Posted to users@spamassassin.apache.org by John Hardin <jo...@aproposretail.com> on 2004/09/11 01:52:02 UTC

SPF and spammers

A thought: now that spammers are using SPF to "legitimize" their email,
could *we* use it as a means to shut them down sooner?

I.E.: get an email that passes SPF, and scores high. Look at the
relevant SPF record and blacklist/high-score all of the hosts it states
are valid sources for that sender domain.

Well? FP problems maybe. Sufficient benefit to pursue?

--
John Hardin  KA7OHZ                           <jo...@aproposretail.com>
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
-----------------------------------------------------------------------
 If you smash a computer to bits with a mallet, that appears to count
 as encryption in the state of Nevada.
                                               - CRYPTO-GRAM 12/2001
-----------------------------------------------------------------------


Re: SPF and spammers

Posted by John Hardin <jo...@aproposretail.com>.
On Fri, 2004-09-10 at 17:12, Kelson wrote:
> John Hardin wrote:
> > I.E.: get an email that passes SPF, and scores high. Look at the
> > relevant SPF record and blacklist/high-score all of the hosts it states
> > are valid sources for that sender domain.
> 
> Bad, *bad* idea.  You're inviting DOSes.  Given that the spammer has 
> control of his own SPF record, he can list anything he wants there -- 
> say, 3 of his own servers followed by *Yahoo's* mail servers.  Bang, 
> he's tricked you into blacklisting Yahoo.

...and manual vetting would be an unacceptable amount of work for small
gain.

Okay, idea withdrawn. I guess getting spammers to shoot themselves won't
be quite *that* easy... :)

--
John Hardin  KA7OHZ                           <jo...@aproposretail.com>
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
-----------------------------------------------------------------------
 If you smash a computer to bits with a mallet, that appears to count
 as encryption in the state of Nevada.
                                               - CRYPTO-GRAM 12/2001
-----------------------------------------------------------------------


Re: SPF and spammers

Posted by Kelson <ke...@speed.net>.
Steve Bertrand wrote:
> I work for an ISP. My laptop, seldom moved from the office, is
> configured to send out my steve@mydomain.com email through this ISP
> SMTP server. I take my laptop home, which is connected to a different
> SMTP server. Unwittingly, I change the SMTP server to the home ISP's
> server and send out mail (which was always a common practice).
> 
> AFAICT, this instance would blacklist me and/or my entire domain
> because of a user mistake...correct? (As it would send my
> steve@domain.com email through a server not listed in our SPF
> records).

It's already been agreed that the proposal to blacklist based on SPF 
results is a bad idea.

As for reacting to the SPF result *on a particular message*, it depends 
on how you've set up your SPF record.  If it's feasible, you can add 
your home ISP's mail server to the list of allowed servers (or indicate 
that it should be treated as neutral).  Alternatively, you can use 
SMTP-AUTH to send through the mydomain.com mail server.

-- 
Kelson Vibber
SpeedGate Communications <www.speed.net>


Re: SPF and spammers

Posted by Codger <li...@pmbx.net>.
SPF wouldn't add you to a blacklist since it operates realtime (at the 
SMTP level). But just because you log in to your home ISP doesn't mean 
you can't send mail through your work ISP if you have SMTP 
authentication of course.

In that instance you'll know immediately that your SMTP fails and that 
you've got an incorrect configuration. You then correct the SMTP sender 
for any particular work email and resend.

FWIW, all of our clients use their boxes remotely since we don't offer 
dialup service. They have to do the same thing.

On Sep 13, 2004, at 3:19 PM, Steve Bertrand wrote:

>> But still, my recommendation is to use an SPF pass to decrease the
>> spam
>> score and to not use SPF fails to blacklist.
>
> This is really the first post I've looked at on this thread, but I see
> your point...correct me if I am wrong with this situation:
>
> I work for an ISP. My laptop, seldom moved from the office, is
> configured to send out my steve@mydomain.com email through this ISP
> SMTP server. I take my laptop home, which is connected to a different
> SMTP server. Unwittingly, I change the SMTP server to the home ISP's
> server and send out mail (which was always a common practice).
>
> AFAICT, this instance would blacklist me and/or my entire domain
> because of a user mistake...correct? (As it would send my
> steve@domain.com email through a server not listed in our SPF
> records).
>
> Steve

Kindest regards,

Ron

"What shall we do? What shall we do?" he cried, "Escaping goblins to be 
caught by wolves!" - Bilbo Baggins

The Hobbit by J. R. R. Tolkien
http://www.apple.com/trailers/newline/returnoftheking/trailer_large.html


Re: SPF and spammers

Posted by Steve Bertrand <ia...@ibctech.ca>.
> But still, my recommendation is to use an SPF pass to decrease the
> spam
> score and to not use SPF fails to blacklist.

This is really the first post I've looked at on this thread, but I see
your point...correct me if I am wrong with this situation:

I work for an ISP. My laptop, seldom moved from the office, is
configured to send out my steve@mydomain.com email through this ISP
SMTP server. I take my laptop home, which is connected to a different
SMTP server. Unwittingly, I change the SMTP server to the home ISP's
server and send out mail (which was always a common practice).

AFAICT, this instance would blacklist me and/or my entire domain
because of a user mistake...correct? (As it would send my
steve@domain.com email through a server not listed in our SPF
records).

Steve

>
> On Sep 13, 2004, at 1:39 PM, Kelson wrote:
>
>> You're misunderstanding.  The suggestion was to take spam that
>> passed
>> SPF, look for the other servers listed in that SPF record, and add
>> those servers to a blacklist.
>>
>> 1. Spam comes in from dirtbag.tld via mail.dirtbag.tld
>> 2. SPF record for dirtbag.tld lists both mail.dirtbag.tld and
>> mail.yahoo.com as valid senders (even though they can't actually
>> send
>> through Yahoo): "v=spf1 a:mail.dirtbag.tld a:mail.yahoo.com -all"
>> 3. Your mail server recognizes that (a) it's spam, and (b) it passes
>> SPF.
>> 4. As per the original suggestion, check that SPF records for
>> blacklist material, and you add mail.dirtbag.tld and mail.yahoo.com
>> to
>> your blacklist.
>> 5. Next time mail comes in from mail.yahoo.com, it's blocked.
>>
>> Of course, there's no reason for spammers to put bogus info in their
>> SPF records *unless* people do this, since if people use it as
>> designed, it won't gain them anything.  Although I can see them just
>> putting up "v=spf1 +all" at least short-term so that they can use
>> their usual zombie networks, though at least they'd have to use
>> their
>> own addresses and deal with the bounces themselves.
>>
>
> Kindest regards,
>
> Ron
>
> "What shall we do? What shall we do?" he cried, "Escaping goblins to
> be
> caught by wolves!" - Bilbo Baggins
>
> The Hobbit by J. R. R. Tolkien
> http://www.apple.com/trailers/newline/returnoftheking/trailer_large.html
>
>



Re: SPF and spammers

Posted by Kelson <ke...@speed.net>.
gcirino@cirelle.com wrote:
> Its (SPF) primary purpose is to identify legitimate MTAs and prevent
> the Joe Jobs.

Correct.

> At best, it only allows us to dump mail sent to us by
> someone spoofing our domain and only if it is sent to us.

You don't need SPF for that.  There are lots of ways you can dump 
incoming mail using your domain that doesn't come through valid 
channels, because you already know (in theory) what those channels are.

The benefit of SPF is that *other* people now have the ability to check 
for people spoofing your domain. (And from another perspective, you can 
check for people spoofing other people's domains.)

> Everyone
> else still gets the junk with the spoofed domain (unless of course
> they are using spfquery or some other SPF mechanism).

And those who *are* checking *can* dump it.

> For the most part and I'd say 99.999 (maybe add more 9's)% of the
> time, the SPF result is "None". You can't do anything effective with
> that.

(I'd dispute this figure unless you rarely get mail from people at AOL, 
Earthlink, Gmail, etc.)

It's a network effect: the more people using SPF, the more useful it 
becomes.  When the only people I knew who had email were my family, and 
I lived in the same house, email wasn't very useful.  When I went to 
college and suddenly all my friends had email, it became very useful.

> Legitimately, the only result that should get points is a "Fail"; all
> others should pass on through, otherwise, you may be bumping up
> scores to give yourself false positives.

I'm inclined to agree here.  On the other hand, it may be worth using an 
SPF pass as a condition in a metarule that looks at the sending address.

-- 
Kelson Vibber
SpeedGate Communications <www.speed.net>


Re: SPF and spammers

Posted by Codger <li...@pmbx.net>.
Hmmm. I just checked my MTA logs for one six-hour period and have 10 
SPF fails so that one in 100,000 can't be accurate.

On Sep 14, 2004, at 9:11 AM, Tom Meunier wrote:

> gcirino@cirelle.com wrote:
>
>> For the most part and I'd say 99.999 (maybe add more 9's)% of the
>>
>> time, the SPF result is "None". You can't do anything effective with
>> that.
>>
> On average, you'll need to receive more than 100,000 emails to receive 
> ONE from a domain with an SPF record?   Impossible.  You get far more 
> mail than that from SPF adopters AOL, Earthlink, GMAIL, and let's say 
> spamassassin.apache.org or nytimes.com.
> <Bitter because I'm a lame home user now, so I don't have an 
> enterprise to play with smtp gateway stats>
>
> -- 
> -tom
>
>

Kindest regards,

Ron

"What shall we do? What shall we do?" he cried, "Escaping goblins to be 
caught by wolves!" - Bilbo Baggins

The Hobbit by J. R. R. Tolkien
http://www.apple.com/trailers/newline/returnoftheking/trailer_large.html


Re: SPF and spammers

Posted by j o a r <jo...@joar.com>.
On 2004-09-14, at 15.11, Tom Meunier wrote:

>> For the most part and I'd say 99.999 (maybe add more 9's)% of the
>>
>> time, the SPF result is "None". You can't do anything effective with
>> that.
>>
> On average, you'll need to receive more than 100,000 emails to receive 
> ONE from a domain with an SPF record?   Impossible.  You get far more 
> mail than that from SPF adopters AOL, Earthlink, GMAIL, and let's say 
> spamassassin.apache.org or nytimes.com.
> <Bitter because I'm a lame home user now, so I don't have an 
> enterprise to play with smtp gateway stats>

These are my stats from yesterday:

                  none:      (85 %)
                  pass:       (8 %)
                 error:       (2 %)
               unknown:       (1 %)
                  fail:       (1 %)
              softfail:        (0 %)
               neutral:        (0 %)

(Note that because of rounding to integer values 0% might not indicate 
0 hits.)

j o a r


Re: SPF and spammers

Posted by Tom Meunier <to...@mvps.org>.
gcirino@cirelle.com wrote:

> For the most part and I'd say 99.999 (maybe add more 9's)% of the
>
>time, the SPF result is "None". You can't do anything effective with
>that.
>  
>
On average, you'll need to receive more than 100,000 emails to receive 
ONE from a domain with an SPF record?   Impossible.  You get far more 
mail than that from SPF adopters AOL, Earthlink, GMAIL, and let's say 
spamassassin.apache.org or nytimes.com.  

<Bitter because I'm a lame home user now, so I don't have an enterprise 
to play with smtp gateway stats>

-- 
-tom


Re: SPF and spammers

Posted by gc...@cirelle.com.
>
> If the SPF records pass then the blacklisting becomes effective
> since
> spammers can't hide. You could add a small number of points for a
> pass
> in that case of course (or not if you wish). That's in sync with
> SA's
> sum total approach where multifaceted point scoring produces the
> most
> acceptable results overall.
>
> If the SPF records fail (really fail I mean) then the email (at the
> MTA
> SMTP level) is simply rejected and SA would never be invoked.
>
> Kindest regards,
>
> Ron
>


We have been using SPF since March (outside of SA in custom
filtering) via spfquery and, as Ron has suggested, email identified
with a "Fail" never goes through our filtering or delivery process
including SA.

We have found SPF to be ineffective for catching spammers in and of
itself.

Its (SPF) primary purpose is to identify legitimate MTAs and prevent
the Joe Jobs. At best, it only allows us to dump mail sent to us by
someone spoofing our domain and only if it is sent to us.  Everyone
else still gets the junk with the spoofed domain (unless of course
they are using spfquery or some other SPF mechanism).

For the most part and I'd say 99.999 (maybe add more 9's)% of the
time, the SPF result is "None". You can't do anything effective with
that.

The other results "Pass", "Soft Fail", and "Fail" are very
non-existent as this is still early in the adoption process.

Legitimately, the only result that should get points is a "Fail"; all
others should pass on through, otherwise, you may be bumping up
scores to give yourself false positives.

Just think what would happen if you gave a few points to every email
that did not originate from an MTA with the proper rDNS. Your false
positives would go through the roof.

Also, consider the scenario where an individual has his domain
hosted with "SomeHost" and sends email using his domain name from
"HisCableCo". If the DNS admin doesn't put an SPF entry in the
domain record for "HisCableCo", you will never see a "Pass" for that
individual but more likely will see a "None" and if "HisCableCo"
uses SPF (probably no chance of that), you will get a "Fail".

This discussion has been ongoing on the SPF list.

My 2Bits

Best Regards

Greg





Re: SPF and spammers

Posted by Codger <li...@pmbx.net>.
On Sep 13, 2004, at 9:22 PM, Bill Landry wrote:

> ----- Original Message -----
> From: "Codger" <li...@pmbx.net>
>
>>
>> If you already use a blacklisting host(s) and also use SPF then the
>> combination would be more effective than either alone, whether the SPF
>> added or removed points even.
>
> I agree that using SPF in concert with other spam filters is a good 
> thing
> for additional spam blocking capabilities.  But why would you ever 
> want to
> deduct points from a spammers e-mail by deducting points for SPF pass,
> especially if you know that more spammers have created SPF records than
> legitimate domains have?
>

If the SPF records pass then the blacklisting becomes effective since 
spammers can't hide. You could add a small number of points for a pass 
in that case of course (or not if you wish). That's in sync with SA's 
sum total approach where multifaceted point scoring produces the most 
acceptable results overall.

If the SPF records fail (really fail I mean) then the email (at the MTA 
SMTP level) is simply rejected and SA would never be invoked.

Kindest regards,

Ron

"What shall we do? What shall we do?" he cried, "Escaping goblins to be 
caught by wolves!" - Bilbo Baggins

The Hobbit by J. R. R. Tolkien
http://www.apple.com/trailers/newline/returnoftheking/trailer_large.html


Re: SPF and spammers

Posted by Bill Landry <bi...@pointshare.com>.
----- Original Message ----- 
From: "Codger" <li...@pmbx.net>

> But the fact that they do create the SPF records then makes all the
> other rules like SURBL more effective. The strength they have had till
> SPF has been the fact that they could forge domains.
>
> If you already use a blacklisting host(s) and also use SPF then the
> combination would be more effective than either alone, whether the SPF
> added or removed points even.

I agree that using SPF in concert with other spam filters is a good thing
for additional spam blocking capabilities.  But why would you ever want to
deduct points from a spammers e-mail by deducting points for SPF pass,
especially if you know that more spammers have created SPF records than
legitimate domains have?

Bill


Re: SPF and spammers

Posted by Codger <li...@pmbx.net>.
But the fact that they do create the SPF records then makes all the 
other rules like SURBL more effective. The strength they have had till 
SPF has been the fact that they could forge domains.

If you already use a blacklisting host(s) and also use SPF then the 
combination would be more effective than either alone, whether the SPF 
added or removed points even.

On Sep 13, 2004, at 3:01 PM, Bill Landry wrote:

> ----- Original Message -----
> From: "Codger" <li...@pmbx.net>
> To: "SpamAssassin list" <us...@spamassassin.apache.org>
> Sent: Monday, September 13, 2004 11:51 AM
> Subject: Re: SPF and spammers
>
>
>> But still, my recommendation is to use an SPF pass to decrease the 
>> spam
>> score and to not use SPF fails to blacklist.
>
> That would be a very bad idea, since more spammers have created SPF 
> records
> than legitimate domains (been lots of information about this in the 
> tech
> press lately).  I would not give any benefit to SPF pass, but would
> certainly penalize SPF fail.
>
> Bill
>
>

Kindest regards,

Ron

"What shall we do? What shall we do?" he cried, "Escaping goblins to be 
caught by wolves!" - Bilbo Baggins

The Hobbit by J. R. R. Tolkien
http://www.apple.com/trailers/newline/returnoftheking/trailer_large.html


Re: SPF and spammers

Posted by Bill Landry <bi...@pointshare.com>.
----- Original Message ----- 
From: "Codger" <li...@pmbx.net>
To: "SpamAssassin list" <us...@spamassassin.apache.org>
Sent: Monday, September 13, 2004 11:51 AM
Subject: Re: SPF and spammers


> But still, my recommendation is to use an SPF pass to decrease the spam
> score and to not use SPF fails to blacklist.

That would be a very bad idea, since more spammers have created SPF records
than legitimate domains (been lots of information about this in the tech
press lately).  I would not give any benefit to SPF pass, but would
certainly penalize SPF fail.

Bill


Re: SPF and spammers

Posted by John Hardin <jo...@aproposretail.com>.
On Mon, 2004-09-13 at 11:51, Codger wrote:
> But still, my recommendation is to use an SPF pass to decrease the spam 
> score and to not use SPF fails to blacklist.

You're still misinterpreting my idea.

1) a message passes SPF (sender verified);

2) SA classifies the message as spam;

3) something looks up corresponding SPF record and blacklists or
high-scores the servers listed in the SPF record.

SPF Fails don't enter into it at all.

The assumption was that spammers would list all hosts from which they
send spam, so that would be a way to block them before they started
sending spams.

The FP problem is probably insurmountable, and the gain is too small to
justify manual vetting, and the assumption of spammer stupidity too
optimistic.

--
John Hardin  KA7OHZ                           <jo...@aproposretail.com>
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
-----------------------------------------------------------------------
 If you smash a computer to bits with a mallet, that appears to count
 as encryption in the state of Nevada.
                                               - CRYPTO-GRAM 12/2001
-----------------------------------------------------------------------


Re: SPF and spammers

Posted by Codger <li...@pmbx.net>.
But still, my recommendation is to use an SPF pass to decrease the spam 
score and to not use SPF fails to blacklist.

On Sep 13, 2004, at 1:39 PM, Kelson wrote:

> You're misunderstanding.  The suggestion was to take spam that passed 
> SPF, look for the other servers listed in that SPF record, and add 
> those servers to a blacklist.
>
> 1. Spam comes in from dirtbag.tld via mail.dirtbag.tld
> 2. SPF record for dirtbag.tld lists both mail.dirtbag.tld and 
> mail.yahoo.com as valid senders (even though they can't actually send 
> through Yahoo): "v=spf1 a:mail.dirtbag.tld a:mail.yahoo.com -all"
> 3. Your mail server recognizes that (a) it's spam, and (b) it passes 
> SPF.
> 4. As per the original suggestion, check that SPF records for 
> blacklist material, and you add mail.dirtbag.tld and mail.yahoo.com to 
> your blacklist.
> 5. Next time mail comes in from mail.yahoo.com, it's blocked.
>
> Of course, there's no reason for spammers to put bogus info in their 
> SPF records *unless* people do this, since if people use it as 
> designed, it won't gain them anything.  Although I can see them just 
> putting up "v=spf1 +all" at least short-term so that they can use 
> their usual zombie networks, though at least they'd have to use their 
> own addresses and deal with the bounces themselves.
>

Kindest regards,

Ron

"What shall we do? What shall we do?" he cried, "Escaping goblins to be 
caught by wolves!" - Bilbo Baggins

The Hobbit by J. R. R. Tolkien
http://www.apple.com/trailers/newline/returnoftheking/trailer_large.html


Re: SPF and spammers

Posted by Kelson <ke...@speed.net>.
Codger wrote:
> I don't think it would make any difference if the spammer listed any 
> other servers in HIS DNS SPF records. Your server won't look at his DNS 
> for yahoo's SPF records. That's what SPF is all about. It gives the 
> owner of the domain name exclusive ability to say who is and is not a 
> valid sender for that domain.

You're misunderstanding.  The suggestion was to take spam that passed 
SPF, look for the other servers listed in that SPF record, and add those 
servers to a blacklist.

1. Spam comes in from dirtbag.tld via mail.dirtbag.tld
2. SPF record for dirtbag.tld lists both mail.dirtbag.tld and 
mail.yahoo.com as valid senders (even though they can't actually send 
through Yahoo): "v=spf1 a:mail.dirtbag.tld a:mail.yahoo.com -all"
3. Your mail server recognizes that (a) it's spam, and (b) it passes SPF.
4. As per the original suggestion, check that SPF records for blacklist 
material, and you add mail.dirtbag.tld and mail.yahoo.com to your blacklist.
5. Next time mail comes in from mail.yahoo.com, it's blocked.

Of course, there's no reason for spammers to put bogus info in their SPF 
records *unless* people do this, since if people use it as designed, it 
won't gain them anything.  Although I can see them just putting up 
"v=spf1 +all" at least short-term so that they can use their usual 
zombie networks, though at least they'd have to use their own addresses 
and deal with the bounces themselves.

-- 
Kelson Vibber
SpeedGate Communications <www.speed.net>
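The five steps above, plus Mike Burger's "v=spf1 a mx -all" record, worked through in an added Python example (not code from the thread or from SpamAssassin) over a constructed, offline DNS table. Every domain, address and record in it is made up for the demo; the point is that a check only ever consults the sending domain's own record, while harvesting the hosts a spam's record names would sweep in Yahoo's MX exactly as described.

```python
"""Minimal SPF (v=spf1) evaluator over a constructed, offline DNS table.

Added example, not code from the thread or from SpamAssassin. It walks
Kelson's five steps: an SPF check consults only the *sending* domain's
record, so dirtbag.tld naming mail.yahoo.com in its record changes nothing
about mail from yahoo.com; but harvesting the hosts named in the spam's
record, as the withdrawn proposal suggested, would blacklist Yahoo's MX.
All domain names, IPs and records here are constructed for the demo.
"""
import ipaddress

# Constructed DNS: TXT (SPF), A and MX records keyed by name.
DNS = {
    "dirtbag.tld": {"TXT": "v=spf1 a:mail.dirtbag.tld a:mail.yahoo.com -all"},
    "mail.dirtbag.tld": {"A": ["192.0.2.10"]},
    "yahoo.com": {"TXT": "v=spf1 mx -all", "MX": ["mail.yahoo.com"]},
    "mail.yahoo.com": {"A": ["198.51.100.25"]},
    # Mike Burger's style of record: the A host and the MX hosts may both send.
    "bubbanfriends.org": {"TXT": "v=spf1 a mx -all", "A": ["203.0.113.5"],
                          "MX": ["burgers.bubbanfriends.org"]},
    "burgers.bubbanfriends.org": {"A": ["203.0.113.6"]},
    "zombie.tld": {"TXT": "v=spf1 +all"},      # the "anything goes" record Kelson mentions
    "nospf.example": {"A": ["203.0.113.99"]},  # publishes no policy at all
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get(name, {}).get(rtype, [])


def parse_record(record):
    """Yield (qualifier, mechanism, argument) for each term of an spf1 record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an spf1 record: %r" % record)
    for term in terms[1:]:
        qual = "+"                       # an unqualified mechanism means "pass"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        yield qual, mech.lower(), arg


def designated_networks(mech, arg, domain):
    """IP networks one mechanism designates as permitted senders for domain."""
    if mech == "a":
        return [ipaddress.ip_network(ip) for ip in lookup(arg or domain, "A")]
    if mech == "mx":
        return [ipaddress.ip_network(ip)
                for mx in lookup(arg or domain, "MX") for ip in lookup(mx, "A")]
    if mech == "ip4":
        return [ipaddress.ip_network(arg, strict=False)]
    return []                            # include/all are handled by the caller


def check_spf(domain, client_ip, depth=0):
    """Result of checking client_ip against *domain's own* record, nothing else."""
    record = DNS.get(domain, {}).get("TXT")
    if record is None:
        return "none"                    # no policy published: nothing to act on
    if depth > 10:
        return "permerror"               # guard against include: loops
    ip = ipaddress.ip_address(client_ip)
    for qual, mech, arg in parse_record(record):
        if mech == "all":
            matched = True
        elif mech == "include":
            matched = check_spf(arg, client_ip, depth + 1) == "pass"
        else:
            matched = any(ip in net for net in designated_networks(mech, arg, domain))
        if matched:
            return QUALIFIER[qual]       # first matching mechanism decides
    return "neutral"                     # fell off the end of the record


def hosts_named_in_record(domain):
    """Every address domain's record designates: what the withdrawn proposal
    would have blacklisted after a single SPF-passing spam from domain."""
    record = DNS.get(domain, {}).get("TXT", "v=spf1")
    found = set()
    for _qual, mech, arg in parse_record(record):
        for net in designated_networks(mech, arg, domain):
            found.add(str(net.network_address) if net.num_addresses == 1 else str(net))
    return sorted(found)


if __name__ == "__main__":
    # Steps 1-3: the spam really does come from dirtbag.tld's listed host.
    print("spam from dirtbag.tld:", check_spf("dirtbag.tld", "192.0.2.10"))   # pass
    # The same host claiming yahoo.com is judged by yahoo.com's record: fail.
    print("same host as yahoo.com:", check_spf("yahoo.com", "192.0.2.10"))    # fail
    # Step 4: harvesting the record's hosts sweeps in Yahoo's real MX ...
    print("harvested:", hosts_named_in_record("dirtbag.tld"))
    # ... step 5: which genuinely passes SPF for yahoo.com and would be blocked.
    print("real Yahoo mail:", check_spf("yahoo.com", "198.51.100.25"))        # pass
```

A "Fail" result here is the one outcome the record's owner has unambiguously asserted; a "none" carries no information, which is Greg's point further down the thread.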


Re: Medicine sites

Posted by Simon Gate <si...@noir.se>.
Sense of humor. :)

* jdow <jd...@earthlink.net> [2004-09-11 23:30:06 -0700]:

> <non-poco alert>
> Please do remember that half the population has an IQ below 100.
> Please also note that most denizens of this list probably fall into
> the above 120 to below infinity crowd. Note also that this does not
> mean they can't get it. It just means there is a serious time lag in
> their thinking processes that may lead to them acting before the
> thinking process completes. This often leads to tragic results. Be
> thankful that they exist. They are well suited to perform jobs that
> would drive most of us utterly starkers within 1 hour. They also provide
> a handy market for old "Gilligan's Island" tapes.
> 
> And now that I've let my wretched sense of humor run to excess, I'll go
> bang my head against my cell's padded wall in penance.
> 
> {^_^}
> ----- Original Message ----- 
> From: "Predrag Lezaic" <pl...@lutefisktechnologies.com>
> 
> 
> > Are there really people that will buy their medicine from a site with 
> > name like this? http://oaktjtxa.efkdblh.info
> > 
> > Predrag
> > 
> > >

-- 
 Simon Gate
 simon@noir.se


Re: Medicine sites

Posted by jdow <jd...@earthlink.net>.
<non-poco alert>
Please do remember that half the population has an IQ below 100.
Please also note that most denizens of this list probably fall into
the above 120 to below infinity crowd. Note also that this does not
mean they can't get it. It just means there is a serious time lag in
their thinking processes that may lead to them acting before the
thinking process completes. This often leads to tragic results. Be
thankful that they exist. They are well suited to perform jobs that
would drive most of us utterly starkers within 1 hour. They also provide
a handy market for old "Gilligan's Island" tapes.

And now that I've let my wretched sense of humor run to excess, I'll go
bang my head against my cell's padded wall in penance.

{^_^}
----- Original Message ----- 
From: "Predrag Lezaic" <pl...@lutefisktechnologies.com>


> Are there really people that will buy their medicine from a site with 
> name like this? http://oaktjtxa.efkdblh.info
> 
> Predrag
> 
> >


Medicine sites

Posted by Predrag Lezaic <pl...@lutefisktechnologies.com>.
Are there really people that will buy their medicine from a site with 
name like this? http://oaktjtxa.efkdblh.info

Predrag

>


Re: SPF and spammers

Posted by Codger <li...@pmbx.net>.
On Sep 11, 2004, at 12:06 PM, Tom Meunier wrote:

> If the spammer isn't authoritative for your domain, they can list 
> everything in the universe as an MX record and it would never be 
> checked.  Unless the spammer owns one of the three name servers that
> is authoritative for bubbanfriends.org, in which case they can do it.
>
> Non-authoritative answer:
> bubbanfriends.org       text =
>
>        "v=spf1 a mx -all"
>
> bubbanfriends.org       nameserver = ns.nanetworks.net
> bubbanfriends.org       nameserver = ns1.nanetworks.net
> bubbanfriends.org       nameserver = burgers.bubbanfriends.org

Exactly my point.

>
>
> By the way, why are we discussing SPF on a SpamAssassin list?  This 
> stuff is all probably a FAQ over in SPF-ville.

Because someone was trying to use SPF as a blacklist in SA. An SPF fail 
should always be considered better than a blacklisted source, since it's
real time and the spammer won't know if you're using it or not.

I use SPF though at the MTA level so SPF fails never get to SA. But 
perhaps the lack of an SPF could be pointworthy in SA (or really the 
reverse... if there IS an SPF then there is a negative point). This 
could be helpful in reducing false positives.

Kindest regards,

Ron

"What shall we do? What shall we do?" he cried, "Escaping goblins to be 
caught by wolves!" - Bilbo Baggins

The Hobbit by J. R. R. Tolkien
http://www.apple.com/trailers/newline/returnoftheking/trailer_large.html


Re: SPF and spammers

Posted by Tom Meunier <to...@mvps.org>.
Mike Burger wrote:

>The problem, however, is that SPF's usability also relies on MX records.  
>In my case, I have 2 MX records, and my SPF record is set up thusly:
>
>"v=spf1 a mx -all"
>
>Essentially saying that all my MX records are valid senders, as well.
>
>All the spammer has to do is list those servers as MX records (whether or 
>not they'll accept inbound mail is irrelevant for the discussion at hand), 
>set up their SPF record like above, and essentially create an effective 
>DoS for mail from those servers.
>
>  
>
If the spammer isn't authoritative for your domain, they can list 
everything in the universe as an MX record and it would never be 
checked.  Unless the spammer owns one of the three name servers that is
authoritative for bubbanfriends.org, in which case they can do it.

Non-authoritative answer:
bubbanfriends.org       text =

        "v=spf1 a mx -all"

bubbanfriends.org       nameserver = ns.nanetworks.net
bubbanfriends.org       nameserver = ns1.nanetworks.net
bubbanfriends.org       nameserver = burgers.bubbanfriends.org


By the way, why are we discussing SPF on a SpamAssassin list?  This 
stuff is all probably a FAQ over in SPF-ville.

-- 
-tom

Re: SPF and spammers

Posted by Mike Burger <mb...@bubbanfriends.org>.
On Sat, 11 Sep 2004, Codger wrote:

> I don't think it would make any difference if the spammer listed any 
> other servers in HIS DNS SPF records. Your server won't look at his DNS 
> for yahoo's SPF records. That's what SPF is all about. It gives the 
> owner of the domain name exclusive ability to say who is and is not a 
> valid sender for that domain.
> 
> So an SPF fail is significant and should score so high in and of itself 
> that it is essentially a realtime blacklisting without creating a 
> realtime blacklist. As to DOS, what more will spammers do anyway that 
> they don't already do? You can easily make an SPF failed email just die 
> without them even knowing it!

The problem, however, is that SPF's usability also relies on MX records.  
In my case, I have 2 MX records, and my SPF record is set up thusly:

"v=spf1 a mx -all"

Essentially saying that all my MX records are valid senders, as well.

All the spammer has to do is list those servers as MX records (whether or 
not they'll accept inbound mail is irrelevant for the discussion at hand), 
set up their SPF record like above, and essentially create an effective 
DoS for mail from those servers.

-- 
Mike Burger
http://www.bubbanfriends.org

Visit the Dog Pound II BBS
telnet://dogpound2.citadel.org or http://dogpound2.citadel.org

To be notified of updates to the web site, visit 
http://www.bubbanfriends.org/mailman/listinfo/site-update, or send a 
message to:

site-update-request@bubbanfriends.org

with a message of: 

subscribe

Re: SPF and spammers

Posted by Codger <li...@pmbx.net>.
I don't think it would make any difference if the spammer listed any 
other servers in HIS DNS SPF records. Your server won't look at his DNS 
for yahoo's SPF records. That's what SPF is all about. It gives the 
owner of the domain name exclusive ability to say who is and is not a 
valid sender for that domain.

So an SPF fail is significant and should score so high in and of itself 
that it is essentially a realtime blacklisting without creating a 
realtime blacklist. As to DOS, what more will spammers do anyway that 
they don't already do? You can easily make an SPF failed email just die 
without them even knowing it!

On Sep 10, 2004, at 8:12 PM, Kelson wrote:

> John Hardin wrote:
>> A thought: now that spammers are using SPF to "legitimize" their 
>> email,
>> could *we* use it as a means to shut them down sooner?
>> I.E.: get an email that passes SPF, and scores high. Look at the
>> relevant SPF record and blacklist/high-score all of the hosts it 
>> states
>> are valid sources for that sender domain.
>
> Bad, *bad* idea.  You're inviting DOSes.  Given that the spammer has 
> control of his own SPF record, he can list anything he wants there -- 
> say, 3 of his own servers followed by *Yahoo's* mail servers.  Bang, 
> he's tricked you into blacklisting Yahoo.
>
> -- 
> Kelson Vibber
> SpeedGate Communications <www.speed.net>
>
>

Kindest regards,

Ron

"What shall we do? What shall we do?" he cried, "Escaping goblins to be 
caught by wolves!" - Bilbo Baggins

The Hobbit by J. R. R. Tolkien
http://www.apple.com/trailers/newline/returnoftheking/trailer_large.html


Re: SPF and spammers

Posted by Kelson <ke...@speed.net>.
John Hardin wrote:
> A thought: now that spammers are using SPF to "legitimize" their email,
> could *we* use it as a means to shut them down sooner?
> 
> I.E.: get an email that passes SPF, and scores high. Look at the
> relevant SPF record and blacklist/high-score all of the hosts it states
> are valid sources for that sender domain.

Bad, *bad* idea.  You're inviting DOSes.  Given that the spammer has 
control of his own SPF record, he can list anything he wants there -- 
say, 3 of his own servers followed by *Yahoo's* mail servers.  Bang, 
he's tricked you into blacklisting Yahoo.

-- 
Kelson Vibber
SpeedGate Communications <www.speed.net>


Re: SPF and spammers

Posted by jdow <jd...@earthlink.net>.
From: "John Hardin" <jo...@aproposretail.com>

> A thought: now that spammers are using SPF to "legitimize" their email,
> could *we* use it as a means to shut them down sooner?
> 
> I.E.: get an email that passes SPF, and scores high. Look at the
> relevant SPF record and blacklist/high-score all of the hosts it states
> are valid sources for that sender domain.
> 
> Well? FP problems maybe. Sufficient benefit to pursue?
> 
> --
> John Hardin  KA7OHZ                           <jo...@aproposretail.com>

Get over the concept of using SPF as a validation of anything other than
the address from which the email was sent. Spam filters still have the
responsibility to validate THAT address against spam address lists. SPF
may make this easier because forged addresses go away. That means botnet
spamming will probably cease as well. But the spam filters still need to
decide if a given "yes, indeed, it came from this location" email is from
a spammer location or not.
{^_^}



Re: SPF and spammers

Posted by Satya <sa...@thesatya.com>.
On Sep 10, 2004 at 16:52, John Hardin wrote:

>A thought: now that spammers are using SPF to "legitimize" their email,
>could *we* use it as a means to shut them down sooner?

That's the point, as I understand it.

>I.E.: get an email that passes SPF, and scores high. Look at the
>relevant SPF record and blacklist/high-score all of the hosts it states
>are valid sources for that sender domain.

As Kelson said, this would cause unacceptable FP problems. Unless
someone eyeballed it first.

-- 
Satya. http://www.thesatya.com/
All wiyht.  Rho sritched mg kegtops awound ?