Posted to dev@spamassassin.apache.org by Daniel Quinlan <qu...@pathname.com> on 2005/01/10 01:31:09 UTC

initial analysis of SPF_PASS results

First, large ISPs seem to be the origination point for a *lot* of spam.

Second, here's my list of the domains we could potentially whitelist for
SPF_PASS results (high count, good ratio, not biased towards open source
folks).

0.0000  90      health.webmd.com
0.0000  27      foolsubs.com
0.0000  23      ms3.lga2.nytimes.com (list *.nytimes.com ?)
0.0000  17      match.com
0.0000  9       paypal.com

For a different and even less biased approach, I took the listings with
0.01 or lower S/O ratio and ranked them by SenderBase volume (entries
above 6.0 on the volume scale).  Note that I just extracted
registrar-level domain names from the SPF domain lists, so some of these
are definitely not completely clean or are not immediately
whitelistable.

domain                  volume  whitelist?
--------------------    ------  ----------
ebay.com                7.5     yeah
amazon.com              6.7     yeah
speakeasy.net           6.6
paypal.com              6.6     yeah
msn.com                 6.6
roving.com              6.5
nytimes.com             6.5     yeah
m0.net                  6.5
classmates.com          6.5
exacttarget.com         6.4
sparklist.com           6.2
sourceforge.net         6.1
securityfocus.com       6.1
spamarrest.com          6.0
rm04.net                6.0
redhat.com              6.0
foolsubs.com            6.0     yeah
bluehornet.com          6.0

So, based on all that, I'm thinking we could experimentally add SPF_PASS
whitelists for:

  ebay.com
  amazon.com
  paypal.com
  nytimes.com
  foolsubs.com
  webmd.com
  match.com

I checked NANAE and the above domains seem to be pretty clean and this
jibes with my recollection.

-- 
Daniel Quinlan
http://www.pathname.com/~quinlan/
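
The selection described in the message above (collapse SPF_PASS domains to the registrar-level name, compute the S/O ratio, keep high-count, low-ratio domains), as an added example that is not part of the original post or SpamAssassin code. It assumes S/O is spam / (spam + ham) over message counts; the sample records, the `.example` domains, the thresholds defaults and the two-entry suffix set are constructed, and the SenderBase volume ranking is not modelled.

```python
from collections import defaultdict

# Tiny stand-in for a public-suffix list (assumption; use a real list in practice).
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au"}

# Constructed sample: (corpus class, domain that produced SPF_PASS). Not real data.
SAMPLE = (
    [("ham", "health.webmd.com")] * 9
    + [("ham", "ms3.lga2.nytimes.com")] * 6
    + [("ham", "nytimes.com")] * 2
    + [("ham", "bigisp.example")] * 4
    + [("spam", "bigisp.example")] * 16
    + [("spam", "pool.dyn.example.co.uk")] * 5
    + [("ham", "smallsender.example")] * 2
)

def registrable(domain):
    """Reduce a host name to its registrar-level domain."""
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def so_table(records):
    """Map registrar-level domain -> (S/O ratio, total messages)."""
    counts = defaultdict(lambda: [0, 0])  # domain -> [spam, ham]
    for cls, domain in records:
        counts[registrable(domain)][0 if cls == "spam" else 1] += 1
    return {d: (s / (s + h), s + h) for d, (s, h) in counts.items()}

def candidates(records, max_so=0.01, min_count=5):
    """Domains with a low S/O ratio and enough mail to trust it, by count."""
    picked = [(d, so, n) for d, (so, n) in so_table(records).items()
              if so <= max_so and n >= min_count]
    return sorted(picked, key=lambda row: (-row[2], row[0]))

if __name__ == "__main__":
    for domain, so, n in candidates(SAMPLE):
        print(f"{so:.4f}  {n:<6}  {domain}")
```

Collapsing subdomains first matters: a sender that splits mail across many host names only reaches the count threshold once its records are merged, and a domain with few messages stays off the list even at a ratio of zero.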

Re: initial analysis of SPF_PASS results

Posted by Daniel Quinlan <qu...@pathname.com>.
> Large ISPs' outbound relays, or direct from their dynamic pools?
> e.g. blueyonder.co.uk list their dyn pools in their SPF record,
> which is unfortunate but legal.

I suspect some of that, plus a lot of whatever bug is causing that AOL
SPF_PASS false match I reported.  That was the first reputable ISP I
checked for SPF_PASS hits vs. their MAIL FROM in my spam folder, so I
suspect there are a lot more problems that way.

Daniel

-- 
Daniel Quinlan
http://www.pathname.com/~quinlan/