On Sep 13, 2004, at 1:39 PM, Kelson wrote:
You're misunderstanding. The suggestion was to take spam that passed SPF, look for the other servers listed in that SPF record, and add those servers to a blacklist.
1. Spam comes in from dirtbag.tld via mail.dirtbag.tld
2. SPF record for dirtbag.tld lists both mail.dirtbag.tld and mail.yahoo.com as valid senders (even though they can't actually send through Yahoo): "v=spf1 a:mail.dirtbag.tld a:mail.yahoo.com -all"
3. Your mail server recognizes that (a) it's spam, and (b) it passes SPF.
4. As per the original suggestion, you check that SPF record for blacklist material, and you add mail.dirtbag.tld and mail.yahoo.com to your blacklist.
5. Next time mail comes in from mail.yahoo.com, it's blocked.
Of course, there's no reason for spammers to put bogus info in their SPF records *unless* people do this, since if people use it as designed, it won't gain them anything. Although I can see them just putting up "v=spf1 +all" at least short-term so that they can use their usual zombie networks, though at least they'd have to use their own addresses and deal with the bounces themselves.
Kindest regards,
Ron
"What shall we do? What shall we do?" he cried, "Escaping goblins to be caught by wolves!" - Bilbo Baggins
The Hobbit by J. R. R. Tolkien http://www.apple.com/trailers/newline/returnoftheking/trailer_large.html
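The scenario in steps 1-5 above, as an added example that is not part of the original message: a small SPF parser that separates the host that actually delivered the spam from hosts the record merely names, so a blacklist built from spam that passed SPF cannot be poisoned with a third party's server, and that flags a "+all" record. The function names are hypothetical, and the sketch assumes hostnames are compared directly rather than resolved to IP addresses, so that it runs offline.

```python
# Added example: parse an SPF record and split the hosts it names into
# "observed sending the spam" and "merely claimed by the record's publisher".
QUALIFIERS = "+-~?"

def parse_spf(record):
    """Return [(qualifier, mechanism, value)] for a v=spf1 record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        if "=" in term and ":" not in term.split("=", 1)[0]:
            continue  # modifier such as redirect= or exp=, not a mechanism
        qualifier = "+"  # SPF default when no qualifier is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        parsed.append((qualifier, name.lower(), value.lower()))
    return parsed

def allows_any_sender(record):
    """True when a passing 'all' makes every host a valid sender."""
    return any(q == "+" and m == "all" for q, m, _ in parse_spf(record))

def blacklist_candidates(record, connecting_host):
    """Split the record's a: hosts into (observed, claimed_only).

    Only the host that delivered the spam is evidence. Every other name in
    the record is an unverified assertion by whoever published the record.
    Assumption: hostnames are compared as strings, with no DNS lookups.
    """
    host = connecting_host.lower()
    named = [v for q, m, v in parse_spf(record) if q == "+" and m == "a" and v]
    observed = [h for h in named if h == host]
    claimed_only = [h for h in named if h != host]
    return observed, claimed_only

# Record quoted in step 2 above; the connecting host is the one from step 1.
RECORD = "v=spf1 a:mail.dirtbag.tld a:mail.yahoo.com -all"

if __name__ == "__main__":
    observed, claimed = blacklist_candidates(RECORD, "mail.dirtbag.tld")
    print("blacklist:", observed)
    print("ignore (unverified claim):", claimed)
    print("accepts any sender:", allows_any_sender("v=spf1 +all"))
```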