Ruleset to lock domain to IP address

Matt Kettler mkettler at evi-inc.com
Wed Oct 25 23:12:36 IST 2006


Glenn Steen wrote:
> On 25/10/06, Pravin Rane <pravin.rane at gmail.com> wrote:
>> Use SPF :)
>>

SPF is useless for the original poster's problem. He's worried about limiting
the source of all mail TO a domain.

SPF is useful for limiting the source of all mail that claims to be FROM a domain.


> .... I'm not sure I like SPF anymore... Or rather, the same tired old
> thing... Bad admin (decisions) defeating its purpose. Like when UBS
> has this unmoderated and (obviously) unprotected mailing-list (open
> for anyone to use), that is protected by SPF... Sigh.
> 

What's wrong with that?

Anyone who expects SPF to be a spam control measure is doomed to be
disappointed, probably in short order. It's a forgery control technology, not a
spam control technology. Period.

As you've seen, anyone can create a giant "SPF hole", either by SPFing an
unmoderated list, or by just creating an SPF record that passes everything. But
that's OK. This doesn't break the purpose of SPF.

The purpose of SPF isn't to identify "good" messages, it's just to rule some of
them as "definitely bad" (ie: forged).

In the general case, there's nothing about passing SPF that tells you anything
useful you can act on. ie: you can't consider a message that passed SPF to be
nonspam, or even less likely to be spam, and you should treat it the same as any
other message.

Only failing SPF is useful enough to act on. At that point you know the owner of
the domain believes this message is forged and not properly sent by an
authorized host for his domain.

So really when interpreting SPF by itself, you should treat "pass" more-or-less
the same as "no record at all". (And this is why SA handles it as such. -0.001
for SPF_PASS is little different from 0 for no record.)

Now, if you truly trust a particular domain, then you can trust their SPF. So
for these cases, you can do things like use SA's whitelist_from_spf on them. But
you'd never be able to do this in any kind of general sense. Any spammer could
exploit it by creating a "pass all" SPF record.

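An added example, not from the post or from SpamAssassin/MailScanner, that makes the argument above concrete: a minimal SPF evaluator (ip4/ip6 and "all" mechanisms only) run against two constructed records, a strict one and a "pass all" one, plus a scoring helper that treats only "fail" as actionable. The score weights other than the -0.001 quoted in the post are constructed values, not SA's real ones.

```python
import ipaddress

# Minimal SPF check covering only the ip4/ip6 and "all" mechanisms
# (include/a/mx/redirect are deliberately not handled).
# Returns one of "pass", "fail", "softfail", "neutral", "none".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, sender_ip):
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"                      # no SPF record published
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier, mech = "+", term        # default qualifier is "+"
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]   # "all" matches any sender
        if name in ("ip4", "ip6") and arg:
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"                       # RFC 7208 default when nothing matched

def spf_score(result, sender_domain, trusted_spf_domains=()):
    """Score contribution in the spirit of the post: only 'fail' is worth
    acting on; 'pass' is scored like 'none' unless the domain is one you
    explicitly trust (the whitelist_from_spf case)."""
    if result == "fail":
        return 3.0                         # constructed weight
    if result == "pass":
        if sender_domain in trusted_spf_domains:
            return -100.0                  # constructed whitelist effect
        return -0.001                      # the SPF_PASS value quoted in the post
    return 0.0                             # none / neutral / softfail: nothing to act on

# Constructed records and addresses (RFC 5737 documentation ranges).
STRICT = "v=spf1 ip4:192.0.2.0/24 -all"
PASS_ALL = "v=spf1 +all"                   # the "pass all" hole a spammer can publish

def demo():
    return {
        "legit":    check_spf(STRICT, "192.0.2.10"),      # pass
        "forged":   check_spf(STRICT, "198.51.100.7"),    # fail
        "hole":     check_spf(PASS_ALL, "198.51.100.7"),  # pass, but tells you nothing
        "norecord": check_spf(None, "198.51.100.7"),      # none
    }
```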