OT: SPF was Re: Annoying!!! [ + dns lookups]

Ken A ka at pacific.net
Wed Nov 22 16:07:34 GMT 2006

Steve Freegard wrote:
> Brent Addis wrote:
>> Many companies drop email coming from hosts that aren't listed as an 
>> address in a valid spf record, so they don't bounce back to you. Of 
>> course they still accept mail without any spf record assigned to it, 
>> but i'm sure that'll stop oneday.
>> http://www.openspf.org/wizard.html?mydomain=&x=0&y=0 has a wizard for 
>> it. It gets inserted into your dns records.
> Let me go on record saying that I *hate* that wizard...
> It defaults records to ~all (if SPF record doesn't match return 
> SOFTFAIL) or ?all (if SPF record doesn't match return NEUTRAL), it does 
> *not* give the option of -all (if SPF record doesn't match return FAIL) 
> at all.
> The only time you can *safely* reject mail at SMTP time is if the SPF 
> result == Fail (-all), all other states e.g. softfail, neutral and pass 
> are only useful for more expensive content checking such as SpamAssassin...
> SPF Pass - can be useful when used with 'other' tests, although I've 
> seen a lot of spam domains set-up SPF records with a '+all' (return Pass 
> if the SPF record doesn't match) that try and take advantage of this. 
> Because I think '+all' is both useless and evil, I downgrade this to 
> 'Neutral' on my systems...
>> Be warned though, if you have remote users, they will have to use a 
>> server within your spf realm for sending mail.
> Yes - especially true if you set -all or ~all in your SPF record, if you 
> use ?all then it really doesn't matter.
>> I would recommend turning off the catchall too.
> Yes - catch-alls are evil.
> On my spam trap I set a SPF record of 'v=spf1 mx -all' and reject any 
> SPF fail at SMTP time, currently I don't get brilliant results with 
> this, but I do get some:
> Out of 49,630 senders - 1,331 were rejected due to SPF fail, most of 
> these I suspect were due to spammers trying to send in junk by forging 
> my own domain.  These numbers might be higher if I reduced some of the 
> other pre-DATA rejections on this box.
> Cheers,
> Steve.

Careful with spf. We do a lot of dns lookups for every piece of spam. 
Spammers control the lookups to some extent and the more lookups your 
systems do, and the kind of lookups they do, the more popular a 
reflector/amplifier you are for DNS based attacks.
Have a nice, safe, Happy Thanksgiving! :-)
Ken A

More information about the MailScanner mailing list