monnerie <m....@zmi.at>.
On Tuesday, 21 March 2006 06:28 jdow wrote:
> I'd hazard a guess that there is about as much spam that passes SPF
> tests as there is ham that passes SPF tests.

I bet. SPF is NOT a means to check whether it's SPAM or HAM. It can just 
tell you if a sender host is permitted to send e-mail for the given 
domain, so you can prevent *forgery* of e-mails, which I find 
important. I don't want others to be able to send from @zmi.at, and 
every good mail server that checks SPF will never get a spoof.

Regards, zmi

Re: SPF penetration

Posted by Michael Monnerie <m....@zmi.at>.
On Wednesday, 22 March 2006 00:11 Sander Holthaus wrote:
> and it wouldn't surprise me
> if actively rejecting SPF-fails has similar effects as strict
> RFC-enforcement or double reverse DNS-lookup. Lots less spam and lots
> more false positives.

No, because
1) by forcing strict RFC, lots of HAM will be rejected, because lots of 
mailservers are broken
2) 2revDNS just checks for the names

whereas

3) SPF is quite easy to set up, and easy to check and control. Mailserver 
software is not touched, and it "just" breaks forwarding, so you have 
to allow all hosts that forward for your domain.

That said, today I had another strange effect with SPF, where a mailing 
list on an SPF domain forwarded to its users, some of them having 
redirections to other hosts which rejected the mail. But that was a 
misconfig, not the fault of SPF.

I have used SPF for quite a while, and it works well. I just got one report 
that mpay24.com has a mailing list server which doesn't retry after a 4xx, 
but that's their problem. I reported it to them; they ignore it. That's life.

Regards, zmi
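A small illustration of the two points made in this post and the earlier one (SPF says whether the connecting host may send for a domain, and it breaks forwarding unless forwarders are listed), added here as example code that is not part of the thread. It evaluates constructed SPF records for hypothetical domains (sender.example, relay.example, forwarded.example) against a client IP and implements only the ip4, ip6, include and all mechanisms; a real check fetches the TXT record from DNS and also handles a, mx, exists, redirect and macros.

```python
import ipaddress

# Constructed SPF records for hypothetical domains; a real check fetches these
# as DNS TXT records. Only ip4, ip6, include and all are implemented here.
RECORDS = {
    "sender.example": "v=spf1 ip4:192.0.2.0/24 include:relay.example -all",
    "relay.example": "v=spf1 ip4:198.51.100.10 ~all",
    "forwarded.example": "v=spf1 ip4:192.0.2.0/24 ip4:203.0.113.5 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, records=RECORDS, depth=0):
    """Evaluate domain's SPF record against the connecting host's IP.
    Returns pass, fail, softfail, neutral, or none (no usable record)."""
    terms = (records.get(domain) or "").split()
    if not terms or terms[0] != "v=spf1" or depth > 10:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a qualifier means pass on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "include":
            # include matches only when the referenced record yields pass
            matched = check_spf(arg, client_ip, records, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            continue  # a, mx, exists, redirect, macros: not handled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no explicit all


def forwarding_demo():
    """The forwarding case from the thread: the receiver checks the
    forwarder's IP against the original sender domain's record."""
    direct = check_spf("sender.example", "192.0.2.25")          # own network
    via_forwarder = check_spf("sender.example", "203.0.113.5")  # unlisted forwarder
    fixed = check_spf("forwarded.example", "203.0.113.5")       # forwarder listed
    return direct, via_forwarder, fixed
```

Re-sending by an unlisted forwarder yields fail under -all because the receiver evaluates the forwarder's IP, which is why the domain owner has to list every host that forwards for the domain.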

Re: SPF penetration

Posted by Sander Holthaus <in...@orangexl.com>.
Michael Monnerie wrote:
> On Tuesday, 21 March 2006 21:35 mouss wrote:
>> I'd follow. I even think there are more spammers with good spf
>> than legit' people with spf.
>
> Could also be. SPF still doesn't help against SPAM, just against
> forgery. Where SPAM often tries to forge, but that's another story.
>
>> one thing we know: spammers don't care if spf breaks
>> forwarding...
>
> We have to adopt. As somebody mentioned in another thread: there
> was a time, when open relays were considered a good thing. Then
> came SPAM.
>
> Regards, zmi
SPF is just another tool to help against spam/phishing/viruses, but
that is it. It won't or can't stop them, and it wouldn't surprise me
if actively rejecting SPF-fails has similar effects as strict
RFC-enforcement or double reverse DNS-lookup. Lots less spam and lots
more false positives.

Kind regards,
Sander Holthaus


Re: SPF penetration

Posted by Michael Monnerie <m....@zmi.at>.
On Tuesday, 21 March 2006 21:35 mouss wrote:
> I'd follow. I even think there are more spammers with good spf than
> legit' people with spf.

Could also be. SPF still doesn't help against SPAM, just against 
forgery. Where SPAM often tries to forge, but that's another story.

> one thing we know: spammers don't care if spf breaks forwarding...

We have to adopt. As somebody mentioned in another thread: there was a 
time, when open relays were considered a good thing. Then came SPAM.

Regards, zmi

Re: SPF penetration

Posted by mouss <us...@free.fr>.
jdow wrote:
> I'd hazard a guess that there is about as much spam that passes SPF tests
> as there is ham that passes SPF tests.
> 

I'd follow. I even think there are more spammers with good SPF than
legit people with SPF.

> At least in the case of spam it means the blacklists mean something.
> 

One thing we know: spammers don't care if SPF breaks forwarding...

Re: SPF penetration

Posted by jdow <jd...@earthlink.net>.
From: "Philip Prindeville" <ph...@redfish-solutions.com>

> Anyone have monthly numbers for the percentages of
> sites that have SPF turned on for their incoming messages?
> 
> I.e. if you received 1000 messages last month... how many
> unique domains were represented, and of those, how many
> had SPF enabled?  And how many messages turned out to
> be spoofed by the SPF failure test?

I'd hazard a guess that there is about as much spam that passes SPF tests
as there is ham that passes SPF tests.

At least in the case of spam it means the blacklists mean something.

{o.o}