Posted to dev@spamassassin.apache.org by Justin Mason <jm...@jmason.org> on 2005/01/10 05:21:33 UTC
Re: initial analysis of SPF_PASS results
Daniel Quinlan writes:
> First, large ISPs seem to be the origination point for a *lot* of spam.
Large ISPs' outbound relays, or direct from their dynamic pools?
e.g. blueyonder.co.uk list their dyn pools in their SPF record,
which is unfortunate but legal.
> Second, here's my list of the domains we could potentially whitelist for
> SPF_PASS results (high count, good ratio, not biased towards open source
> folks).
>
> 0.0000  90  health.webmd.com
> 0.0000  27  foolsubs.com
> 0.0000  23  ms3.lga2.nytimes.com (list *.nytimes.com ?)
> 0.0000  17  match.com
> 0.0000   9  paypal.com
+1 -- I can go for that.
(Worth noting that I *don't* think we should also apply the converse,
treating mails from those doms that don't fix the SPF record as forged;
we'd need to do separate analysis on that.)
> For a different and even less biased approach, I took the listings with
> 0.01 or lower S/O ratio and ranked them by SenderBase volume (entries
> above 6.0 on the volume scale). Note that I just extracted
> registrar-level domain names from the SPF domain lists, so some of these
> are definitely not completely clean or are not immediately
> whitelistable.
>
> domain               volume whitelist?
> -------------------- ------ ----------
> ebay.com             7.5    yeah
> amazon.com           6.7    yeah
> speakeasy.net        6.6
> paypal.com           6.6    yeah
> msn.com              6.6
> roving.com           6.5
> nytimes.com          6.5    yeah
> m0.net               6.5
> classmates.com       6.5
> exacttarget.com      6.4
> sparklist.com        6.2
> sourceforge.net      6.1
> securityfocus.com    6.1
> spamarrest.com       6.0
> rm04.net             6.0
> redhat.com           6.0
> foolsubs.com         6.0    yeah
> bluehornet.com       6.0
>
> So, based on all that, I'm thinking we could experimentally add SPF_PASS
> whitelists for:
>
> ebay.com
> amazon.com
> paypal.com
> nytimes.com
> foolsubs.com
> webmd.com
> match.com
>
> I checked NANAE and the above domains seem to be pretty clean and this
> jives with my recollection.
+1.
--j.
Re: initial analysis of SPF_PASS results
Posted by Daniel Quinlan <qu...@pathname.com>.
> Large ISPs' outbound relays, or direct from their dynamic pools?
> e.g. blueyonder.co.uk list their dyn pools in their SPF record,
> which is unfortunate but legal.
I suspect some of that, plus a lot of whatever bug is causing that AOL
SPF_PASS false match I reported. That was the first reputable ISP I
checked for SPF_PASS hits vs. their MAIL FROM in my spam folder, so I
suspect there are a lot more problems that way.
Daniel
--
Daniel Quinlan
http://www.pathname.com/~quinlan/