Dave Anderson wrote:
On Wed, 22 Apr 2009, jared r r spiegel wrote:
On Thu, Apr 23, 2009 at 12:30:28AM +0000, Stuart Henderson wrote:
I see a tiny little problem with this method... sometimes people send
spam from domains whose DNS they control.
+1
i think part of the success i experience using SPF as a means to create
whitelists is in the fact that i maintain the list of domains i fancy
whitelisting. unfortunately, it would be trivial for someone to take
advantage of an spf-based automatic whitelist to slip right on thru
spamd(8).
it's a pisser.
What might make sense is to alter the script to generate a list of
candidates for whitelisting, but only apply any of them after they are
manually approved.
Or maybe to allow it to actually have a list that the script could check
against to make the changes, which would achieve the user's intended
results and at the same time eliminate the possibility of having one
domain adding its own records if that's not restricted.
Like you could create a google.com in the list and that would allow
connections from google being automatically added via the SPF records,
but no others would unless you manually add their name to the allow auto
extension of the SPF name list.
Just a thought, not sure it's the best idea, but that's one way to keep
it automatic like it's intended to be used.
Daniel
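
The restriction discussed in this thread, as an added example that is not part of the thread or of the original script: SPF records are expanded into whitelist networks only for domains on a hand-maintained approved list, and every other domain is returned as a candidate for manual review. The function names, the `APPROVED` set and the `SAMPLE_TXT` records (constructed data standing in for live DNS TXT lookups) are assumptions.

```python
import ipaddress

# Constructed sample SPF TXT records standing in for live DNS lookups.
SAMPLE_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.com -all",
    "_spf.example.com": "v=spf1 ip4:198.51.100.0/25 ip6:2001:db8::/32 ~all",
    "spammer.example": "v=spf1 ip4:203.0.113.0/24 +all",
}

# Hand-maintained list: only these domains may feed the whitelist automatically.
APPROVED = {"example.com"}

def spf_networks(domain, lookup, depth=0, seen=None):
    """Collect ip4/ip6 networks from a domain's SPF record, following include:."""
    seen = set() if seen is None else seen
    if domain in seen or depth > 10:      # guard against include loops
        return set()
    seen.add(domain)
    record = lookup(domain)
    if not record or not record.lower().startswith("v=spf1"):
        return set()
    nets = set()
    for term in record.split()[1:]:
        if term[0] in "-~?":              # only pass-qualified terms name senders
            continue
        key, _, value = term.lstrip("+").partition(":")
        key = key.lower()
        if key in ("ip4", "ip6"):
            try:
                nets.add(ipaddress.ip_network(value, strict=False))
            except ValueError:            # malformed address: ignore the term
                continue
        elif key == "include":
            # Includes are followed because the approved domain vouches for them.
            nets |= spf_networks(value.lower(), lookup, depth + 1, seen)
    return nets

def build_whitelist(candidates, approved, lookup):
    """Return (sorted whitelist networks, domains held back for manual review)."""
    entries, held = set(), []
    for domain in candidates:
        domain = domain.lower()
        if domain not in approved:        # a sender's own DNS never self-approves
            held.append(domain)
            continue
        entries |= spf_networks(domain, lookup)
    return sorted(str(n) for n in entries), held

if __name__ == "__main__":
    print(build_whitelist(["example.com", "spammer.example"], APPROVED, SAMPLE_TXT.get))
```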