You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@spamassassin.apache.org by le...@srs.gov on 2005/05/03 21:12:42 UTC

SPF Whitelist implementation flaw?

I'd love to implement SPF checks in SA rather than having to run two 
milters on our sendmail, but there's a fundamental flaw in the 
whitelisting for SPF.

It looks like the whitelist applies to internet domains or email 
addresses.  Whitelisting those automatically defeats the purpose of SPF. 
If you whitelist (bad example, but...) *@aol.com, you play into the 
spoofer's hand by allowing any mail from that domain to pass.  The 
"correct" whitelisting method would be to whitelist trusted IP addresses.

Anyone know if IP addresses would also work?

Thanks!

Re: SPF Whitelist implementation flaw?

Posted by David B Funk <db...@engineering.uiowa.edu>.

On Tue, 3 May 2005 leonard.gray@srs.gov wrote:

> I'd love to implement SPF checks in SA rather than having to run two
> milters on our sendmail, but there's a fundamental flaw in the
> whitelisting for SPF.
>
> It looks like the whitelist applies to internet domains or email
> addresses.  Whitelisting those automatically defeats the purpose of SPF.
> If you whitelist (bad example, but...) *@aol.com, you play into the
> spoofer's hand by allowing any mail from that domain to pass.  The
> "correct" whitelisting method would be to whitelist trusted IP addresses.
>
> Anyone know if IP addresses would also work?

Check out "whitelist_from_rcvd" it lets you link a particular address
(or address regex) to a specific sending server. The sending server is
validated by both hostname and IP address.

Thus you can restrict the whitelisting to particular senders to
prevent abuse by forgers.



-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

RE: How ill-advised are nightlies?

Posted by Bret Miller <br...@wcg.org>.

> On Wed, May 04, 2005 at 07:24:07AM -0400, leonard.gray@srs.gov wrote:
> > 
> > I know from watching that 3.1 might be a ways off, and am 
> wondering if 
> > based on anyone's experience whether running an interim 
> build is a good 
> > idea or not?  I understand the risks of doing this in general, just 
> > wondering if the SA tree and development cycle is any more 
> or less likely 
> > to give us problems.
> > 
> 
> I suppose that depends on your definition of a ways off.  You should
> start seeing pre-releases for 3.1 fairly soon (within a week I'd
> guess).  I've been running the 3.1 dev code for awhile on my server,
> although it's low traffic box so your mileage may vary.
> 
> As always, the more folks that get on board and test the current svn
> code and then any of the pre an RC releases the faster we can find and
> kill bugs.  So, I encourage anyone who is willing and able to do so.

Well, I'm adventurous I guess. I just grabbed the latest nigthly
snapshot, installed it on my computer, tested it slightly, installed in
on our server, enabled parallel requests and so far it's running great.

This is probably a good test since the DNS code has been rewritten and
that's what was preventing running with parallel requests on Windows
before. Only time will tell how stable this is.

Besides the DNS rewrite, it seems the URI parsing code is better as it
now can sort out escaped URLs better. It's looking very good guys!

Bret

Re: How ill-advised are nightlies?

Posted by Michael Parker <pa...@pobox.com>.

On Wed, May 04, 2005 at 07:24:07AM -0400, leonard.gray@srs.gov wrote:
> 
> I know from watching that 3.1 might be a ways off, and am wondering if 
> based on anyone's experience whether running an interim build is a good 
> idea or not?  I understand the risks of doing this in general, just 
> wondering if the SA tree and development cycle is any more or less likely 
> to give us problems.
> 

I suppose that depends on your definition of a ways off.  You should
start seeing pre-releases for 3.1 fairly soon (within a week I'd
guess).  I've been running the 3.1 dev code for awhile on my server,
although it's low traffic box so your mileage may vary.

As always, the more folks that get on board and test the current svn
code and then any of the pre an RC releases the faster we can find and
kill bugs.  So, I encourage anyone who is willing and able to do so.

Michael

How ill-advised are nightlies?

Posted by le...@srs.gov.

We have been waiting patiently to resolve the swapping problem caused by 
SA 3.0.x's forking algorithms.  I have been watching anxiously over the 
progress of 3.1 and am very encouraged about the new pre-forking code.

However, we're have a real need to get SA installed now for "the 
never-ending battle".  This would be the first time we've installed the 
product into production.

I downloaded and configured a nightly build yesterday and found it to work 
quite well.  We're contemplating using it in production to help lighten 
our load of managing the floods of junk mail.

I know from watching that 3.1 might be a ways off, and am wondering if 
based on anyone's experience whether running an interim build is a good 
idea or not?  I understand the risks of doing this in general, just 
wondering if the SA tree and development cycle is any more or less likely 
to give us problems.

Thanks in advance.