Very aware spammers can create their own domains and SPF records. They
can do essentially the same thing with any anti spam measures. And I have
seen a number of them do just that, an SPF record of the entire IPv4 address
space (0.0.0.0/0). But guess what, every one of them has been in an RHSBL.
The fact it prevents them from using just any ol' domain instead of their own
makes it extremely quick and easy for them to get detected and added into
the RHSBLs.
Requiring an SPF record to publish a domain's authorized MTAs is very
effective.
--------------------------------------------------
From: "Stan Hoeppner" <s...@hardwarefreak.com>
Sent: Sunday, July 04, 2010 10:58 PM
To: <postfix-users@postfix.org>
Subject: Re: Postfix.org SPF
junkyardma...@verizon.net put forth on 7/4/2010 9:53 PM:
What is stupid is to be so opposed to anti spam tools that have no
significant downside.
The problem is it has no significant upside either, which is why most sites
don't use it as an anti spam measure. Since spammers can simply create an SPF
record for their domains such as this
"v=spf1 +all"
a simple "does it have an SPF record" check does nothing to stop the spam,
since the above SPF string says every internet address is allowed to send mail
on behalf of the domain. So you then must implement some script or code to
actually parse the SPF record in an effort to figure out if it's a spammer
domain or not. So you parse out "+all" and reject mail from domains having
that string. Then the botnet spammers do something sinisterly creative
like this
"v=spf1 ip4:1.0.0.0/8 ip4:2.0.0.0/8 ip4:223.0.0.0/8 [...] -all"
which again allows every IP address to send on behalf of the spammer domain
but makes it pretty much impossible to parse and apply rules that firmly
identify it as a spammer domain. Spammers may use something similar but with
more clever CIDR notation that doesn't break SPF record length rules, etc.
I'm not a spammer and have never crafted such a string, but it is possible,
and some do it.
Now you are absolutely screwed, unless you want to waste the thousands of man
hours required to write code to parse these types of records and make an
_accurate_ "spammer domain" determination based on these complex SPF records.
You are obviously a newbie when it comes to SPF as a spam fighting tool, or
spam fighting in general, or you'd have already known these things. There are
far more effective anti-spam tools available that are much less error prone,
and require far less custom coding to make them work effectively. I've been
heavily involved in spam fighting for a few years now, and I've yet to hear of
an effective SPF based spam fighting tool. No seasoned SAs I've run into are
evangelizing SPF, but the opposite.
If you'd like to further your spam fighting education, I direct you to Google,
NANAE, and spam-l. For every one newbie proponent of SPF as an A/S tool,
you'll find 999 seasoned SAs who don't and won't use it as an A/S tool.
Amongst seasoned SAs you will find some that use the existence of an SPF
record for _scoring only_ in SpamAssassin, but that's about the extent of its
use as an A/S tool.
--
Stan
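
Added example, not part of either message above: one way to measure how much of the IPv4 address space a record's literal `ip4` and `all` mechanisms give a pass result, so that `+all`, `0.0.0.0/0` and an enumeration of /8 blocks are all scored the same way. The function names and the sample record are constructed for illustration; mechanisms that need DNS lookups (`a`, `mx`, `include`, `redirect` and so on) are assumed out of scope and skipped, so the result is a lower bound.

```python
import ipaddress

TOTAL_IPV4 = 2 ** 32

def _uncovered(start, end, decided):
    """Parts of [start, end] not inside the sorted, disjoint intervals in decided."""
    free = []
    for d_start, d_end in decided:
        if d_end < start or d_start > end:
            continue
        if d_start > start:
            free.append((start, d_start - 1))
        start = d_end + 1
    if start <= end:
        free.append((start, end))
    return free


def spf_ipv4_pass_fraction(record):
    """Fraction of IPv4 space that literal ip4/all mechanisms evaluate to 'pass'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    decided, passed = [], 0
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "all":
            start, end = 0, TOTAL_IPV4 - 1
        elif name == "ip4" and arg:
            net = ipaddress.IPv4Network(arg, strict=False)
            start, end = int(net.network_address), int(net.broadcast_address)
        else:
            continue  # a, mx, include, ip6, modifiers: not evaluated here
        # First match wins: only addresses no earlier mechanism matched count.
        free = _uncovered(start, end, decided)
        if qualifier == "+":
            passed += sum(e - s + 1 for s, e in free)
        decided = sorted(decided + free)
        if name == "all":
            break  # "all" matches everything; later terms are never reached
    return passed / TOTAL_IPV4


if __name__ == "__main__":
    sample = "v=spf1 " + " ".join(f"ip4:{n}.0.0.0/8" for n in range(1, 224)) + " -all"  # constructed
    print(f"{spf_ipv4_pass_fraction(sample):.1%} of IPv4 space passes")
```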