On 23/08/12 04:31, Kevin A. McGrail wrote:
> On 8/22/2012 8:33 PM, Ned Slider wrote:
>> So if I hit all mail claiming to be sent from fedex.com that fails SPF
>> I can easily weed out all the fakes:
>>
>> # Fedex
>> header __LOCAL_FROM_FEDEX Return-Path:addr =~ /\@fedex\.com$/i
>> meta LOCAL_SPF_FEDEX ((SPF_SOFTFAIL || SPF_FAIL) && __LOCAL_FROM_FEDEX)
>> describe LOCAL_SPF_FEDEX Fedex SPF Fail
>>
>> and if I want to make sure all the legit fedex mail gets through I can
>> further whitelist mail from fedex that passes SPF
>>
>> whitelist_from_spf *@fedex.com
>> whitelist_from_spf *@*.fedex.com
>>
>> and that will virtually guarantee all the spam/viruses claiming to be
>> from fedex are blocked and all the legitimate mail from fedex gets
>> through. It's no different with banks.
>>
>> However, this approach doesn't scale particularly well. It's OK for 10
>> or 20 domains, but for many more it would be far easier to manage
>> using a plugin.
> So really what you want is a plugin that can take a list of domains that
> we've verified support SPF using -all and make that a stronger score?
>
> Regards,
> KAM
I guess what we are looking for is a plugin that can take a list of
commonly abused domains known to have valid SPF records or valid DKIM
signatures, and to be able to apply a (stronger) score to those messages
that fail the SPF and/or DKIM test.
If it were a plugin then those using email forwarding that breaks SPF
and/or DKIM could easily disable the plugin making the system easy to
manage.
IMHO, talking SPF, it doesn't really matter if it's -all or ~all (hard
or soft fail), here SA isn't making a policy judgement but rather
creating a set of rules that differentiate spam from ham, or in this
case attempting to differentiate mail that really is sent from paypal et
al versus that which isn't (I'm struggling for the correct terminology
here as it really isn't spam vs ham as we really don't care if it's
solicited mail or not, just that it's genuinely sent not fraudulently
sent). In much the same way as SA currently scores SPF_NEUTRAL >
SPF_SOFTFAIL > SPF_FAIL which is the logical reverse of what the policy
suggests, but that is what the corpus scoring model says is more effective.
So just as with the above, the plugin rule should look to be a good
indicator of spam/abuse/fraud/phish or whatever you care to call it
versus mail genuinely sent from these domains.
As an example, paypal.com uses ~all, but I'm going to treat that as a
FAIL in SA the same as I would treat -all.
I guess it comes down to looking closely at a list of domains and
deciding if there is evidence:
(a) that they are commonly abused
and
(b) that they have an SPF and/or DKIM policy that we can leverage to
differentiate legitimate mail from abuse
at which point they would make a suitable candidate for inclusion on the
plugin's list of domains.
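The scaling problem Ned raises (hand-writing one rule block per domain) and the plugin he sketches (a list of commonly abused domains plus a stronger score when SPF or DKIM fails for them) can both be approximated with a small generator. The script below is an added example, not code from the thread or from the SpamAssassin project: it emits the same `header`/`meta`/`describe`/`whitelist_from_spf` block Ned posted for every domain in a list, treating `SPF_SOFTFAIL` like `SPF_FAIL` as Ned proposes, and mirrors the meta logic in Python so the result for a given Return-Path and set of hit rules can be checked. The domain list, its `spf`/`dkim` flags, the `fail_score` of 5.0, the rule names (`LOCAL_SPF_<DOMAIN>`, `LOCAL_DKIM_<DOMAIN>`) and the use of `DKIM_INVALID` as the DKIM "fail" rule are all assumptions of this example.

```python
import re

# Constructed list of commonly abused domains and which authentication
# results their published policy lets a local rule lean on (assumed values).
ABUSED_DOMAINS = {
    "fedex.com": {"spf": True, "dkim": False},
    "paypal.com": {"spf": True, "dkim": True},
}

# Softfail (~all) is scored exactly like hardfail (-all), as proposed above.
SPF_FAIL_RULES = ("SPF_SOFTFAIL", "SPF_FAIL")
# Assumed DKIM "fail" signal: a signature is present but does not verify.
DKIM_FAIL_RULES = ("DKIM_INVALID",)


def domain_tag(domain):
    """Turn 'paypal.com' into 'PAYPAL_COM' for use inside a rule name."""
    return re.sub(r"[^A-Z0-9]", "_", domain.upper())


def generate_rules(domains, fail_score=5.0):
    """Emit one SpamAssassin rule block per domain, in the shape Ned hand-wrote."""
    lines = []
    for domain, policy in sorted(domains.items()):
        tag = domain_tag(domain)
        sub = "__LOCAL_FROM_%s" % tag          # leading __ marks a sub-rule
        lines.append("# %s" % domain)
        lines.append("header %s Return-Path:addr =~ /\\@%s$/i"
                     % (sub, re.escape(domain)))
        if policy.get("spf"):
            name = "LOCAL_SPF_%s" % tag
            lines.append("meta %s ((%s) && %s)"
                         % (name, " || ".join(SPF_FAIL_RULES), sub))
            lines.append("describe %s %s SPF Fail" % (name, domain))
            lines.append("score %s %.1f" % (name, fail_score))
            # Let genuine mail that passes SPF through, as in the thread.
            lines.append("whitelist_from_spf *@%s" % domain)
            lines.append("whitelist_from_spf *@*.%s" % domain)
        if policy.get("dkim"):
            name = "LOCAL_DKIM_%s" % tag
            lines.append("meta %s ((%s) && %s)"
                         % (name, " || ".join(DKIM_FAIL_RULES), sub))
            lines.append("describe %s %s DKIM Fail" % (name, domain))
            lines.append("score %s %.1f" % (name, fail_score))
        lines.append("")
    return "\n".join(lines)


# Domain part of a Return-Path value such as '<bounce@paypal.com>'.
_ADDR_DOMAIN = re.compile(r"@([^@>\s]+)>?\s*$")


def evaluate(return_path, hits, domains):
    """Mirror the generated meta rules: which LOCAL_* rules would fire for a
    message with this Return-Path and this set of already-hit SA rule names."""
    m = _ADDR_DOMAIN.search(return_path)
    if not m:
        return []
    policy = domains.get(m.group(1).lower())
    if not policy:
        return []                       # not on the abused-domain list
    hits = set(hits)
    tag = domain_tag(m.group(1).lower())
    fired = []
    if policy.get("spf") and hits & set(SPF_FAIL_RULES):
        fired.append("LOCAL_SPF_%s" % tag)
    if policy.get("dkim") and hits & set(DKIM_FAIL_RULES):
        fired.append("LOCAL_DKIM_%s" % tag)
    return fired


if __name__ == "__main__":
    print(generate_rules(ABUSED_DOMAINS))
```

Running the script prints a file suitable for dropping into `local.cf`; because every rule block is derived from one table, adding a domain means adding one line to the table rather than copying four or six rule lines by hand, and forwarding-heavy sites can skip the generated file entirely, which is the "easy to disable" property Ned asks for.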