
Mailing List Archive: SPF: Discuss

limit ip-range for "pass" elements

 

 



libspf2.org at wojtus

Nov 7, 2009, 11:45 AM

Post #1 of 4 (1580 views)
limit ip-range for "pass" elements

Hello,

Sometimes I meet badly configured SPF entries for domains, which
contain "+all" elements. I've also met a domain with an entry like
this:

ip4:0.0.0.0/2 ip4:64.0.0.0/2 ip4:128.0.0.0/2 ip4:192.0.0.0/2

Looks like spammers are using such domains (or maybe even creating
them) to get extra anti-spam scores for their mailings.

I think some countermeasures might be introduced into libspf.

My concept is a configurable limit for class bits (e.g. 16, 20 bits)
which would transfer the "pass" element to "neutral" state if the IP
class size is exceeded.


--
Wojtuś.net


-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/

Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com


scott at kitterman

Nov 7, 2009, 11:55 AM

Post #2 of 4 (1513 views)
Re: limit ip-range for "pass" elements

On Sat, 7 Nov 2009 20:45:25 +0100 Wojciech Scigala <libspf2.org [at] wojtus>
wrote:
>Hello,
>
>Sometimes I meet badly configured SPF entries for domains, which
>contain "+all" elements. I've also met a domain with an entry like
>this:
>
>ip4:0.0.0.0/2 ip4:64.0.0.0/2 ip4:128.0.0.0/2 ip4:192.0.0.0/2
>
>Looks like spammers are using such domains (or maybe even creating
>them) to get extra anti-spam scores for their mailings.
>
>I think some countermeasures might be introduced into libspf.
>
>My concept is a configurable limit for class bits (e.g. 16, 20 bits)
>which would transfer the "pass" element to "neutral" state if the IP
>class size is exceeded.
>
I think you are attacking the problem from the wrong end.

I think you should take note of such domains and mark all mail from them as
bad. This should be done at the application level, not in the library.

It's a good thing the spammers are telling you about a bad domain.

Scott K




libspf2.org at wojtus

Nov 7, 2009, 12:25 PM

Post #3 of 4 (1514 views)
Re: limit ip-range for "pass" elements

On Sat, Nov 07, 2009 at 02:55:30PM -0500, Scott Kitterman wrote:

> I think you should take note of such domains and mark all mail from them as
> bad. This should be done at the application level, not in the library.
>
> It's a good thing the spammers are telling you about a bad domain.
Well, I don't think that's a good approach. Firstly, that would need
a double, independent checking of SPF record (by libspf and
application). Secondly, numbers of these domains are hard to
estimate and maybe it would need a RBL-like solution.

Also, keep in mind that a spammer does not need to have any access
to the domain to abuse its wrong SPF code.


--
Wojtuś.net




scott at kitterman

Nov 7, 2009, 12:33 PM

Post #4 of 4 (1516 views)
Re: limit ip-range for "pass" elements

On Sat, 7 Nov 2009 21:25:17 +0100 Wojciech Scigala <libspf2.org [at] wojtus>
wrote:
>On Sat, Nov 07, 2009 at 02:55:30PM -0500, Scott Kitterman wrote:
>
>> I think you should take note of such domains and mark all mail from them as
>> bad. This should be done at the application level, not in the library.
>>
>> It's a good thing the spammers are telling you about a bad domain.
>Well, I don't think that's a good approach. Firstly, that would need
>a double, independent checking of SPF record (by libspf and
>application). Secondly, numbers of these domains are hard to
>estimate and maybe it would need a RBL-like solution.
>
>Also, keep in mind that a spammer does not need to have any access
>to the domain to abuse its wrong SPF code.
>
True, but it takes DNS access to publish such a record, so that's probably
good enough for me.

Scott K
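
Added example, not part of the thread or of libspf2: a Python sketch of the two approaches discussed above, flagging over-broad pass terms at the application level (`audit_record`) and downgrading a pass to neutral when the matching term exceeds a configurable prefix limit (`limit_pass`). The function names, the default limits and the assumption that the caller knows which term produced the pass are all hypothetical.

```python
import ipaddress

# Assumed defaults for the configurable limit; the names are hypothetical.
MIN_V4_PREFIX = 16   # an ip4 pass term shorter than /16 is treated as too broad
MIN_V6_PREFIX = 32   # assumed IPv6 counterpart, not taken from the thread


def is_too_broad(term, min_v4=MIN_V4_PREFIX, min_v6=MIN_V6_PREFIX):
    """True if an SPF term would give 'pass' to an overly large address range."""
    qualifier = term[0] if term[0] in "+-~?" else "+"   # default qualifier is "+"
    if qualifier != "+":
        return False                     # only terms that yield 'pass' matter
    name, _, arg = term.lstrip("+").partition(":")
    name = name.lower()
    if name == "all":
        return True                      # "+all" (or bare "all") passes every sender
    if name not in ("ip4", "ip6") or not arg:
        return False                     # a, mx, include and modifiers need DNS
    try:
        net = ipaddress.ip_network(arg, strict=False)
    except ValueError:
        return False                     # malformed term, left to the SPF parser
    if net.version != (4 if name == "ip4" else 6):
        return False                     # e.g. an IPv6 network under ip4:
    return net.prefixlen < (min_v4 if name == "ip4" else min_v6)


def audit_record(record, **limits):
    """Application-level check: list the over-broad pass terms of a record."""
    return [t for t in record.split()[1:] if is_too_broad(t, **limits)]


def limit_pass(result, matched_term, **limits):
    """Library-level idea: turn 'pass' into 'neutral' for a too-broad match."""
    if result == "pass" and is_too_broad(matched_term, **limits):
        return "neutral"
    return result


# Constructed sample records; the ip4 terms in the first are those quoted above.
SAMPLES = [
    "v=spf1 ip4:0.0.0.0/2 ip4:64.0.0.0/2 ip4:128.0.0.0/2 ip4:192.0.0.0/2 -all",
    "v=spf1 ip4:192.0.2.0/24 +all",
    "v=spf1 ip4:192.0.2.0/24 mx -all",
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(audit_record(rec), "<-", rec)
```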


