OT: SPF comments requested

Mark Nienberg mark at TIPPINGMAR.COM
Sat Dec 18 19:05:14 GMT 2004


Steve Campbell wrote:

>I'm not sure if the SPF thing is something all of us should be dealing with
>_now_, but if we all should be updating our DNS records, I'd like to hear
>about some ideas from the list. I have gleaned as much as I can absorb from
>all of the different sites required to explore implementing SPF, and I'm
>still not sure how to use it other than setting up my DNS so others can use
>it.
>
>As I understand this, I have many options on how to use it for our
>protection. Much like RBLs, I can set this up in Sendmail, or use the SPF
>functions of SA, and probably a few more. And the same reasons for deciding
>this are basically the same as for using RBLs.
>
>If anyone would like to comment to me off-list to keep the clutter out of
>the archives, I would really like to hear opinions, experiences, and any
>other words of wisdom about the best way to implement this SPF thing and its
>current importance. Such things as "Are the SA modules really sufficient for
>blocking", and the like would be along the lines I require.
>
>
OK. I'm opinionated.

Roughly in order of importance:

1. Publish an SPF record for your domain.  This will allow me to reject
mail from spammers claiming to be you.
2. Upgrade to the latest MailScanner.  It has a bugfix related to SPF
checks.
3. Watch your logs, etc. to see if you are receiving legitimate mail
from your regular correspondents with SPF_FAIL.  If so, contact the
admins of those domains so they can correct their problems.
4. Once you have some confidence in it, increase the score of SPF_FAIL
in SpamAssassin.  In my experience, it is ridiculously low by default,
and I see a much higher correlation between SPF_FAIL and spam than the
SA developers see in their test spam corpus.  I also expect it to
continue rising as more admins deploy it and correct their errors.
5. Eventually, maybe move to a system of rejecting mail at the MTA level.

Note that step 1 above requires that you know where all of your mail
originates.  If you have roaming users or home workers, etc., you need
to set up a way for them to send mail through one of your approved
servers.  You don't want them sending through their ISPs with your
domain as the envelope, or their messages may be rejected at the
recipients' servers.

If an e-mail administrator publishes an SPF record with "-all" in it, he
or she is telling you to reject mail that claims to come from his or her
domain, unless it comes from one of the approved servers.  So I think we
should do just that.

Mark Nienberg
