SPF

Matt Kettler mkettler at EVI-INC.COM
Tue Aug 10 21:19:00 IST 2004


<x-flowed>
At 03:06 PM 8/10/2004, Hirsh, Joshua wrote:
> > 2. MailScanner gets message from Sendmail, passes message to SpamAssassin
> > for processing. SpamAssassin checks SPF records, assign arbitrary negative
> > number (say, -2.0) if SPF records check out ok, otherwise process as
> > usual.

>  Personally, I wouldn't assign a negative value to any email with a proper
>SPF record. It's still very easy for a spammer to set up a domain and publish
>SPF records that make all addresses valid. If that happened, the message
>would hit your server and possibly make it through unscathed because of the
>added negative value.

True, but you're still forcing the spammer to actually set up and use a
domain name instead of joe-jobbing a yahoo.com user in order to gain
benefit from this.

It's also very easy to block these malicious domains, so the spammer would
have to treat them as entirely disposable. Once he/she used it, people
would catch on and blacklist the domain. If the spammer re-used the domain
on a second run, the drawbacks would greatly outweigh the benefits as a
large quantity of the mail will be easily blocked.

Domains are cheap, but they aren't free. Eventually the "register a new
domain for every spam run" is going to eat away at their bottom line in
terms of time and money. This is actually a very valuable way of beating
spammers... slowly grind away at their profits until they give up.

It's also very easy to adjust the SPF code to ignore any entire-world
wildcard SPF records, or even check for such things and give it a negative
score, making their work a bit harder.

That and you aren't talking about a particularly large negative score here.
Most FPs I've seen are quite close to 5.0 in score. Most spams are way
over and wouldn't become FNs from a small (-2.0) negative scoring rule.

Of course, SA 3.0 has this by default, but the negative score is tiny; it's
set to -0.001 in 3.0-rc4. So Alex can get his #2 approach out-of-the-box
with SA 3.0 by adding a score line for SPF_PASS to his local.cf:

         score SPF_PASS -2.0

(I myself might opt to do this with a more conservative -1.0 or so)

</x-flowed>
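Added example, not part of the original message and not SpamAssassin's own SPF code: a sketch of the check described above for entire-world SPF records, flagging a record whose first always-matching term yields Pass. The function name world_pass_term and the sample records are constructed for illustration; include: and redirect= targets are not resolved, so only the record's own all, ip4 and ip6 terms are examined.

```python
import ipaddress
import re

# Constructed sample TXT records (example domains, not real data).
SAMPLES = {
    "strict.example": "v=spf1 ip4:192.0.2.0/24 mx -all",
    "plusall.example": "v=spf1 +all",
    "bareall.example": "v=spf1 a all",
    "slashzero.example": "v=spf1 ip4:0.0.0.0/0 -all",
    "v6zero.example": "v=spf1 ip6:::/0 ~all",
    "softfail.example": "v=spf1 include:_spf.example.net ~all",
}

TERM = re.compile(r"([A-Za-z][A-Za-z0-9_.-]*)([:=/]?)(.*)")


def world_pass_term(record):
    """Return the term that yields Pass for every sender IP, or None."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None  # not an SPF version 1 record
    for term in terms[1:]:
        # A mechanism may carry a qualifier; the default is "+" (Pass).
        qualifier = term[0] if term[0] in "+-~?" else "+"
        m = TERM.fullmatch(term.lstrip("+-~?"))
        if not m or m.group(2) == "=":
            continue  # malformed term or a modifier (redirect=, exp=)
        name, sep, arg = m.group(1).lower(), m.group(2), m.group(3)
        if name == "all":
            # "all" always matches, so evaluation stops here either way.
            return term if qualifier == "+" else None
        if name in ("ip4", "ip6") and sep == ":" and qualifier == "+":
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                continue  # unparsable network, leave it to the SPF library
            if net.prefixlen == 0:
                return term  # /0 covers the whole address family
    return None


if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        hit = world_pass_term(record)
        print(f"{domain:20} {'WORLD-PASS via ' + hit if hit else 'ok'}")
```

Note that a bare "all" with no qualifier is treated the same as "+all", because the default qualifier in SPF is Pass.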