
Mailing List Archive: SpamAssassin: users

Rules for not passing SPF

 

 



Darxus at ChaosReigns

Feb 2, 2010, 3:18 PM

Post #1 of 12 (1312 views)
Rules for not passing SPF

Ideally everyone would pass these.

meta SPF_HELO_NOT_PASS !SPF_HELO_PASS
meta SPF_NOT_PASS !SPF_PASS

These will catch everything that does not have a valid SPF record,
including those for domains that have no SPF record.

I tested only the most recent 1,000 emails from my inbox, which I haven't
been sorting, so it includes all the spam that both SpamAssassin and
SpamProbe missed.

SPF_NOT_PASS got 180 hits. At least 4 of those were spam.

I'm going to sort my email out and do more testing. I'd love to hear what
numbers the rest of you get. I expect it to get better over time.
Especially if it gets added to the default SA rules.

--
"I finally figured out the only reason to be alive is to enjoy it."
- Rita Mae Brown
http://www.ChaosReigns.com
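
Added example (not part of the original post or of SpamAssassin): a breakdown, by SPF result, of what a `!SPF_PASS` meta rule hits. It assumes the receiving MTA recorded its check in a `Received-SPF` header and treats a missing header as `none`; the sample messages are constructed.

```python
import email
import re
from collections import Counter

# SPF result keywords (RFC 7208, section 2.6).
SPF_RESULTS = {"pass", "fail", "softfail", "neutral", "none",
               "temperror", "permerror"}

def _msg(spf_header):
    """Build a constructed test message, optionally with a Received-SPF header."""
    head = f"Received-SPF: {spf_header}\n" if spf_header else ""
    return head + "From: sender@example.org\nSubject: test\n\nbody\n"

# Constructed sample mailbox, not data from the thread.
SAMPLES = [
    _msg("pass (example.org: 192.0.2.10 is authorized)"),
    _msg("none (example.net: no SPF record published)"),
    _msg("neutral (example.com: 198.51.100.7 is neither permitted nor denied)"),
    _msg("softfail (example.com: 203.0.113.5 is not listed)"),
    _msg("fail (example.org: 203.0.113.9 is not authorized)"),
    _msg(None),  # no SPF check recorded; treated as 'none' (assumption)
]

def spf_result(raw_message):
    """Return the lower-cased SPF result keyword recorded for one message."""
    msg = email.message_from_string(raw_message)
    match = re.match(r"\s*([A-Za-z]+)", msg.get("Received-SPF", ""))
    result = match.group(1).lower() if match else "none"
    return result if result in SPF_RESULTS else "none"

def not_pass_breakdown(messages):
    """Count, per SPF result, the messages a '!SPF_PASS' rule would hit."""
    counts = Counter(spf_result(m) for m in messages)
    counts.pop("pass", None)  # everything except 'pass' is a hit
    return counts

if __name__ == "__main__":
    hits = not_pass_breakdown(SAMPLES)
    print("SPF_NOT_PASS hits:", sum(hits.values()))
    for result, n in hits.most_common():
        print(f"  {result}: {n}")
```

Only the `fail` bucket reflects a sender the domain's policy rejects; the other buckets are domains with no record or an inconclusive one.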


marc at perkel

Feb 2, 2010, 3:26 PM

Post #2 of 12 (1280 views)
Re: Rules for not passing SPF [In reply to]

Darxus [at] ChaosReigns wrote:
> Ideally everyone would pass these.
>
> meta SPF_HELO_NOT_PASS !SPF_HELO_PASS
> meta SPF_NOT_PASS !SPF_PASS
>
> These will catch everything that does not have a valid SPF record,
> including those for domains that have no SPF record.
>
> I tested only the most recent 1,000 emails from my inbox, which I haven't
> been sorting, so it includes all the spam that both SpamAssassin and
> SpamProbe missed.
>
> SPF_NOT_PASS got 180 hits. At least 4 of those were spam.
>
> I'm going to sort my email out and do more testing. I'd love to hear what
> numbers the rest of you get. I expect it to get better over time.
> Especially if it gets added to the default SA rules.
>
>

Why would you want to catch domains without SPF as SPF has no
relationship to detecting spam?


ned at unixmail

Feb 2, 2010, 3:35 PM

Post #3 of 12 (1278 views)
Re: Rules for not passing SPF [In reply to]

Darxus [at] ChaosReigns wrote:
> Ideally everyone would pass these.
>

and ideally we'd live in a world with no spam.

> meta SPF_HELO_NOT_PASS !SPF_HELO_PASS
> meta SPF_NOT_PASS !SPF_PASS
>
> These will catch everything that does not have a valid SPF record,
> including those for domains that have no SPF record.
>

A valid SPF record isn't a requirement, and they will also catch a *LOT*
of ham...

> I tested only the most recent 1,000 emails from my inbox, which I haven't
> been sorting, so it includes all the spam that both SpamAssassin and
> SpamProbe missed.
>
> SPF_NOT_PASS got 180 hits. At least 4 of those were spam.
>

...as you've just proved - can we assume the other 176 hits were ham?

> I'm going to sort my email out and do more testing. I'd love to hear what
> numbers the rest of you get. I expect it to get better over time.
> Especially if it gets added to the default SA rules.
>

It couldn't get much worse, could it?


Darxus at ChaosReigns

Feb 2, 2010, 3:38 PM

Post #4 of 12 (1284 views)
Re: Rules for not passing SPF [In reply to]

On 02/02, Marc Perkel wrote:
> Why would you want to catch domains without SPF as SPF has no
> relationship to detecting spam?

SPF is entirely about spam.

http://www.openspf.org/Introduction

If everyone uses SPF, all we need to block all spam is these rules
(SPF_NOT_PASS alone should do it), and a blacklist of domains that have
SPF records including IPs that send spam.

SPF is easy, there's a wizard http://www.openspf.org/, then you paste
the results into the DNS TXT record for your domain.

--
"Anarchy is based on the observation that since few are fit to rule
themselves, even fewer are fit to rule others." -Edward Abbey
http://www.ChaosReigns.com


ned at unixmail

Feb 2, 2010, 4:05 PM

Post #5 of 12 (1279 views)
Re: Rules for not passing SPF [In reply to]

Darxus [at] ChaosReigns wrote:
> On 02/02, Marc Perkel wrote:
>> Why would you want to catch domains without SPF as SPF has no
>> relationship to detecting spam?
>
> SPF is entirely about spam.
>
> http://www.openspf.org/Introduction
>
> If everyone uses SPF, all we need to block all spam is these rules
> (SPF_NOT_PASS alone should do it), and a blacklist of domains that have
> SPF records including IPs that send spam.
>

What about the situations where you can't use SPF?

Do you think spammers are incapable of setting an SPF record on their
own domains?

ISPs blocking outbound port 25 would probably stop the majority of spam
overnight, but that isn't likely to happen either, and spammers would
simply find another method as they're not likely to just sit around and
watch their highly lucrative business evaporate overnight.

> SPF is easy, there's a wizard http://www.openspf.org/, then you paste
> the results into the DNS TXT record for your domain.
>

It's never going to happen. We can't even get half the banks to
implement measures like SPF or DKIM, and they are getting the hell
phished out of them and are exactly the type of sector you'd expect to
be using such measures to prevent spoofing and making it easier for
their clients to spot forgeries.


dan.mcdonald at austinenergy

Feb 2, 2010, 4:05 PM

Post #6 of 12 (1279 views)
Re: Rules for not passing SPF [In reply to]

On 2/2/10 5:38 PM, "Darxus [at] ChaosReigns" <Darxus [at] ChaosReigns> wrote:

> On 02/02, Marc Perkel wrote:
>> Why would you want to catch domains without SPF as SPF has no
>> relationship to detecting spam?
>
> SPF is entirely about spam.

Sorry, but SPF is entirely about ham. We use SPF with vendors who want to
ensure that we receive their mail. They must either provide a valid SPF
policy or use DKIM signing in order to be added to our whitelist. It's
specified in all of the bid documentation.

>
> http://www.openspf.org/Introduction
>
> If everyone uses SPF, all we need to block all spam is these rules
> (SPF_NOT_PASS alone should do it), and a blacklist of domains that have
> SPF records including IPs that send spam.

Spammers will often create a rule like spf=v1 all. That always matches, so
their mail is now SPF compliant. Better to use it for personal
whitelisting, and as an anti-spoofing filter (if it doesn't match our SPF
policy, we didn't send it so it should be considered as SPAM).

> SPF is easy, there's a wizard http://www.openspf.org/, then you paste
> the results into the DNS TXT record for your domain.

Yes, we all know how to set up SPF.


--
Daniel J McDonald, CCIE # 2495, CISSP # 78281


jeff at delphioutpost

Feb 2, 2010, 4:07 PM

Post #7 of 12 (1278 views)
Re: Rules for not passing SPF [In reply to]

From: Darxus [at] ChaosReigns
Date: Tue, 2 Feb 2010 18:38:20 -0500

> On 02/02, Marc Perkel wrote:
>> Why would you want to catch domains without SPF as SPF has no
>> relationship to detecting spam?
>
> SPF is entirely about spam.

Actually, SPF is about forgery and forgery is part of the spam problem.
You can still have genuine spam that passes SPF. Messages that get
SPF_FAIL are forged spam and can be scored or blocked.

> http://www.openspf.org/Introduction
>
> If everyone uses SPF, all we need to block all spam is these rules
> (SPF_NOT_PASS alone should do it), and a blacklist of domains that have
> SPF records including IPs that send spam.

Good luck. All you need is to get everybody to use SPF and then have
a very large blacklist of spam sending domains.
http://www.rhyolite.com/anti-spam/you-might-be.html

> SPF is easy, there's a wizard http://www.openspf.org/, then you paste
> the results into the DNS TXT record for your domain.

SPF is great for what it does.

-jeff


marc at perkel

Feb 2, 2010, 4:53 PM

Post #8 of 12 (1275 views)
Re: Rules for not passing SPF [In reply to]

Darxus [at] ChaosReigns wrote:
> On 02/02, Marc Perkel wrote:
>
>> Why would you want to catch domains without SPF as SPF has no
>> relationship to detecting spam?
>>
>
> SPF is entirely about spam.
>
> http://www.openspf.org/Introduction
>
I'm looking at the page and did a search and the word "spam" is not
there. :)


uhlar at fantomas

Feb 3, 2010, 2:33 AM

Post #9 of 12 (1244 views)
Re: Rules for not passing SPF [In reply to]

> > On 02/02, Marc Perkel wrote:
> >> Why would you want to catch domains without SPF as SPF has no
> >> relationship to detecting spam?

> On 2/2/10 5:38 PM, "Darxus [at] ChaosReigns" <Darxus [at] ChaosReigns> wrote:
> > SPF is entirely about spam.

On 02.02.10 18:05, Daniel McDonald wrote:
> Sorry, but SPF is entirely about ham.

Neither one. SPF is only about forging. The _only_ thing you can say is that
SPF_FAIL is forged e-mail. You can't say anything about SPF_*_PASS,
SPF_SOFT_FAIL etc.

> We use SPF with vendors who want to
> ensure that we receive their mail. They must either provide a valid SPF
> policy or use DKIM signing in order to be added to our whitelist. It's
> specified in all of the bid documentation.

They _can_ start spamming you. You will only know it's really them who's
spamming. Or, that someone hacked into their servers or DNS.

> > If everyone uses SPF, all we need to block all spam is these rules
> > (SPF_NOT_PASS alone should do it), and a blacklist of domains that have
> > SPF records including IPs that send spam.
>
> Spammers will often create a rule like spf=v1 all. That always matches, so
> their mail is now SPF compliant. Better to use it for personal
> whitelisting, and as an anti-spoofing filter (if it doesn't match our SPF
> policy, we didn't send it so it should be considered as SPAM).

Some time ago we were discussing a rule penalizing too broad SPF...
"all" should probably have a rule (doesn't it yet?)

--
Matus UHLAR - fantomas, uhlar [at] fantomas ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
I intend to live forever - so far so good.
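
Added example (not from the thread or from SpamAssassin) of the kind of check discussed above: flagging SPF records so broad that a pass says nothing about the sender. In SPF record syntax the always-matching case is `v=spf1 all` or `v=spf1 +all`; the /16 and /32 thresholds, the function name and the sample records are assumptions made for illustration.

```python
import ipaddress

QUALIFIERS = "+-~?"

def permissive_findings(record, min_v4_prefix=16, min_v6_prefix=32):
    """List reasons an SPF TXT record passes far more senders than intended.

    The prefix thresholds are illustrative assumptions, not a standard.
    """
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    for term in terms[1:]:
        # A missing qualifier means '+' (pass).
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        body = (term[1:] if term[0] in QUALIFIERS else term).lower()
        name, _, value = body.partition(":")
        if "=" in name:          # modifier (redirect=, exp=), not a mechanism
            continue
        if name == "all":
            if qualifier == "+":
                findings.append("'all' with a pass qualifier authorizes every sender")
            break                # 'all' always matches; later terms never run
        if qualifier == "+" and name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                findings.append(f"unparseable address in {term}")
                continue
            limit = min_v4_prefix if net.version == 4 else min_v6_prefix
            if net.prefixlen < limit:
                findings.append(f"{term} authorizes a /{net.prefixlen}")
    return findings

# Constructed sample records.
SAMPLE_RECORDS = [
    "v=spf1 +all",
    "v=spf1 all",
    "v=spf1 ip4:0.0.0.0/1 ip4:128.0.0.0/1 -all",
    "v=spf1 ip4:192.0.2.0/24 mx -all",
    "v=spf1 redirect=_spf.example.net",
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec, "->", permissive_findings(rec) or "ok")
```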


francis+sausers at unchartedbackwaters

Feb 3, 2010, 3:37 PM

Post #10 of 12 (1237 views)
Re: Rules for not passing SPF [In reply to]

Ned Slider wrote:

> It's never going to happen. We can't even get half the banks to
> implement measures like SPF or DKIM, and they are getting the hell
> phished out of them and are exactly the type of sector you'd expect to
> be using such measures to prevent spoofing and making it easier for
> their clients to spot forgeries.

Unfortunately, it's never that simple. I notice you also appear to be in
the UK. I wonder if the same observations about SPF and DKIM apply in
the US and elsewhere.

The main issue for banks has always been that of liability. In the US,
banks are governed by 'Regulation E' which places liability with the
bank. If a customer disputes something, it's up to the bank to prove
otherwise. Hence, US banks have a good incentive to implement security
measures.

In the UK, there's only a voluntary code using vague terms such as
'reasonable care'. The introduction of Chip and Pin cards has had the
effect of shifting liability onto the customer as it's far easier for
the bank to argue that if someone else used your PIN, then you failed to
take reasonable care to protect it. Before, the burden of liability
might have been on the merchant or bank, for failing to spot a faked
signature. The introduction of Chip and Pin cards has done far more to
protect the banks than it has the consumer. See [1].

Regardless of whether you're in the UK or US, it's pretty easy to argue
that if you fell for a phishing attack, it was your fault for being
taken in and so banks have very little reason to refund you. Don't
expect banks to make any effort to protect their own customers unless it
directly benefits them.

Francis

[1] "Chip and Spin", Anderson, Bond, Murdoch


francis+sausers at unchartedbackwaters

Feb 3, 2010, 3:50 PM

Post #11 of 12 (1239 views)
Re: Rules for not passing SPF [In reply to]

Darxus [at] ChaosReigns wrote:

> If everyone uses SPF, all we need to block all spam is these rules
> (SPF_NOT_PASS alone should do it), and a blacklist of domains that have
> SPF records including IPs that send spam.

You might also want to read this:

http://homepages.tesco.net/J.deBoynePollard/FGA/smtp-spf-is-harmful.html

Whilst I don't agree with all the points on here, at least some of them
are quite significant. The chance of getting everyone to use SPF is
almost nil and I wouldn't be surprised if some mail server admins are
refusing to add even trivial SPF records on principle.

Francis


martin at gregorie

Feb 3, 2010, 4:40 PM

Post #12 of 12 (1236 views)
Re: Rules for not passing SPF [In reply to]

On Wed, 2010-02-03 at 23:50 +0000, Francis Russell wrote:
> Darxus [at] ChaosReigns wrote:
>
> > If everyone uses SPF, all we need to block all spam is these rules
> > (SPF_NOT_PASS alone should do it), and a blacklist of domains that have
> > SPF records including IPs that send spam.
>
> You might also want to read this:
>
> http://homepages.tesco.net/J.deBoynePollard/FGA/smtp-spf-is-harmful.html
>
I'm probably regarded as a slacker by that man because I use SPF for one
purpose only - to reduce backscatter. Since the amount of backscatter I
got after setting up SPF for my domain dropped dramatically and has
remained negligible, I deduce it works pretty well for me.

Martin
