
Re: spf record



Juha-Matti Tapio wrote:
> On Fri, Jan 20, 2006 at 12:29:08PM -0800, Joe Emenaker wrote:
> > .. except for the fact that it *dramatically* increases the effectiveness of your RBLs. At present, if a spammer's domain gets blacklisted, they'll just spoof someone else's. SPF will prevent that.
> Actually I am not sure about the effectiveness either. I grepped a bit
> around my personal mail server's spamassassin-rejected mails and here are my
> figures:
When SpamAssassin 3 was released, although it contained code to verify SPF, it did not add spam points to messages that failed SPF, and I don't think they subtracted points if it passed, either. So, the initial code was there so that it could be activated (and the points given or taken away could be increased) as SPF became more widespread and the issues with it could be ironed out. Also, I think there are probably a lot of people like myself who are tentatively rolling this out with their own domains by putting "+all" or "?all" in their SPF records.

Over the next couple of years, as people become convinced that SPF isn't going to completely break all mail delivery, they'll start going to "-all" and the spam filters like SpamAssassin will start treating SPF failures more harshly. But, at present, neither of those things is very widespread. So, I don't expect to start seeing real benefit from SPF for another year or two.
> Permanent rejects: 5069  (12+ points)
>   - SPF ok:          68
>   - SPF failed:      38
> Temporary rejects: 2105 (7+ points)
>   - SPF ok:          58
>   - SPF failed:       5
>
> Though my mail load is probably not at all demographic and these figures
> should be taken with a grain of salt. But at least in my example more spam
> passes the SPF test than fails it and failures start to correlate with
> spamminess only when it is otherwise obvious that the message is spam.
Well, the question I have is: Can SPF give you any additional benefit? To find out, do this. Make a folder of all of the spam that gets *through* your spam filter that also passes SPF. Now, look at the domains they came from and save that list of domains. Now, go to your *caught* spam that passed SPF and get a list of *those* domains. If any domain appears in both lists, then you could have prevented the one that got through your spam filter (provided that it arrived after your caught one), because you could have used a personal RBL.
In essence, SPF would give the spammer "no place to run" when they get found out. I'm honestly curious to see what they do to counter it. My only guess is that they'll have to register a bunch of "throw-away" domains with names like "slk2l2jhldwfhsad9123jn.com", which they use to send out spam for a day and then abandon it.

> In a couple of minutes I can think of at least the following ways to go around
> that:
>
> a) Use any domain that either does not have SPF records or allows any
> sources.
Well, the "grand plan" for SPF is that these are going to disappear or become as rare as open relays. As SPF becomes more widespread, the spam filters will be more comfortable with being harsh to SPF-failing messages. As that happens, if you run a mail server... and you want your mail to actually get *delivered*, you'll implement SPF.

As far as allowing any sources... I think that, as the number of these dwindles (as did open relays or open usenet servers), more spammers will start grouping onto fewer and fewer open domains.... and these domains will quickly become blacklisted.
> For example I would be really surprised to ever see actually
> effective SPF-records on debian.org.
Why?
> b) Use the domain of the ISP of the zombie-machines.
Yeah.... well, zombie machines are, IMO, outside of the scope of SPF.

- Joe
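Two parts of the discussion above in working code, as an added example that is not from either poster: a minimal SPF evaluator that shows how the "+all", "?all" and "-all" qualifiers change a record's verdict, and the two-folder comparison Joe describes (domains that passed SPF both in the spam that got through and in the spam that was caught, with the "caught one arrived first" condition). The evaluator deliberately handles only the ip4/ip6/all mechanisms so it needs no DNS; the messages, dates, domains and the Received-SPF header layout are constructed for the example and are assumptions, not data from the thread.

```python
"""Added example, not code from the thread: (1) a minimal SPF evaluator that
shows how the +all / ?all / -all qualifiers discussed above change a record's
verdict, and (2) Joe's two-folder comparison, which finds sender domains that
passed SPF in both the spam that got through and the spam that was caught.
Sample messages and records below are constructed for the example."""
import email
import ipaddress
from email.message import Message
from email.utils import parseaddr, parsedate_to_datetime

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, client_ip: str) -> str:
    """Evaluate an SPF record against the connecting IP.

    Deliberately supports only 'ip4:', 'ip6:' and 'all' so it needs no DNS;
    real records also use a, mx, include, redirect and so on.
    Returns pass / fail / softfail / neutral, or 'none' if not an SPF record.
    """
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"                      # mechanisms default to '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":                    # 'all' always matches
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            # A v4 address is never inside a v6 network and vice versa
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
            continue
        raise ValueError(f"mechanism not supported by this example: {mech}")
    return "neutral"                         # nothing matched, no 'all' term


def spf_passed(msg: Message) -> bool:
    """True if the Received-SPF header the filter added says 'pass'."""
    hdr = msg.get("Received-SPF", "")
    return bool(hdr) and hdr.split()[0].lower() == "pass"


def sender_domain(msg: Message) -> str:
    """Domain of the envelope sender (Return-Path), falling back to From."""
    addr = parseaddr(msg.get("Return-Path") or msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower()


def personal_rbl_candidates(got_through, caught):
    """Domains that a personal RBL built from the caught folder would have
    blocked: the domain passed SPF in both folders, and the caught message
    arrived before the one that got through."""
    first_caught = {}
    for m in caught:
        if spf_passed(m):
            d = sender_domain(m)
            t = parsedate_to_datetime(m["Date"])
            if d not in first_caught or t < first_caught[d]:
                first_caught[d] = t
    hits = set()
    for m in got_through:
        if spf_passed(m):
            d = sender_domain(m)
            if d in first_caught and first_caught[d] < parsedate_to_datetime(m["Date"]):
                hits.add(d)
    return sorted(hits)


def _msg(sender, spf_result, date):
    """Build a constructed sample message with just the headers the check reads."""
    return email.message_from_string(
        f"Return-Path: <{sender}>\nReceived-SPF: {spf_result} (example)\n"
        f"Date: {date}\nSubject: constructed sample\n\nbody\n"
    )


# Constructed folders, not real mail: CAUGHT is what the filter rejected,
# GOT_THROUGH is what it let past.
CAUGHT = [
    _msg("x@blocked-example.test", "pass", "Wed, 18 Jan 2006 09:00:00 -0800"),
    _msg("y@later-example.test", "pass", "Wed, 25 Jan 2006 09:00:00 -0800"),
]
GOT_THROUGH = [
    _msg("z@blocked-example.test", "pass", "Fri, 20 Jan 2006 12:00:00 -0800"),
    _msg("w@later-example.test", "pass", "Thu, 19 Jan 2006 12:00:00 -0800"),
    _msg("v@nospf-example.test", "fail", "Fri, 20 Jan 2006 13:00:00 -0800"),
]

if __name__ == "__main__":
    for rec in ("v=spf1 ip4:192.0.2.0/24 -all",
                "v=spf1 ip4:192.0.2.0/24 ?all",
                "v=spf1 +all"):
        print(rec, "->", evaluate_spf(rec, "198.51.100.9"))
    print("personal RBL candidates:", personal_rbl_candidates(GOT_THROUGH, CAUGHT))
```

Only blocked-example.test comes out as a candidate: later-example.test appears in both folders but its caught copy arrived after the one that got through, and the nospf-example.test message never passed SPF, so neither would have been stopped by a personal RBL built from the caught folder. The same three records evaluated against an IP outside the ip4 range give fail, neutral and pass respectively, which is the difference between a "-all" domain and the "+all"/"?all" test deployments mentioned above.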

