Posted to users@spamassassin.apache.org by Blason R <bl...@gmail.com> on 2014/01/01 04:00:50 UTC

Re: Confused about Mail::SPF::Query

Well I wouldn't agree with it. Personally I found rejecting mails at MTA
level for the domains who have wrong SPF can be a very effective mechanism to
fight against SPAM.

Above that I would do BATV tagging to avoid backscattering.
On 1 Jan 2014 03:12, "Martin Gregorie" <ma...@gregorie.org> wrote:

> On Tue, 2013-12-31 at 18:35 +0000, Walter Hurry wrote:
> > Does that indicate that it's all working properly, or should I be looking
> > for something else?
> >
> Personally, I'm not convinced that SPF is much use for detecting spam.
>
> What it *is* good for, though, is preventing backscatter.
>
> What an SPF record does is publish the IPs that are valid recipients of
> mail sent to a domain. Spammers don't need or use this info because
> they're going to send mail to your domain (somebody@example.com) anyway.
> Where it comes in useful is when a third party's MTA wants to bounce
> mail it received for an unknown user. If it's being well behaved, before
> it bounces the message it will check for an SPF record at the message
> sender's domain and, if there is one, check the IP in the From: header
> against it. If the IP doesn't match a valid IP in the SPF record it
> knows that the sender was forged and that nothing will be achieved by
> sending a bounce message.
>
> The result: if you set up an SPF you won't get backscatter (spam with
> your address forged and used as the sender).
>
> If you haven't created and validated an SPF record for your domain, I
> recommend that you do so. There are useful tools for these tasks here:
> http://www.kitterman.com/spf/validate.html
>
>
> Martin
>
>
>
>

Re: Confused about Mail::SPF::Query

Posted by Blason R <bl...@gmail.com>.
But then sending a mail with prvs or BATV tag would definitely help in
stopping backscatter attacks. Is it not?
On 2 Jan 2014 20:35, "David F. Skoll" <df...@roaringpenguin.com> wrote:

> On Wed, 1 Jan 2014 20:46:58 +0100
> Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
>
> > On 01.01.14 11:34, David F. Skoll wrote:
> > >I don't find it very effective.  It would stop maybe 5% of all the
> > >spam on our systems at most.
>
> > ...and how many forgeries did this stop?
>
> A few.  Our current incident database contains the following quarantined
> messages:
>
> Total incidents: 16 260 780  (16 million)
>    SPF softfail:    914 609  (~1 million)
>        SPF fail:    429 697  (~400K)
>
> So SPF only applies to about 8.4% of our quarantined mail and SPF "fail"
> to only about 2.6%.
>
> Furthermore, SPF "softfail" is usually indicative of a domain owner
> who is clueless about how to set up a proper SPF record rather than a
> forgery.
>
> SPF is very good at stopping forgeries of the envelope sender.
> However, it's completely useless at stopping forgeries where the From:
> header is <se...@paypal.com> but the envelope sender is
> <ww...@hacked.luser.org>
>
> It's also only mildly effective at stopping backscatter because not
> enough sites actually check SPF to significantly reduce backscatter.
> What it *is* good at is acting as a CYA mechanism.  If someone
> complains that we are spamming, we can prove to them that the mail
> originated from a server we didn't authorize and was therefore forged.
>
> Regards,
>
> David.
>

Re: Confused about Mail::SPF::Query

Posted by "David F. Skoll" <df...@roaringpenguin.com>.
On Wed, 1 Jan 2014 20:46:58 +0100
Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:

> On 01.01.14 11:34, David F. Skoll wrote:
> >I don't find it very effective.  It would stop maybe 5% of all the
> >spam on our systems at most.

> ...and how many forgeries did this stop?

A few.  Our current incident database contains the following quarantined
messages:

Total incidents: 16 260 780  (16 million)
   SPF softfail:    914 609  (~1 million)
       SPF fail:    429 697  (~400K)

So SPF only applies to about 8.4% of our quarantined mail and SPF "fail"
to only about 2.6%.

Furthermore, SPF "softfail" is usually indicative of a domain owner
who is clueless about how to set up a proper SPF record rather than a
forgery.

SPF is very good at stopping forgeries of the envelope sender.
However, it's completely useless at stopping forgeries where the From:
header is <se...@paypal.com> but the envelope sender is
<ww...@hacked.luser.org>

It's also only mildly effective at stopping backscatter because not
enough sites actually check SPF to significantly reduce backscatter.
What it *is* good at is acting as a CYA mechanism.  If someone
complains that we are spamming, we can prove to them that the mail
originated from a server we didn't authorize and was therefore forged.

Regards,

David.
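
The envelope-versus-header point in the message above, as an added example that is not part of the original thread: a simplified SPF evaluator (only `ip4` and `all` mechanisms) that checks the envelope sender and then reports whether the From: header names the same domain. The domains, IPs and records in `SPF_RECORDS` are constructed stand-ins for DNS TXT lookups, and the function names are hypothetical.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed SPF records standing in for DNS TXT lookups (assumption).
SPF_RECORDS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "hacked.example": "v=spf1 ip4:198.51.100.7 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(client_ip, envelope_sender):
    """Evaluate only ip4/all mechanisms for the MAIL FROM domain."""
    domain = envelope_sender.rpartition("@")[2].lower()
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term


def assess(client_ip, envelope_sender, raw_message):
    """SPF result for the envelope, plus whether From: names that domain."""
    header_from = parseaddr(message_from_string(raw_message)["From"])[1]
    header_domain = header_from.rpartition("@")[2].lower()
    envelope_domain = envelope_sender.rpartition("@")[2].lower()
    return {
        "spf": spf_check(client_ip, envelope_sender),
        "header_from_domain": header_domain,
        "aligned": header_domain == envelope_domain,
    }


# Constructed message: From: names one domain, the envelope uses another.
SAMPLE = "From: Service <service@bank.example>\nSubject: test\n\nbody\n"

if __name__ == "__main__":
    # SPF passes for the envelope domain although From: is unrelated to it.
    print(assess("198.51.100.7", "www@hacked.example", SAMPLE))
    # Forging the envelope sender itself is what SPF does catch.
    print(assess("203.0.113.9", "service@bank.example", SAMPLE))
```
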

Re: Confused about Mail::SPF::Query

Posted by Benny Pedersen <me...@junc.eu>.
Matus UHLAR - fantomas wrote on 2014-01-01 20:46:
> On 01.01.14 11:34, David F. Skoll wrote:
>> I don't find it very effective.  It would stop maybe 5% of all the spam
>> on our systems at most.
> ...and how many forgeries did this stop?

5% of nothing is still nothing, David knows his numbers :/

spf is nothing to do with stopping spam from spf pass domains, but it 
helps to find if we can complain to domain owners or isps

if all domains in this world were fully spf protected there would still be 
spam from spf pass domains

Re: Confused about Mail::SPF::Query

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>On Wed, 1 Jan 2014 08:30:50 +0530
>Blason R <bl...@gmail.com> wrote:
>> Well I wouldn't agree with it. Personally I found rejecting mails at
>> MTA level for the domains who have wrong SPF can be a very effective
>> mechanism to fight against SPAM.

On 01.01.14 11:34, David F. Skoll wrote:
>I don't find it very effective.  It would stop maybe 5% of all the spam
>on our systems at most.

...and how many forgeries did this stop?

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
He who laughs last thinks slowest. 

Re: Confused about Mail::SPF::Query

Posted by "David F. Skoll" <df...@roaringpenguin.com>.
On Wed, 1 Jan 2014 08:30:50 +0530
Blason R <bl...@gmail.com> wrote:

> Well I wouldn't agree with it. Personally I found rejecting mails at
> MTA level for the domains who have wrong SPF can be a very effective
> mechanism to fight against SPAM.

I don't find it very effective.  It would stop maybe 5% of all the spam
on our systems at most.

Regards,

David.