
stuart at bmsi
Jun 25, 2007, 3:13 PM
Post #6 of 6
On Mon, 25 Jun 2007, Thomas Jacob wrote:

> > We do the same thing - but in addition to manual policy setting,
> > we track reputation of domain:spfresult. This way, the system
> > auto learns which domains should be reject on neutral, or reject
> > on pass for that matter.
>
> Interesting :-)
>
> And how do you do that, if I may ask?

Pymilter queries the reputation server with cookie assigned to the message:

2007Jun25 17:49:39 Q:orvisnews.com:pass:1:Lc4STKck.WiLGb0EqmXA$Q
2007Jun25 17:49:39 ham: 113, spam: 0
2007Jun25 17:49:39 ID orvisnews.com:pass reputation: 76.159416,10.994643
2007Jun25 17:49:39 PREPEND X-GOSSiP: Lc4STKck.WiLGb0EqmXA$Q,76,10

Reputation server sees that that domain and SPF result has sent 113 hams and 0 spams and reports score of 76 (highest) with confidence 10 (affected by total messages and timespan).

Pymilter adds header to message:

2007Jun25 17:49:39 [5578] connect from mail.orvisnews.com at ('12.168.118.150', 54443) EXTERNAL
2007Jun25 17:49:39 [5578] hello from mail.orvisnews.com
2007Jun25 17:49:39 [5578] mail from <news [at] orvisnews> ('BODY=8BITMIME',)
2007Jun25 17:49:39 [5578] Received-SPF: Pass (mail.bmsi.com: domain of orvisnews.com designates 12.168.118.150 as permitted sender) client-ip=12.168.118.150; envelope-from="news [at] orvisnews"; helo=mail.orvisnews.com; receiver=mail.bmsi.com; mechanism=mx; identity=mailfrom;
2007Jun25 17:49:39 [5578] X-GOSSiP: Lc4STKck.WiLGb0EqmXA$Q,76,10
2007Jun25 17:49:39 [5578] rcpt to <MAKURAT [at] BMSI> ()
2007Jun25 17:49:40 [5578] Subject: Save on in-season items NOW.

Looks like spam to me, but recipient approves of this newsletter and does not flag it as spam.

Pymilter sends feedback to gossip server that the message was legit:

2007Jun25 17:49:48 F:Lc4STKck.WiLGb0EqmXA$Q:0

On the other hand, a message comes in from:

2007Jun25 17:43:46 Q:jacobsfam.com:neutral:1:2R8V1yPWsoK.hwVnOA.H3g
2007Jun25 17:43:46 ham: 0, spam: 26
2007Jun25 17:43:46 ID jacobsfam.com:neutral reputation: -76.159416,2.072514
2007Jun25 17:43:46 REJECT X-GOSSiP: 2R8V1yPWsoK.hwVnOA.H3g,-76,2

It is rejected because jacobsfam.com with a neutral result has sent 26 spams and no hams, exceeding my personal (somewhat low :-) ) threshold for spam tolerance. This reputation does not affect mail from jacobsfam.com with another SPF result, like pass (or even softfail).

The effect is that I don't try to assign semantics to the SPF results, except that I reject on FAIL by default (with manually configured exceptions for totally braindead senders that I nevertheless need mail from). I just let their actual message history define what the SPF results mean in terms of whether I want their mail.

So the arguments over the precise meaning of softfail vs neutral vs pass are booorrrring at this point. I don't care. Just publish any old SPF record and I'm happy. Even if you don't publish SPF, I just apply my best_guess heuristic, and track reputation by that result. Best_guess results in either pass or neutral tracked as domain:GUESS and domain:neutral.

BTW, I reject on FAIL by default partly as a service to senders. That is after all a motivation for publishing SPF - to reduce bounced forgeries. The system would work just as well to let the FAIL result define itself - even an SPF record that got pass and fail accidentally reversed would work as intended :-)

--
Stuart D. Gathman <stuart [at] bmsi>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
-------------------------------------------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=735
Powered by Listbox: http://www.listbox.com
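
Added example, not part of the original post and not pymilter or GOSSiP code: a minimal in-memory model of the query/feedback cycle described above, with history keyed by domain:spfresult and feedback tied to the per-message cookie. The class and function names, the scoring formula and both thresholds are assumptions made for illustration; only the ham/spam counts used in the checks come from the post.

```python
import secrets
from collections import defaultdict

REJECT_SCORE = -50      # assumed threshold, not from the post
MIN_OBSERVATIONS = 5    # assumed minimum history before acting on a score


class ReputationStore:
    """In-memory ham/spam history keyed by (domain, SPF result)."""

    def __init__(self):
        self.counts = defaultdict(lambda: {"ham": 0, "spam": 0})
        self.pending = {}   # cookie -> key still awaiting feedback

    def query(self, domain, spf_result):
        """Return (cookie, score, observations) for an incoming message."""
        key = (domain.lower(), spf_result.lower())
        cookie = secrets.token_urlsafe(16)
        self.pending[cookie] = key
        c = self.counts[key]
        total = c["ham"] + c["spam"]
        # Stand-in score in [-100, 100]; this is not the GOSSiP formula.
        score = 0.0 if total == 0 else 100.0 * (c["ham"] - c["spam"]) / total
        return cookie, score, total

    def feedback(self, cookie, is_spam):
        """Record the verdict for a queried message; each cookie counts once."""
        key = self.pending.pop(cookie, None)
        if key is None:
            return False    # unknown or already-used cookie: ignore it
        self.counts[key]["spam" if is_spam else "ham"] += 1
        return True


def decide(score, observations):
    """REJECT only when the history is both bad and large enough."""
    if observations >= MIN_OBSERVATIONS and score <= REJECT_SCORE:
        return "REJECT"
    return "ACCEPT"


def replay(store, domain, spf_result, ham, spam):
    """Feed a constructed message history through query and feedback."""
    for is_spam in [False] * ham + [True] * spam:
        cookie, _, _ = store.query(domain, spf_result)
        store.feedback(cookie, is_spam)
```

Because the key includes the SPF result, a bad history for a domain under neutral leaves the same domain under pass untouched, and a cookie that is unknown or already consumed cannot move any count.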