Posted to users@spamassassin.apache.org by Marc Perkel <su...@junkemailfilter.com> on 2010/07/05 08:57:17 UTC

Re: How not to implement SPF (nationwide.co.uk)


On 6/30/2010 2:25 PM, RW wrote:
> On Wed, 30 Jun 2010 20:19:43 +0100
> Ned Slider <ne...@unixmail.co.uk> wrote:
>
>> so they have no SPF policy? Wrong, they do, but it's on their
>> email.barclays.co.uk subdomain as presumably that's the domain they
>> send mail from - but how are you supposed to know that if they don't
>> tell you?
>>
> I suppose they are being realistic about spf - that it's only really
> useful for whitelisting purposes.
>

It's not even useful for white listing as spammers can set up SPF too.

-- 
Marc Perkel - Sales/Support
support@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400


Re: How not to implement SPF (nationwide.co.uk)

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>> On Wed, 30 Jun 2010 20:19:43 +0100
>> Ned Slider <ne...@unixmail.co.uk> wrote:
>>> so they have no SPF policy? Wrong, they do, but it's on their
>>> email.barclays.co.uk subdomain as presumably that's the domain they
>>> send mail from - but how are you supposed to know that if they don't
>>> tell you?

> On 6/30/2010 2:25 PM, RW wrote:
>> I suppose they are being realistic about spf - that it's only really
>> useful for whitelisting purposes.

On 04.07.10 23:57, Marc Perkel wrote:
> It's not even useful for white listing as spammers can set up SPF too.

Marc, please stop bullshitting about SPF, finally.
We already know you don't understand how it works.
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning (Slovak original): I do NOT wish to receive any advertising mail at this address.
Windows 2000: 640 MB ought to be enough for anybody

Re: How not to implement SPF (nationwide.co.uk)

Posted by Kelson Vibber <ke...@speed.net>.
On Jul 5, 2010, at 6:46 AM, Marc Perkel wrote:
> 
> BTW - does anyone have some big list of domain that when combined with SPF make a good white list?

Well, that would depend on who you and your users want mail from, wouldn't it?

Re: How not to implement SPF (nationwide.co.uk)

Posted by Marc Perkel <su...@junkemailfilter.com>.

On 7/5/2010 1:10 AM, Kelson Vibber wrote:
> On Jul 4, 2010, at 11:57 PM, Marc Perkel wrote:
>
>> It's not even useful for white listing as spammers can set up SPF too.
>>
>
> That's not how whitelisting on SPF works.
>
> You don't whitelist *solely* on the presence of SPF.
>
> You whitelist the *combination* of a domain that you want and a positive SPF match.
>
> Let's say you want to whitelist mail from example.com, and you don't want to worry about keeping track of their outgoing servers. You set up whitelisting using SPF such that...
>
> 1. Mail from example.com that doesn't pass SPF =>  neutral, go through normal filtering
> 2. Mail from example.com that DOES pass SPF =>  whitelisted
> 3. Mail from random spammer's domain that passes SPF =>  neutral, go through normal filtering
>
> Multiply steps #1 and #2 by however many domains you want to whitelist, and it's a lot more convenient than keeping track of all their IP addresses yourself, especially if they have a lot of them or change them from time to time.
>
> That's how SpamAssassin uses SPF to whitelist mail.  (See the docs for whitelist_from_spf and similar rules.)  Notice that it really doesn't matter whether spammers set up their own SPF rules.
>
> Actually, you could make use of spammers' SPF records in some circumstances by adding a fourth possibility:
>
> 4. Mail from known spammer's domain that passes SPF =>  blacklisted
>
> OK, that fourth possibility isn't likely to crop up very often, but it's still taking advantage of spammers using SPF...which, once again, doesn't interfere with SPF's usefulness as a component of whitelisting.
>

BTW - does anyone have some big list of domain that when combined with 
SPF make a good white list?

-- 
Marc Perkel - Sales/Support
support@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400


Re: How not to implement SPF (nationwide.co.uk)

Posted by Kelson Vibber <ke...@speed.net>.
On Jul 4, 2010, at 11:57 PM, Marc Perkel wrote:
> It's not even useful for white listing as spammers can set up SPF too.


That's not how whitelisting on SPF works.

You don't whitelist *solely* on the presence of SPF.

You whitelist the *combination* of a domain that you want and a positive SPF match.

Let's say you want to whitelist mail from example.com, and you don't want to worry about keeping track of their outgoing servers. You set up whitelisting using SPF such that...

1. Mail from example.com that doesn't pass SPF => neutral, go through normal filtering
2. Mail from example.com that DOES pass SPF => whitelisted
3. Mail from random spammer's domain that passes SPF => neutral, go through normal filtering

Multiply steps #1 and #2 by however many domains you want to whitelist, and it's a lot more convenient than keeping track of all their IP addresses yourself, especially if they have a lot of them or change them from time to time.

That's how SpamAssassin uses SPF to whitelist mail.  (See the docs for whitelist_from_spf and similar rules.)  Notice that it really doesn't matter whether spammers set up their own SPF rules.

Actually, you could make use of spammers' SPF records in some circumstances by adding a fourth possibility:

4. Mail from known spammer's domain that passes SPF => blacklisted

OK, that fourth possibility isn't likely to crop up very often, but it's still taking advantage of spammers using SPF...which, once again, doesn't interfere with SPF's usefulness as a component of whitelisting.


Re: How not to implement SPF (nationwide.co.uk)

Posted by Dave Pooser <da...@pooserville.com>.
On 7/5/10 Jul 5, 1:57 AM, "Marc Perkel" <su...@junkemailfilter.com> wrote:

> It's not even useful for white listing as spammers can set up SPF too.

Yes, Marc, but here's the secret to that:
    YOU DON'T WHITELIST THE SPAMMERS!

Ahem. Sorry about that, but since reasoned explanation hasn't been working I
figured yelling might. You see, nobody is suggesting "whitelist_auth *@*" --
that would be stupid. What people ARE saying is that
    whitelist_auth *@mybank.domain
can be a handy tool if mybank.domain has properly configured SPF (or DKIM)
records.

That's it. Not the FUSS, not the ultimate hat-checker. Just a way that I can
make sure legitimate mails from $sender get through while forged messages
pretending to be from $sender don't. This ain't rocket surgery.
-- 
Dave Pooser
Cat-Herder-in-Chief
Pooserville.com
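As an added illustration (not code from this thread or from SpamAssassin), the following Python models the four-case decision Kelson Vibber lays out and the `whitelist_auth *@mybank.domain` pattern Dave Pooser quotes. The address patterns are matched with shell-style globbing as an assumption about how the `*@domain` syntax behaves; the sender addresses, SPF results and list contents are constructed sample values.

```python
# Added example: a minimal model of SPF-based whitelisting as discussed in
# the thread. Not SpamAssassin's implementation; pattern matching via
# fnmatch is an assumption standing in for the *@domain syntax of
# whitelist_from_spf / whitelist_auth.
from fnmatch import fnmatchcase


def spf_disposition(sender, spf_result, whitelist, blacklist=()):
    """Return 'whitelisted', 'blacklisted' or 'neutral' for one message.

    sender     -- sender address being evaluated, e.g. 'alerts@example.com'
    spf_result -- outcome of the SPF check: 'pass', 'fail', 'softfail', 'none'
    whitelist  -- patterns such as '*@example.com' for domains we trust (case 2)
    blacklist  -- patterns for domains known to be spammers (case 4)
    """
    sender = sender.lower()
    if spf_result != "pass":
        # Case 1: the domain is not proven by SPF (a forged message lands
        # here), so any list entry is ignored and normal filtering applies.
        return "neutral"
    if any(fnmatchcase(sender, p.lower()) for p in blacklist):
        return "blacklisted"  # case 4: a known spammer vouching for itself
    if any(fnmatchcase(sender, p.lower()) for p in whitelist):
        return "whitelisted"  # case 2: wanted domain AND positive SPF match
    # Case 3: a random domain passing its own SPF earns nothing; the
    # presence of SPF alone is never a reason to trust mail.
    return "neutral"


def overly_broad_patterns(patterns):
    """Return list entries that would match any SPF-passing sender at all.

    'whitelist_auth *@*' is the mistake the thread warns against: a pattern
    that matches an arbitrary constructed address whitelists everyone who
    bothers to publish an SPF record.
    """
    probe = "anyone@anydomain.invalid"  # constructed, matches no real domain
    return [p for p in patterns if fnmatchcase(probe, p.lower())]


if __name__ == "__main__":
    trusted = ["*@example.com"]
    print(spf_disposition("alerts@example.com", "pass", trusted))        # whitelisted
    print(spf_disposition("alerts@example.com", "fail", trusted))        # neutral
    print(spf_disposition("promo@spammer.example", "pass", trusted))     # neutral
    print(overly_broad_patterns(["*@example.com", "*@*"]))               # ['*@*']
```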