Posted to users@spamassassin.apache.org by "A. Schulze" <sc...@andreasschulze.de> on 2015/04/23 19:24:08 UTC

v=spf1 +all

Hello,

I wrote a little patch for the SPF plugin to detect domains  
authenticating any IP by SPF.
Usage:

local.cf
   header SPF_PASS_PLUSALL                 eval:check_for_spf_pass_plusall()
   header SPF_HELO_PASS_PLUSALL            eval:check_for_spf_helo_pass_plusall()
   describe SPF_PASS_PLUSALL               SPF: SPF record allows any sender
   describe SPF_HELO_PASS_PLUSALL          SPF: SPF record allows any HELO
   lang de describe SPF_PASS_PLUSALL       SPF: SPF-Datensatz erlaubt beliebige Senderechner
   lang de describe SPF_HELO_PASS_PLUSALL  SPF: SPF-Datensatz erlaubt beliebige HELO-Namen
   score SPF_PASS_PLUSALL                  0.001
   score SPF_HELO_PASS_PLUSALL             0.001

Unfortunately I also found domains that don't really send spam using "+all" ¹)
Any comments?

Andreas


¹)  
https://listi.jpberlin.de/pipermail/postfixbuch-users/2015-April/062921.html



Re: v=spf1 +all

Posted by RW <rw...@googlemail.com>.
On Fri, 24 Apr 2015 15:38:15 +0200
Reindl Harald wrote:

> 
> Am 24.04.2015 um 15:22 schrieb Dianne Skoll:

> > Spammers often register and use throwaway domains.  And check how
> > the exists: mechanism works
> 
> well, and how does SPF become part of the game in case of a throw-away
> domain as long as "score SPF_NONE 0" - why in the world should a
> spammer add a TXT record to a throw-away domain?


Not everyone uses SpamAssassin.

Re: v=spf1 +all

Posted by Dianne Skoll <df...@roaringpenguin.com>.
On Fri, 24 Apr 2015 15:55:50 +0200
Reindl Harald <h....@thelounge.net> wrote:

> and how does that concern an SA setup?

It probably doesn't seriously affect a default SA setup, but I have
quite a few customers who (despite my warnings) knock off a couple of points
on SPF "pass" for any domain.

Also, as someone else mentioned, a lot of SA rules include __NOT_SPOOFED
which fires on valid SPF.  So even default SA installations are affected
somewhat.

Regards,

Dianne.

Re: v=spf1 +all

Posted by Dianne Skoll <df...@roaringpenguin.com>.
On Fri, 24 Apr 2015 17:03:11 +0200
Reindl Harald <h....@thelounge.net> wrote:

> besides that, I am responsible for a single domain with currently
> 12000 users, and the user number doesn't matter because it doesn't say
> anything about your insight; it's pointless what spammers do and don't
> do

OK.

You essentially said: "+all is pointless for spammers because I'm smart
and that wouldn't fool me."

Well, not all anti-spam filters are run by Reindl-class geniuses, so just
because you know all about fighting spam, it doesn't mean you can make
blanket statements about what makes sense for spammers.

Spammers obviously feel it *does* make sense to register domains that
pass SPF because we see that all the time.  If it really didn't make sense,
market forces would dictate that spammers stop doing it because it wouldn't
be cost-effective.

I know you will reply because misunderstood high-IQ geniuses generally
like to have the last word.  So go ahead and have the last word because
I think I've beaten this topic to death.

Regards,

Dianne.

Re: v=spf1 +all

Posted by Reindl Harald <h....@thelounge.net>.
Am 24.04.2015 um 16:53 schrieb Dianne Skoll:
> On Fri, 24 Apr 2015 16:40:07 +0200
> Reindl Harald <h....@thelounge.net> wrote:
>
>> WTF, read the thread and context - I just stated "I wonder how long
>> until spammers use: v=spf1 ip4:0.0.0.0/1 ip4:128.0.0.0/1 -all" makes
>> no sense for spammers, not more and not less
>
> It makes plenty of sense.  We filter spam for hundreds of thousands of
> end users and I think we're in a better position than you to know what
> spammers do and don't do

besides that, I am responsible for a single domain with currently 12000 
users, and the user number doesn't matter because it doesn't say anything 
about your insight; it's pointless what spammers do and don't do

the only relevant question is: could they achieve anything with it? and the 
answer to the question above is simply "no" - and to "we're in a better 
position than you to know" - well, given "I wonder how long until" in 
your original question I referred to, they don't do it now

so what's the purpose of that stupid discussion now, even going in the 
direction of "my setup is bigger than yours" at all? my experience is that 
the more a setup grows, the more the personal knowledge of the involved 
people about it goes down, so don't try to impress me with "I am bigger 
than you"


Re: v=spf1 +all

Posted by Dianne Skoll <df...@roaringpenguin.com>.
On Fri, 24 Apr 2015 16:40:07 +0200
Reindl Harald <h....@thelounge.net> wrote:

> WTF, read the thread and context - I just stated "I wonder how long
> until spammers use: v=spf1 ip4:0.0.0.0/1 ip4:128.0.0.0/1 -all" makes
> no sense for spammers, not more and not less

It makes plenty of sense.  We filter spam for hundreds of thousands of
end users and I think we're in a better position than you to know what
spammers do and don't do.

Regards,

Dianne.


Re: v=spf1 +all

Posted by Reindl Harald <h....@thelounge.net>.

Am 24.04.2015 um 16:35 schrieb Matus UHLAR - fantomas:
>> Am 24.04.2015 um 16:11 schrieb Matus UHLAR - fantomas:
>>> SA setup will detect such domains and will score mail positively.
>>> Is there something other to explain?
>
> On 24.04.15 16:16, Reindl Harald wrote:
>> I don't, really, and everybody who pretends the opposite should be quiet
>> in the future when it comes to highly false positive prone rules with
>> scores of 1.5 or even higher
>
> Have you lowered _all_ scores to be below 1.5?
> like BAYES_99 or DEAR_FRIEND ?
> There's plenty of them:

I talk about rules that hit *a single* spam message which would have been 
caught by other rules too, and on the other side a lot of ham mails, like 
RCVD_ILLEGAL_IP, where people always argue "1.5 points is not a FP"

> grep -hr '^score' /var/lib/spamassassin/3.003002/updates_spamassassin_org | egrep -c '(1[5-9]|[2-9]|[1-9]0)\.'
> 288
>
> Have you already implemented the SPF_PASS_PLUSALL to see how many false
> positives it gives?
>
> BTW, default proposed score for SPF_PASS_PLUSALL was 0.001 so what
> exactly are you complaining about?

WTF, read the thread and context - I just stated "I wonder how long until 
spammers use: v=spf1 ip4:0.0.0.0/1 ip4:128.0.0.0/1 -all" makes no sense 
for spammers, not more and not less


Re: v=spf1 +all

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>Am 24.04.2015 um 16:11 schrieb Matus UHLAR - fantomas:
>>SA setup will detect such domains and will score mail positively.
>>Is there something other to explain?

On 24.04.15 16:16, Reindl Harald wrote:
>I don't, really, and everybody who pretends the opposite should be 
>quiet in the future when it comes to highly false positive prone 
>rules with scores of 1.5 or even higher

Have you lowered _all_ scores to be below 1.5?
like BAYES_99 or DEAR_FRIEND ?
There's plenty of them:

grep -hr '^score' /var/lib/spamassassin/3.003002/updates_spamassassin_org | egrep -c '(1[5-9]|[2-9]|[1-9]0)\.'
288

Have you already implemented the SPF_PASS_PLUSALL to see how many false
positives it gives?

BTW, default proposed score for SPF_PASS_PLUSALL was 0.001 so what exactly are
you complaining about?

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
If Barbie is so popular, why do you have to buy her friends? 

Re: v=spf1 +all

Posted by Reindl Harald <h....@thelounge.net>.
Am 24.04.2015 um 16:11 schrieb Matus UHLAR - fantomas:
>>> On Fri, 24 Apr 2015 15:38:15 +0200
>>> Reindl Harald <h....@thelounge.net> wrote:
>>>> well, and how does SPF become part of the game in case of a throw-away
>>>> domain as long as "score SPF_NONE 0" - why in the world should a
>>>> spammer add a TXT record to a throw-away domain?
>
>> Am 24.04.2015 um 15:50 schrieb Dianne Skoll:
>>> Ummm.... are you really that unclear on the concept?  I'll explain it
>>> carefully:
>>>
>>> Spammers know that (some) filters filter less aggressively than normal
>>> on an SPF "pass".  So they register a throwaway domain and use that
>>> in the envelope sender.  They publish a TXT record for that domain to
>>> ensure they get an SPF pass.
>>>
>>> There.  That wasn't so hard, was it?
>
> On 24.04.15 15:55, Reindl Harald wrote:
>> and how does that concern an SA setup?
>
> SA setup will detect such domains and will score mail positively.
> Is there something other to explain?

I don't, really, and everybody who pretends the opposite should be quiet 
in the future when it comes to highly false positive prone rules with 
scores of 1.5 or even higher


Re: v=spf1 +all

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>>On Fri, 24 Apr 2015 15:38:15 +0200
>>Reindl Harald <h....@thelounge.net> wrote:
>>>well, and how does SPF become part of the game in case of a throw-away
>>>domain as long as "score SPF_NONE 0" - why in the world should a
>>>spammer add a TXT record to a throw-away domain?

>Am 24.04.2015 um 15:50 schrieb Dianne Skoll:
>>Ummm.... are you really that unclear on the concept?  I'll explain it
>>carefully:
>>
>>Spammers know that (some) filters filter less aggressively than normal
>>on an SPF "pass".  So they register a throwaway domain and use that
>>in the envelope sender.  They publish a TXT record for that domain to
>>ensure they get an SPF pass.
>>
>>There.  That wasn't so hard, was it?

On 24.04.15 15:55, Reindl Harald wrote:
>and how does that concern an SA setup?

SA setup will detect such domains and will score mail positively.
Is there something other to explain?

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I intend to live forever - so far so good. 

Re: v=spf1 +all

Posted by Reindl Harald <h....@thelounge.net>.
Am 24.04.2015 um 15:50 schrieb Dianne Skoll:
> On Fri, 24 Apr 2015 15:38:15 +0200
> Reindl Harald <h....@thelounge.net> wrote:
>
>> well, and how does SPF become part of the game in case of a throw-away
>> domain as long as "score SPF_NONE 0" - why in the world should a
>> spammer add a TXT record to a throw-away domain?
>
> Ummm.... are you really that unclear on the concept?  I'll explain it
> carefully:
>
> Spammers know that (some) filters filter less aggressively than normal
> on an SPF "pass".  So they register a throwaway domain and use that
> in the envelope sender.  They publish a TXT record for that domain to
> ensure they get an SPF pass.
>
> There.  That wasn't so hard, was it?

and how does that concern an SA setup?

it's that filter's fault to score SPF pass lower instead of only penalising 
SPF fail, since *most* spam making it through the filters before SA anyway 
has SPF_PASS and comes from gmail, hotmail and other freemail providers

score ENV_AND_HDR_SPF_MATCH -0.5
score SPF_NONE 0
score SPF_HELO_NONE 0
score SPF_PASS -0.001
score SPF_HELO_PASS -0.001
score SPF_FAIL 0 0.919 0 0.001 # n=0 n=2
score SPF_HELO_FAIL 0 0.001 0 0.001 # n=0 n=2
score SPF_HELO_NEUTRAL 0 0.001 0 0.112 # n=0 n=2
score SPF_HELO_SOFTFAIL 0 0.896 0 0.732 # n=0 n=2
score SPF_NEUTRAL 0 0.652 0 0.779 # n=0 n=2
score SPF_SOFTFAIL 0 0.972 0 0.665 # n=0 n=2
score FROM_MISSP_SPF_FAIL                   0.001 1.000 0.001 1.000
score TO_EQ_FM_DOM_SPF_FAIL                 0.001 0.001 0.001 0.001
score TO_EQ_FM_SPF_FAIL                     0.001 0.001 0.001 0.001


Re: v=spf1 +all

Posted by Dianne Skoll <df...@roaringpenguin.com>.
On Fri, 24 Apr 2015 15:38:15 +0200
Reindl Harald <h....@thelounge.net> wrote:

> well, and how does SPF become part of the game in case of a throw-away 
> domain as long as "score SPF_NONE 0" - why in the world should a
> spammer add a TXT record to a throw-away domain?

Ummm.... are you really that unclear on the concept?  I'll explain it
carefully:

Spammers know that (some) filters filter less aggressively than normal
on an SPF "pass".  So they register a throwaway domain and use that
in the envelope sender.  They publish a TXT record for that domain to
ensure they get an SPF pass.

There.  That wasn't so hard, was it?

Regards,

Dianne.

Re: v=spf1 +all

Posted by Joe Quinn <jq...@pccc.com>.
On 4/24/2015 9:38 AM, Reindl Harald wrote:
>
> Am 24.04.2015 um 15:22 schrieb Dianne Skoll:
>> On Fri, 24 Apr 2015 15:17:45 +0200
>> Reindl Harald <h....@thelounge.net> wrote:
>>
>>>> v=spf1 exists:gmail.com -all
>>
>>> makes no sense - the spammers don't own the domain in most cases, and
>>> if they do then they just don't add an SPF policy to use it with
>>> infected clients
>>
>> Spammers often register and use throwaway domains.  And check how the
>> exists: mechanism works
>
> well, and how does SPF become part of the game in case of a throw-away 
> domain as long as "score SPF_NONE 0" - why in the world should a 
> spammer add a TXT record to a throw-away domain?
>
>
Because passing SPF causes other checks to not trigger. For instance, 
KAM.cf has a lot of rules that meta on KAM_LAZY_DOMAIN_SECURITY. The 
default spamassassin rules also meta extensively on SPF failure, via 
__NOT_SPOOFED.

Re: v=spf1 +all

Posted by Reindl Harald <h....@thelounge.net>.
Am 24.04.2015 um 15:22 schrieb Dianne Skoll:
> On Fri, 24 Apr 2015 15:17:45 +0200
> Reindl Harald <h....@thelounge.net> wrote:
>
>>> v=spf1 exists:gmail.com -all
>
>> makes no sense - the spammers don't own the domain in most cases, and
>> if they do then they just don't add an SPF policy to use it with
>> infected clients
>
> Spammers often register and use throwaway domains.  And check how the
> exists: mechanism works

well, and how does SPF become part of the game in case of a throw-away 
domain as long as "score SPF_NONE 0" - why in the world should a spammer 
add a TXT record to a throw-away domain?



Re: v=spf1 +all

Posted by Dianne Skoll <df...@roaringpenguin.com>.
On Fri, 24 Apr 2015 15:17:45 +0200
Reindl Harald <h....@thelounge.net> wrote:

> > v=spf1 exists:gmail.com -all

> makes no sense - the spammers don't own the domain in most cases, and
> if they do then they just don't add an SPF policy to use it with
> infected clients

Spammers often register and use throwaway domains.  And check how the
exists: mechanism works.

Regards,

Dianne.

Re: v=spf1 +all

Posted by Reindl Harald <h....@thelounge.net>.
Am 24.04.2015 um 15:13 schrieb Dianne Skoll:
> On Fri, 24 Apr 2015 13:13:12 +0200
> Benny Pedersen <me...@junc.eu> wrote:
>
>> thanks for update, nice work
>
> Yes.  I wonder how long until spammers use:
>
> v=spf1 ip4:0.0.0.0/1 ip4:128.0.0.0/1 -all
>
> or even:
>
> v=spf1 exists:gmail.com -all

makes no sense - the spammers don't own the domain in most cases, and if 
they do then they just don't add an SPF policy to use it with infected 
clients


Re: v=spf1 +all

Posted by Joe Quinn <jq...@pccc.com>.
On 4/24/2015 11:23 AM, Dianne Skoll wrote:
> On Fri, 24 Apr 2015 16:20:41 +0100
> Paul Stead <pa...@zeninternet.co.uk> wrote:
>
>> I've had thoughts of an extension which calculates the number of IP
>> addresses specified in an SPF record, then calculating the % of
>> world-wide addresses this SPF declares... I don't seem to be able to
>> bend the Perl SPF module to spit out any numbers etc, so it seems it
>> would have to be coded separately
> Someone sent me off-list some Perl that does that.  I haven't looked closely
> at it.  If that person is on this list, maybe he'll send it on-list?
>
> Regards,
>
> Dianne.
I suppose it's safe enough to post publicly. Be aware that it's just a 
proof of concept and not tested thoroughly enough to guarantee it's 
correct or performant, or even that it terminates in all cases.

Theoretically, it does the following
     detect +all and ?all (both of which specify to deliver without marking)
     detect coverage of the IPv4 and v6 address spaces (by /16)
     detect when followed records exceed a max depth
     detect when an SPF record loops on itself
     detect uninterpolated exists
     detect syntax errors in exists macros

It also stores IP coverage as a bitmask, so it should measure somewhere 
around 16k - 20k of memory consumption as well. Script is attached, 
anyone can feel free to adapt it for SA.

Re: v=spf1 +all

Posted by Dianne Skoll <df...@roaringpenguin.com>.
On Fri, 24 Apr 2015 16:20:41 +0100
Paul Stead <pa...@zeninternet.co.uk> wrote:

> I've had thoughts of an extension which calculates the number of IP
> addresses specified in an SPF record, then calculating the % of
> world-wide addresses this SPF declares... I don't seem to be able to
> bend the Perl SPF module to spit out any numbers etc, so it seems it
> would have to be coded separately

Someone sent me off-list some Perl that does that.  I haven't looked closely
at it.  If that person is on this list, maybe he'll send it on-list?

Regards,

Dianne.

Re: v=spf1 +all

Posted by Paul Stead <pa...@zeninternet.co.uk>.

On 24/04/15 14:13, Dianne Skoll wrote:
> On Fri, 24 Apr 2015 13:13:12 +0200
> Benny Pedersen <me...@junc.eu> wrote:
>
>> thanks for update, nice work
>
> Yes.  I wonder how long until spammers use:
>
> v=spf1 ip4:0.0.0.0/1 ip4:128.0.0.0/1 -all
>
> or even:
>
> v=spf1 exists:gmail.com -all

I've had thoughts of an extension which calculates the number of IP
addresses specified in an SPF record, then calculating the % of
world-wide addresses this SPF declares... I don't seem to be able to
bend the Perl SPF module to spit out any numbers etc, so it seems it
would have to be coded separately

Paul
--
Paul Stead
Systems Engineer
Zen Internet

Re: v=spf1 +all

Posted by Dianne Skoll <df...@roaringpenguin.com>.
On Fri, 24 Apr 2015 13:13:12 +0200
Benny Pedersen <me...@junc.eu> wrote:

> thanks for update, nice work

Yes.  I wonder how long until spammers use:

v=spf1 ip4:0.0.0.0/1 ip4:128.0.0.0/1 -all

or even:

v=spf1 exists:gmail.com -all

Unfortunately, the SPF spec makes it tricky to chase down all possible
equivalencies to +all.  Bah.

Regards,

Dianne.
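
The following Python script is an added example and not code from this
thread: it is neither the SPF plugin patch Andreas posted nor the Perl
proof of concept Joe Quinn describes. It illustrates, offline, the checks
discussed in the messages above: Dianne's "+all" equivalents
(ip4:0.0.0.0/1 ip4:128.0.0.0/1 and a macro-less exists:), Paul's idea of
measuring what share of the address space a record authorises, and the
loop, nesting depth and "?all" checks in Joe's list. Every domain name and
TXT record in FAKE_TXT is constructed for the example, and the finding
codes, the function names and the 0.5 coverage threshold are the
example's own choices. Coverage is computed exactly by merging the CIDR
blocks with ipaddress.collapse_addresses rather than with a /16 bitmask;
a, mx and ptr mechanisms are only reported, since resolving them needs
live DNS, and "?all" is reported but not counted as authorising because
SPF neutral is not a pass.

```python
"""Offline SPF policy analyser (added example, not code from this thread).

Flags records that effectively authorise any sender: "+all", near-total
ip4/ip6 coverage, and "exists:" with no macro. Reports "?all", a/mx/ptr
mechanisms, include/redirect loops and excessive nesting. DNS lookups are
replaced by a constructed table so the script runs without network access."""
import ipaddress
import re

MAX_DEPTH = 10            # RFC 7208 allows at most 10 DNS-querying terms per check
COVERAGE_THRESHOLD = 0.5  # arbitrary choice: half the address space counts as "any sender"
V4_SPACE = 1 << 32
V6_SPACE = 1 << 128

# Constructed TXT records for hypothetical domains. The first four mirror the
# records quoted in the thread; the rest exercise a loop and a normal policy.
FAKE_TXT = {
    "plusall.example": "v=spf1 +all",
    "neutral.example": "v=spf1 a mx ?all",
    "halves.example": "v=spf1 ip4:0.0.0.0/1 ip4:128.0.0.0/1 -all",
    "exists.example": "v=spf1 exists:gmail.com -all",
    "loop-a.example": "v=spf1 include:loop-b.example -all",
    "loop-b.example": "v=spf1 include:loop-a.example -all",
    "sane.example": "v=spf1 ip4:192.0.2.0/24 include:relay.example -all",
    "relay.example": "v=spf1 ip4:198.51.100.0/24 ~all",
}

def lookup_txt(domain):
    """Stand-in for a DNS TXT query; returns None when no record exists."""
    return FAKE_TXT.get(domain.lower())

# qualifier, mechanism/modifier name, separator (":" "=" or "/"), argument
TERM_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:([:=/])(.*))?$", re.I)

def _walk(domain, lookup, out, depth, path):
    if depth > MAX_DEPTH:
        out["findings"].append(("DEPTH", domain))
        return
    if domain in path:                       # include/redirect cycle
        out["findings"].append(("LOOP", domain))
        return
    record = lookup(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        out["findings"].append(("NO_RECORD", domain))
        return
    path = path + (domain,)
    redirect = None
    for term in record.split()[1:]:
        m = TERM_RE.match(term)
        if not m:
            out["findings"].append(("SYNTAX", term))
            continue
        qual, name, sep, arg = m.group(1) or "+", m.group(2).lower(), m.group(3), m.group(4)
        if sep == "=":                       # modifier: only redirect= matters here
            if name == "redirect":
                redirect = arg
            continue
        if name == "all":                    # nothing after "all" is ever evaluated
            if qual in "+?":
                out["findings"].append((qual + "all", domain))
            return
        if qual != "+":
            continue                         # only a "pass" qualifier authorises a sender
        if name in ("ip4", "ip6", "include", "exists") and not arg:
            out["findings"].append(("SYNTAX", term))
            continue
        try:
            if name == "ip4":
                out["v4"].append(ipaddress.IPv4Network(arg, strict=False))
            elif name == "ip6":
                out["v6"].append(ipaddress.IPv6Network(arg, strict=False))
            elif name == "include":
                _walk(arg, lookup, out, depth + 1, path)
            elif name == "exists":
                if "%" not in arg:           # no macro: matches every sender once the name resolves
                    out["findings"].append(("EXISTS_NO_MACRO", term))
            elif name in ("a", "mx", "ptr"): # needs live DNS; report but do not count
                out["findings"].append(("HOST_DEPENDENT", term))
            else:
                out["findings"].append(("UNKNOWN", term))
        except ValueError:
            out["findings"].append(("SYNTAX", term))
    if redirect:
        _walk(redirect, lookup, out, depth + 1, path)

def analyse(domain, lookup=lookup_txt):
    """Return findings plus the fraction of IPv4/IPv6 space the policy passes."""
    out = {"findings": [], "v4": [], "v6": []}
    _walk(domain, lookup, out, 0, ())
    v4 = sum(n.num_addresses for n in ipaddress.collapse_addresses(out["v4"]))
    v6 = sum(n.num_addresses for n in ipaddress.collapse_addresses(out["v6"]))
    out["v4_fraction"] = v4 / V4_SPACE
    out["v6_fraction"] = v6 / V6_SPACE
    codes = {code for code, _ in out["findings"]}
    out["allows_any"] = (
        "+all" in codes or "EXISTS_NO_MACRO" in codes
        or out["v4_fraction"] >= COVERAGE_THRESHOLD
        or out["v6_fraction"] >= COVERAGE_THRESHOLD
    )
    return out

if __name__ == "__main__":
    for d in FAKE_TXT:
        r = analyse(d)
        print(f"{d:18} allows_any={r['allows_any']!s:5} "
              f"v4={r['v4_fraction']:.3%} findings={r['findings']}")
```

To use it against real domains, replace lookup_txt with a resolver call and
keep the depth limit: a record that nests includes deeper than RFC 7208
permits would already evaluate to permerror in a compliant checker, so
following it further only costs queries.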

Re: v=spf1 +all

Posted by Benny Pedersen <me...@junc.eu>.
A. Schulze skrev den 2015-04-23 19:24:

> I wrote a little patch for the SPF plugin to detect domains
> authenticating any IP by SPF.

thanks for update, nice work

> Unfortunately I also found domains that don't really send spam using "+all" ¹)
> Any comments?

in spamassassin +all will not inherit whitelist_from_spf

if the plusall domains start spamming they will be added here to 
blacklist_from



Re: v=spf1 +all

Posted by Reindl Harald <h....@thelounge.net>.

Am 23.04.2015 um 19:24 schrieb A. Schulze:
> Hello,
>
> I wrote a little patch for the SPF plugin to detect domains
> authenticating any IP by SPF.
> Usage:
>
> local.cf
>    header SPF_PASS_PLUSALL                 eval:check_for_spf_pass_plusall()
>    header SPF_HELO_PASS_PLUSALL            eval:check_for_spf_helo_pass_plusall()
>    describe SPF_PASS_PLUSALL               SPF: SPF record allows any sender
>    describe SPF_HELO_PASS_PLUSALL          SPF: SPF record allows any HELO
>    lang de describe SPF_PASS_PLUSALL       SPF: SPF-Datensatz erlaubt beliebige Senderechner
>    lang de describe SPF_HELO_PASS_PLUSALL  SPF: SPF-Datensatz erlaubt beliebige HELO-Namen
>    score SPF_PASS_PLUSALL                  0.001
>    score SPF_HELO_PASS_PLUSALL             0.001
>
> Unfortunately I also found domains that don't really send spam using "+all" ¹)
> Any comments?

shouldn't that be combined into SPF_NONE, which it practically is, instead 
of a new tag / rule?


Re: v=spf1 +all

Posted by Joe Quinn <jq...@pccc.com>.
On 4/23/2015 1:24 PM, A. Schulze wrote:
> Hello,
>
> I wrote a little patch for the SPF plugin to detect domains 
> authenticating any IP by SPF.
> Usage:
>
> local.cf
>   header SPF_PASS_PLUSALL                 eval:check_for_spf_pass_plusall()
>   header SPF_HELO_PASS_PLUSALL            eval:check_for_spf_helo_pass_plusall()
>   describe SPF_PASS_PLUSALL               SPF: SPF record allows any sender
>   describe SPF_HELO_PASS_PLUSALL          SPF: SPF record allows any HELO
>   lang de describe SPF_PASS_PLUSALL       SPF: SPF-Datensatz erlaubt beliebige Senderechner
>   lang de describe SPF_HELO_PASS_PLUSALL  SPF: SPF-Datensatz erlaubt beliebige HELO-Namen
>   score SPF_PASS_PLUSALL                  0.001
>   score SPF_HELO_PASS_PLUSALL             0.001
>
> Unfortunately I also found domains that don't really send spam using "+all" ¹)
> Any comments?
>
> Andreas
>
>
> ¹) 
> https://listi.jpberlin.de/pipermail/postfixbuch-users/2015-April/062921.html
>
>
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7099#c4

Over the past 10 days on a busy production server, we've seen 7164 hits, 
of which only 36 are ham.