Posted to users@spamassassin.apache.org by Julian Yap <ju...@gmail.com> on 2011/10/05 23:01:12 UTC
Blacklisting based on SPF
I've noticed some trojans with addresses from usps.com slip through.
Does anyone blacklist based on SPF?
I took a look at the source for SpamAssassin/Plugin/SPF.pm but it only has
evaluation rules for whitelisting:
$self->register_eval_rule ("check_for_spf_whitelist_from");
$self->register_eval_rule ("check_for_def_spf_whitelist_from");
Thanks,
Julian
Re: Blacklisting based on SPF
Posted by Benny Pedersen <me...@junc.org>.
On Wed, 5 Oct 2011 11:01:12 -1000, Julian Yap wrote:
> I've noticed some trojans with addresses from usps.com slip through.
ups.com ?
> Does anyone blacklist based on SPF?
not needed since all spf domains are blacklisted, and scored neutral in
spamassassin, until you use whitelist_from_spf or def_whitelist_from_spf
sender email, and it will only give negative score if it's passing
also remember From: is not envelope sender, does spf use that header in
your test ?
if it does then your spf test is broken
have you set envelope_sender_header in local.cf ?
perldoc Mail::SpamAssassin::Conf
> I took a look at the source for SpamAssassin/Plugin/SPF.pm but it only
> has evaluation rules for whitelisting:
> $self->register_eval_rule ("check_for_spf_whitelist_from");
> $self->register_eval_rule ("check_for_def_spf_whitelist_from");
it's not needed to have blacklist
Re: Blacklisting based on SPF
Posted by Michael Scheidell <mi...@secnap.com>.
On 10/5/11 5:01 PM, Julian Yap wrote:
> I've noticed some trojans with addresses from usps.com slip through.
>
> Does anyone blacklist based on SPF?
>
> I took a look at the source for SpamAssassin/Plugin/SPF.pm but it only
> has evaluation rules for whitelisting:
> $self->register_eval_rule ("check_for_spf_whitelist_from");
> $self->register_eval_rule ("check_for_def_spf_whitelist_from");
>
> Thanks,
> Julian
>
I tried blacklist_from *@usps.com with a whitelist_from. (would even
themselves out...)
problem is.. if I send to xmail, and xmail fwds (incorrectly), OR, dns
doesn't answer in time, you lose email.
best to write a metarule. put your def_ whitelist from (7 points), and
set up some metarules.
--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
SECNAP Network Security Corporation
Re: Blacklisting based on SPF
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>On Wed, 12 Oct 2011 16:08:12 +0200, Matus UHLAR - fantomas wrote:
>>was this changed or you just continue FUDding?
On 12.10.11 16:18, Benny Pedersen wrote:
>From: header is NOT envelope-from header, stop fuding self
From: is _NOT_ "mail from:" and since DKIM has nothing to do with mail from:,
I don't see how forwarding could break DKIM, unless modifying message
content (From: header) which I was not talking about.
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
WinError #99999: Out of error messages.
Re: Blacklisting based on SPF
Posted by Benny Pedersen <me...@junc.org>.
On Wed, 12 Oct 2011 16:08:12 +0200, Matus UHLAR - fantomas wrote:
> was this changed or you just continue FUDding?
From: header is NOT envelope-from header, stop fuding self
Re: Blacklisting based on SPF
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>On Tue, 11 Oct 2011 17:14:06 +0200, Matus UHLAR - fantomas wrote:
>
>>(and possibly list of forwarders who do not rewrite mail from)
On 11.10.11 21:03, Benny Pedersen wrote:
>breaks dkim, and installations that use from: as envelope sender
>header ask for troubles
cite from rfc4686:
DKIM operates entirely on the content (body and selected header
fields) of the message, as defined in RFC 2822 [RFC2822]. The
transmission of messages via SMTP, defined in RFC 2821 [RFC2821], and
such elements as the envelope-from and envelope-to addresses and the
HELO domain are not relevant to DKIM verification.
was this changed or you just continue FUDding?
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Christian Science Programming: "Let God Debug It!".
Re: Blacklisting based on SPF
Posted by Benny Pedersen <me...@junc.org>.
On Tue, 11 Oct 2011 17:14:06 +0200, Matus UHLAR - fantomas wrote:
> (and possibly list of forwarders who do not rewrite mail from)
breaks dkim, and installations that use from: as envelope sender header
ask for troubles
Re: Blacklisting based on SPF
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 05.10.11 11:01, Julian Yap wrote:
>I've noticed some trojans with addresses from usps.com slip through.
>
>Does anyone blacklist based on SPF?
According to SPF definition, all mail that fails SPF check, is forged
and therefore it should be rejected (in case of FAIL result), or very
carefully checked.
In reality, there are problems related to
- mail forwarders who can't tag the mail as forwarded (and thus, they
in fact fake the envelope sender)
- misconfigured SPF and misconfigured mailers of companies who do
not understand the SPF principle and outsource the mailers outside
usually, people do what you want either by defining their own rule,
but as it turns out, having something like SPF blacklist would be a
good idea.
(and possibly list of forwarders who do not rewrite mail from)
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
LSD will make your ECS screen display 16.7 million colors
Re: Blacklisting based on SPF
Posted by Benny Pedersen <me...@junc.org>.
On Thu, 6 Oct 2011 21:09:59 -0400, David F. Skoll wrote:
> SPF is most effective when used judiciously for specific domains.
> It's
> pretty useless to make blanket SPF rules that cover unknown domains.
whitelist_from_spf rules ? :-)
my rule of thumb is:
def_whitelist_from_spf *@example.org
whitelist_from_spf user@example.net
so give more negative scores to more restricted spf pass
Re: Blacklisting based on SPF
Posted by Benny Pedersen <me...@junc.org>.
On Thu, 6 Oct 2011 22:49:47 -1000, Julian Yap wrote:
> What do your rules look like for this scenario?
blacklist_from *@example.org
whitelist_from_spf *@example.org
adjust so blacklist score will be neutral for spf pass users
don't use *@example.org if you need to have strict whitelist of specific
sender
so if spf fails it will be added blacklist_from score, if spf pass it's
neutral score
Re: Blacklisting based on SPF
Posted by "David F. Skoll" <df...@roaringpenguin.com>.
On Thu, 6 Oct 2011 22:49:47 -1000
Julian Yap <ju...@gmail.com> wrote:
> What do your rules look like for this scenario? [blocking for SPF
> fail for select domains.]
Ah, well. We don't implement those policies with SpamAssassin, so I can't
post anything useful.
Regards,
David.
Re: Blacklisting based on SPF
Posted by Ned Slider <ne...@unixmail.co.uk>.
On 07/10/11 13:27, Daniel McDonald wrote:
>
> Something like this Unverified Yahoo rule I shamelessly stole from Mark
> Martinec:
>
I have some similar rules...
> header __L_FROM_Y1 From:addr =~ m{[@.]yahoo\.com$}i
> header __L_FROM_Y2 From:addr =~ m{\@yahoo\.com\.(ar|br|cn|hk|my|sg)$}i
> header __L_FROM_Y3 From:addr =~ m{\@yahoo\.co\.(id|in|jp|nz|uk)$}i
> header __L_FROM_Y4 From:addr =~ m{\@yahoo\.(ca|de|dk|es|fr|gr|ie|it|pl|se)$}i
and thought I'd share my updated list of Yahoo TLDs as you're missing a few:
header __LOCAL_FROM_YAHOO1 From:addr =~ /\@yahoo\.com\.(ar|br|cn|hk|mx|my|ph|sg)$/i
header __LOCAL_FROM_YAHOO2 From:addr =~ /\@yahoo\.co\.(id|in|jp|nz|th|uk)$/i
header __LOCAL_FROM_YAHOO3 From:addr =~ /\@yahoo\.(ca|cn|de|dk|es|fr|gr|ie|in|it|pl|ru|se)$/i
Re: Blacklisting based on SPF
Posted by Daniel McDonald <da...@austinenergy.com>.
On 10/7/11 3:49 AM, "Julian Yap" <ju...@gmail.com> wrote:
> On Thu, Oct 6, 2011 at 3:09 PM, David F. Skoll <df...@roaringpenguin.com> wrote:
>> On 7 Oct 2011 00:28:49 -0000
>> "John Levine" <jo...@taugh.com> wrote:
>>
>>>> Does anyone blacklist based on SPF?
>>
>>> Nobody with any interest in delivering the mail that their users want.
>>> The error rate is much, much too high.
>>
>> It depends. I very confidently blacklist mail from "roaringpenguin.com"
>> that fails to pass SPF. That's my own domain, of course.
>
> What do your rules look like for this scenario?
>
Something like this Unverified Yahoo rule I shamelessly stole from Mark
Martinec:
header __L_ML1 Precedence =~ m{\b(list|bulk)\b}i
header __L_ML2 exists:List-Id
header __L_ML3 exists:List-Post
header __L_ML4 exists:Mailing-List
header __L_HAS_SNDR exists:Sender
meta __L_VIA_ML __L_ML1 || __L_ML2 || __L_ML3 || __L_ML4 || __L_HAS_SNDR
header __L_FROM_Y1 From:addr =~ m{[@.]yahoo\.com$}i
header __L_FROM_Y2 From:addr =~ m{\@yahoo\.com\.(ar|br|cn|hk|my|sg)$}i
header __L_FROM_Y3 From:addr =~ m{\@yahoo\.co\.(id|in|jp|nz|uk)$}i
header __L_FROM_Y4 From:addr =~ m{\@yahoo\.(ca|de|dk|es|fr|gr|ie|it|pl|se)$}i
meta __L_FROM_YAHOO __L_FROM_Y1 || __L_FROM_Y2 || __L_FROM_Y3 || __L_FROM_Y4
header __L_FROM_GMAIL From:addr =~ m{\@gmail\.com$}i
meta L_UNVERIFIED_YAHOO !DKIM_VALID && !DKIM_VALID_AU && __L_FROM_YAHOO && !__L_VIA_ML
priority L_UNVERIFIED_YAHOO 500
score L_UNVERIFIED_YAHOO 2.5
meta L_UNVERIFIED_GMAIL !DKIM_VALID && !DKIM_VALID_AU && __L_FROM_GMAIL && !__L_VIA_ML
priority L_UNVERIFIED_GMAIL 500
score L_UNVERIFIED_GMAIL 2.5
It would be nice to have a construct like "blacklist_unless_spf" or
"blacklist_unless_auth" that did all of this for me...
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281
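A per-domain SPF rule of the kind asked about in this thread, as an added example that is not from any poster and not part of SpamAssassin's shipped configuration. It sets the blacklist_from/whitelist_from_spf pairing beside a meta rule that fires only on an explicit SPF fail or softfail. The rule names `__L_ENV_PROT`, `__L_SPF_BAD` and `L_PROT_SPF_FAIL`, the domain example.com, the address 192.0.2.10 and the score are assumptions; `SPF_FAIL` and `SPF_SOFTFAIL` are the stock SPF plugin rules.

```conf
# Constructed example for local.cf. example.com and 192.0.2.10 are placeholders.

# Pairing discussed in the thread, shown for comparison and left commented out.
# The blacklist entry hits every message using the address and only an SPF
# pass cancels it. A DNS timeout or an unrewritten forward gives no pass, so
# wanted mail keeps the full blacklist score.
#
# blacklist_from      *@example.com
# whitelist_from_spf  *@example.com

# Meta-rule alternative.
# SPF evaluates the envelope sender (MAIL FROM), not the From: header, so the
# domain test is made on EnvelopeFrom. This needs the MTA to record the
# envelope sender (see envelope_sender_header in Mail::SpamAssassin::Conf).
header   __L_ENV_PROT      EnvelopeFrom:addr =~ /\@(?:[a-z0-9-]+\.)*example\.com$/i

# Only an explicit fail or softfail counts. A lookup that times out or finds
# no SPF record hits neither stock rule, so no penalty is applied.
meta     __L_SPF_BAD       SPF_FAIL || SPF_SOFTFAIL

meta     L_PROT_SPF_FAIL   __L_ENV_PROT && __L_SPF_BAD
describe L_PROT_SPF_FAIL   Envelope sender in protected domain, SPF fail or softfail
score    L_PROT_SPF_FAIL   4.0

# A forwarder or inbound filtering service that relays without rewriting the
# envelope sender is listed in trusted_networks, as suggested in the thread,
# so that SPF is evaluated against the last untrusted relay instead of the
# forwarder's own address.
trusted_networks 192.0.2.10
```

The rule keys on the envelope sender only; mail that forges just the From: header under an unrelated envelope sender is the case the DKIM-based rules in the post above cover.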
Re: Blacklisting based on SPF
Posted by Julian Yap <ju...@gmail.com>.
On Thu, Oct 6, 2011 at 3:09 PM, David F. Skoll <df...@roaringpenguin.com> wrote:
> On 7 Oct 2011 00:28:49 -0000
> "John Levine" <jo...@taugh.com> wrote:
>
> > >Does anyone blacklist based on SPF?
>
> > Nobody with any interest in delivering the mail that their users want.
> > The error rate is much, much too high.
>
> It depends. I very confidently blacklist mail from "roaringpenguin.com"
> that fails to pass SPF. That's my own domain, of course.
>
> With somewhat less (but still pretty high) confidence, I block mail
> from paypal.com and ebay.com if it fails SPF (including "softfail")
>
> SPF is most effective when used judiciously for specific domains. It's
> pretty useless to make blanket SPF rules that cover unknown domains.
>
>
What do your rules look like for this scenario?
Julian
Re: Blacklisting based on SPF
Posted by "David F. Skoll" <df...@roaringpenguin.com>.
On 7 Oct 2011 00:28:49 -0000
"John Levine" <jo...@taugh.com> wrote:
> >Does anyone blacklist based on SPF?
> Nobody with any interest in delivering the mail that their users want.
> The error rate is much, much too high.
It depends. I very confidently blacklist mail from "roaringpenguin.com"
that fails to pass SPF. That's my own domain, of course.
With somewhat less (but still pretty high) confidence, I block mail
from paypal.com and ebay.com if it fails SPF (including "softfail")
SPF is most effective when used judiciously for specific domains. It's
pretty useless to make blanket SPF rules that cover unknown domains.
Regards,
David.
Re: Blacklisting based on SPF
Posted by Benny Pedersen <me...@junc.org>.
On Mon, 10 Oct 2011 07:00:48 -0700, Marc Perkel wrote:
> All forwarded email would fail SPF testing. You would be blocking
> all hosted spam filtering services for example.
this is easy to solve in spf or add the forwarding mta sender ip to
spamassassin trusted_networks, reject msg ALWAYS says this to sender
that are being rejected, fail is not a spf fault, i still not needing
forwarded emails at all and i know how to do this from mail host i need
forward from, if spf is so damn hard to use correct then use dkim :)
Re: Blacklisting based on SPF
Posted by "David F. Skoll" <df...@roaringpenguin.com>.
On Mon, 10 Oct 2011 07:00:48 -0700
Marc Perkel <su...@junkemailfilter.com> wrote:
[Blocking SPF "fail" mail]
> All forwarded email would fail SPF testing. You would be blocking
> all hosted spam filtering services for example.
Nonsense. If someone uses a hosted spam filtering service for inbound mail,
then that person should turn off SPF checking on the back-end completely;
checking SPF and applying policy is the job of the hosted spam filter.
(If you're using a hosted anti-spam service that does *not* allow you
to apply fine-grained SPF policies, then it's time to switch.)
If someone uses a hosted filtering service for outbound mail, then
he/she just needs to publish appropriate SPF records listing the service's
egress IP addresses.
Regards,
David.
Re: Blacklisting based on SPF
Posted by Marc Perkel <su...@junkemailfilter.com>.
On 10/11/2011 6:49 AM, Matus UHLAR - fantomas wrote:
>>> On 7 Oct 2011 00:28:49 -0000, John Levine wrote:
>>>> Nobody with any interest in delivering the mail that their users want.
>>>> The error rate is much, much too high.
>
>> On 10/7/2011 12:50 AM, Benny Pedersen wrote:
>>> how ?
>
> On 10.10.11 07:00, Marc Perkel wrote:
>> All forwarded email would fail SPF testing. You would be blocking
>> all hosted spam filtering services for example.
>
> FUD and bullshit.
>
> such forwarding will break SPF iff the forwarder does not change the
> mail from: address, and in such case it FAKES the return path, since
> it's not the original sender who sent the mail, it's the recipient.
> Whoever wishes to get mail forwarded through mailbox that does not
> this kind of rewriting, should configure the forwarder as
> trusted/internal for this case.
>
http://www.openspf.org/FAQ/Forwarding
--
Marc Perkel - Sales/Support
support@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400
Re: Blacklisting based on SPF
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>On Tue, 11 Oct 2011 15:49:36 +0200, Matus UHLAR - fantomas wrote:
>>such forwarding will break SPF iff the forwarder does not change the
>>mail from: address, and in such case it FAKES the return path, since
>>it's not the original sender who sent the mail, it's the recipient.
On 11.10.11 20:55, Benny Pedersen wrote:
>it breaks dkim if anything is changed, this is not fud
Well,
- SPF is not DKIM
- DKIM is broken if someone changes the mail content, not the envelope
address.
according to some discussions the DKIM seems to have problems with mail
reformatting by courier MTA. Maybe the specification could be relaxed
to case insensitive checking of headers...
>>Whoever wishes to get mail forwarded through mailbox that does not
>>this kind of rewriting, should configure the forwarder as
>>trusted/internal for this case.
>
>only trusted_network for the forwarding mta is needed to make spf work
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Silvester Stallone: Father of the RISC concept.
Re: Blacklisting based on SPF
Posted by Benny Pedersen <me...@junc.org>.
On Tue, 11 Oct 2011 15:49:36 +0200, Matus UHLAR - fantomas wrote:
> such forwarding will break SPF iff the forwarder does not change the
> mail from: address, and in such case it FAKES the return path, since
> it's not the original sender who sent the mail, it's the recipient.
it breaks dkim if anything is changed, this is not fud
> Whoever wishes to get mail forwarded through mailbox that does not
> this kind of rewriting, should configure the forwarder as
> trusted/internal for this case.
only trusted_network for the forwarding mta is needed to make spf work
Re: Blacklisting based on SPF
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>>On 7 Oct 2011 00:28:49 -0000, John Levine wrote:
>>>Nobody with any interest in delivering the mail that their users want.
>>>The error rate is much, much too high.
>On 10/7/2011 12:50 AM, Benny Pedersen wrote:
>>how ?
On 10.10.11 07:00, Marc Perkel wrote:
>All forwarded email would fail SPF testing. You would be blocking
>all hosted spam filtering services for example.
FUD and bullshit.
such forwarding will break SPF iff the forwarder does not change the
mail from: address, and in such case it FAKES the return path, since
it's not the original sender who sent the mail, it's the recipient.
Whoever wishes to get mail forwarded through mailbox that does not do this
kind of rewriting, should configure the forwarder as trusted/internal for
this case.
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Chernobyl was an Windows 95 beta test site.
Re: Blacklisting based on SPF
Posted by Daniel McDonald <da...@austinenergy.com>.
On 10/10/11 9:00 AM, "Marc Perkel" <su...@junkemailfilter.com> wrote:
>
>
> On 10/7/2011 12:50 AM, Benny Pedersen wrote:
>> On 7 Oct 2011 00:28:49 -0000, John Levine wrote:
>>> Nobody with any interest in delivering the mail that their users want.
>>> The error rate is much, much too high.
>>
>> how ?
>>
>
> All forwarded email would fail SPF testing. You would be blocking all
> hosted spam filtering services for example.
"then you aren't doing it right".
If the hosted filtering is egress, then the address ranges of your egress
filter provider should be in your SPF statement.
If the hosted filtering is ingress, then the address ranges of your ingress
filter provider should be in your trusted-networks, so that spf will look at
the last-untrusted address for the source.
Mail-lists running on sane software will change the envelope address, so
there is no problem there.
So, what other bizarre corner cases are you talking about that break SPF?
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: Blacklisting based on SPF
Posted by Marc Perkel <su...@junkemailfilter.com>.
On 10/7/2011 12:50 AM, Benny Pedersen wrote:
> On 7 Oct 2011 00:28:49 -0000, John Levine wrote:
>> Nobody with any interest in delivering the mail that their users want.
>> The error rate is much, much too high.
>
> how ?
>
All forwarded email would fail SPF testing. You would be blocking all
hosted spam filtering services for example.
--
Marc Perkel - Sales/Support
support@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400
Suppressing backscatter (was Re: Blacklisting based on SPF)
Posted by "David F. Skoll" <df...@roaringpenguin.com>.
On Fri, 07 Oct 2011 20:47:48 +0100
Martin Gregorie <ma...@gregorie.org> wrote:
> And, at least for me, it's been good for suppressing backscatter: since
> I've had a good SPF record I've had almost none.
Really?? You are very lucky. We have an SPF record with a "-all"
clause and still get backscatter. I believe that so few SMTP servers
validate SPF that the amount of backscatter it actually reduces is tiny.
Regards,
David.
Re: Blacklisting based on SPF
Posted by Martin Gregorie <ma...@gregorie.org>.
On Fri, 2011-10-07 at 20:17 +0100, RW wrote:
> On Fri, 07 Oct 2011 20:39:24 +0200
> Robert Schetterer wrote:
>
> > in my case
> > there is so less left, passing postscreen, rbls, greylisting,
> > clamav-milter with sanesecurity and few other smtp checks, that nearly
> > null i.e
> > faked paypal mail getting at last to spamassassin where its stopped
> > mostly by other rules and rejected by spamass-milter, so using spf
> > check isnt hardly needed anymore,
>
> His point was that SPF isn't there to catch spam, it there to identify
> legitimate mail from selected domains, and prevent it being falsely
> identified as spam.
>
And, at least for me, it's been good for suppressing backscatter: since
I've had a good SPF record I've had almost none. That is all I use it
for.
Martin
Re: Blacklisting based on SPF
Posted by Dave Warren <li...@hireahit.com>.
On 10/7/2011 12:17 PM, RW wrote:
> On Fri, 07 Oct 2011 20:39:24 +0200
> Robert Schetterer wrote:
>
>> in my case
>> there is so less left, passing postscreen, rbls, greylisting,
>> clamav-milter with sanesecurity and few other smtp checks, that nearly
>> null i.e
>> faked paypal mail getting at last to spamassassin where its stopped
>> mostly by other rules and rejected by spamass-milter, so using spf
>> check isnt hardly needed anymore,
> His point was that SPF isn't there to catch spam, it there to identify
> legitimate mail from selected domains, and prevent it being falsely
> identified as spam.
That's pretty much it. I don't look at it as a spam blocking measure at
all, but rather, its utility is to avoid whitelisting forged mail.
Prior to SPF, I was apprehensive about whitelisting anything by domain
since domains can be trivially forged, especially if it's a well-known
domain (the domain of a household named company). By only applying
whitelist entries to mail that has a SPF or DKIM pass, I can whitelist
by sender address/domain indiscriminately without fear that a spammer
can take advantage of @paypal.com whitelists.
To me, false positives are a lot more important than filter misses.
Users will tolerate a bit of spam, but blocking even a single legitimate
message is unacceptable (yes, it's a real world risk, but it's still the
goal), so being able to whitelist safely (completely, or just with a
score) is critical.
--
Dave Warren, CEO
Hire A Hit Consulting Services
http://ca.linkedin.com/in/davejwarren
Re: Blacklisting based on SPF
Posted by RW <rw...@googlemail.com>.
On Fri, 07 Oct 2011 20:39:24 +0200
Robert Schetterer wrote:
> in my case
> there is so less left, passing postscreen, rbls, greylisting,
> clamav-milter with sanesecurity and few other smtp checks, that nearly
> null i.e
> faked paypal mail getting at last to spamassassin where its stopped
> mostly by other rules and rejected by spamass-milter, so using spf
> check isnt hardly needed anymore,
His point was that SPF isn't there to catch spam, it's there to identify
legitimate mail from selected domains, and prevent it being falsely
identified as spam.
Re: Blacklisting based on SPF
Posted by Robert Schetterer <ro...@schetterer.org>.
On 07.10.2011 20:24, Dave Warren wrote:
> On 10/7/2011 1:12 AM, Robert Schetterer wrote:
>> in my eyes the whole idea of spf was broken from beginning
>> but do what you want, no need for flame
>> in my real world it makes more problems then helping in antispam
>> i removed spf checks from my servers, in spamd its used with nearly no
>> points
>> there are better more effective ways to reject unwanted mails
>> but youre free, do it like you want, analyse your logs
>> then you will see, if it helps at your side
>> everbody has its own spam, there are less
>> universal recommands, antispam is daily work in analyse and reaction
>
> The trick with SPF is to stop using it for rejecting mail, it doesn't do
> a good job at that.
yep
> It's not really a spam-fighting technique at all,
> as much as an identification technique. What you do with that
yep
> identification is where it gets interesting; what it does do well is
> allow you to whitelist known-good (or at least wanted) senders, allowing
> you to exempt mail you know you want from expensive content filtering.
>
> PayPal is a good example, love 'em or hate 'em, there's no point running
> mail from PayPal through any sort of content based spam filtering, and
> SPF can tell you that a message claiming to be from PayPal really is
> from PayPal (but it can't reliably tell you that a message *isn't* from
> PayPal, due to forwarding, possible DNS problems, possible SPF
> configuration errors, etc)
in my case
there is so little left, passing postscreen, rbls, greylisting,
clamav-milter with sanesecurity and few other smtp checks, that nearly
null i.e
faked paypal mail getting at last to spamassassin where it's stopped
mostly by other rules and rejected by spamass-milter, so using spf check
isn't hardly needed anymore, until in most cases it's useless
or does make trouble, but feel free using spf-checks as you want
it may help in some setups
>
>
--
Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria
Re: Blacklisting based on SPF
Posted by Dave Warren <li...@hireahit.com>.
On 10/7/2011 1:12 AM, Robert Schetterer wrote:
> in my eyes the whole idea of spf was broken from beginning
> but do what you want, no need for flame
> in my real world it makes more problems then helping in antispam
> i removed spf checks from my servers, in spamd its used with nearly no
> points
> there are better more effective ways to reject unwanted mails
> but youre free, do it like you want, analyse your logs
> then you will see, if it helps at your side
> everbody has its own spam, there are less
> universal recommands, antispam is daily work in analyse and reaction
The trick with SPF is to stop using it for rejecting mail, it doesn't do
a good job at that. It's not really a spam-fighting technique at all,
as much as an identification technique. What you do with that
identification is where it gets interesting; what it does do well is
allow you to whitelist known-good (or at least wanted) senders, allowing
you to exempt mail you know you want from expensive content filtering.
PayPal is a good example, love 'em or hate 'em, there's no point running
mail from PayPal through any sort of content based spam filtering, and
SPF can tell you that a message claiming to be from PayPal really is
from PayPal (but it can't reliably tell you that a message *isn't* from
PayPal, due to forwarding, possible DNS problems, possible SPF
configuration errors, etc)
--
Dave Warren, CEO
Hire A Hit Consulting Services
http://ca.linkedin.com/in/davejwarren
Re: Blacklisting based on SPF
Posted by Robert Schetterer <ro...@schetterer.org>.
On 07.10.2011 10:03, Benny Pedersen wrote:
> On Fri, 07 Oct 2011 09:54:09 +0200, Robert Schetterer wrote:
>> but wouldnt recommend it anyway
>
> why would i like to whitelist a unknown spammer ?
>
> thinking more about it would get me mad :-)
>
>
in my eyes the whole idea of spf was broken from beginning
but do what you want, no need for flame
in my real world it makes more problems than helping in antispam
i removed spf checks from my servers, in spamd it's used with nearly no
points
there are better more effective ways to reject unwanted mails
but you're free, do it like you want, analyse your logs
then you will see, if it helps at your side
everybody has its own spam, there are less
universal recommendations, antispam is daily work in analyse and reaction
--
Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria
Re: Blacklisting based on SPF
Posted by Benny Pedersen <me...@junc.org>.
On Fri, 07 Oct 2011 09:54:09 +0200, Robert Schetterer wrote:
> but wouldnt recommend it anyway
why would i like to whitelist an unknown spammer ?
thinking more about it would get me mad :-)
Re: Blacklisting based on SPF
Posted by Robert Schetterer <ro...@schetterer.org>.
On 07.10.2011 09:50, Benny Pedersen wrote:
> On 7 Oct 2011 00:28:49 -0000, John Levine wrote:
>> Nobody with any interest in delivering the mail that their users want.
>> The error rate is much, much too high.
>
> how ?
>
>
good spammers, usually have valid spf dns entries
so if you want blacklist with spf do it selective
i.e with some milter
but wouldn't recommend it anyway
--
Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria
Re: Blacklisting based on SPF
Posted by Benny Pedersen <me...@junc.org>.
On 7 Oct 2011 00:28:49 -0000, John Levine wrote:
> Nobody with any interest in delivering the mail that their users
> want.
> The error rate is much, much too high.
how ?
Re: Blacklisting based on SPF
Posted by John Levine <jo...@taugh.com>.
In article <CA...@mail.gmail.com> you write:
>I've noticed some trojans with addresses from usps.com slip through.
>
>Does anyone blacklist based on SPF?
Nobody with any interest in delivering the mail that their users want.
The error rate is much, much too high.
R's,
John