From: Stan Hoeppner on 5 Jul 2010 01:58

JunkYardMail1(a)Verizon.net put forth on 7/4/2010 9:53 PM:
> What is stupid is to be so opposed to anti spam tools that have no
> significant downside.

The problem is it has no significant upside either, which is why most sites don't use it as an anti spam measure. Since spammers can simply create an SPF record for their domains such as this

"v=spf1 +all"

a simple "does it have an SPF record" check does nothing to stop the spam, since the above SPF string says every internet address is allowed to send mail on behalf of the domain. So you then must implement some script or code to actually parse the SPF record in an effort to figure out if it's a spammer domain or not. So you parse out "+all" and reject mail from domains having that string. Then the botnet spammers do something sinisterly creative like this

"v=spf1 ip4:1.0.0.0/8 ip4:2.0.0.0/8 ip4:223.0.0.0/8 [...] -all"

which again allows every IP address to send on behalf of the spammer domain but makes it pretty much impossible to parse and apply rules that firmly identify it as a spammer domain. Spammers may use something similar but with more clever CIDR notation that doesn't break SPF record length rules, etc. I'm not a spammer and have never crafted such a string, but it is possible, and some do it.

Now you are absolutely screwed, unless you want to waste the thousands of man hours required to write code to parse these types of records and make an _accurate_ "spammer domain" determination based on these complex SPF records.

You are obviously a newbie when it comes to SPF as a spam fighting tool, or spam fighting in general, or you'd have already known these things. There are far more effective anti-spam tools available that are much less error prone, and require far less custom coding to make them work effectively. I've been heavily involved in spam fighting for a few years now, and I've yet to hear of an effective SPF based spam fighting tool. No seasoned SAs I've run into are evangelizing SPF, but the opposite.

If you'd like to further your spam fighting education, I direct you to Google, NANAE, and spam-l. For every one newbie proponent of SPF as an A/S tool, you'll find 999 seasoned SAs who don't and won't use it as an A/S tool. Amongst seasoned SAs you will find some that use the existence of an SPF record for _scoring only_ in SpamAssassin, but that's about the extent of its use as an A/S tool.

--
Stan

From: JunkYardMail1 on 5 Jul 2010 02:31

What is your objection?

--------------------------------------------------
From: "John Levine" <johnl(a)iecc.com>
Sent: Sunday, July 04, 2010 9:48 PM
To: <postfix-users(a)postfix.org>
Cc: <JunkYardMail1(a)Verizon.net>
Subject: Re: Postfix.org SPF

>>Anyone opposed to the postfix.org domain publishing an SPF record?
>
> Yes. Now, can you go away, please?
>
> R's,
> John, MAAWG senior technical advisor, among other things
>

From: JunkYardMail1 on 5 Jul 2010 02:39

Very aware spammers can create their own domains and SPF records. They can do essentially the same thing with any anti spam measures. And I have seen a number of them do just that, an SPF record of entire IPv4 address space (0.0.0.0/0). But guess what, every one of them has been in an RHSBL. The fact it prevents them from using just any ol domain instead of their own makes it extremely quick and easy for them to get detected and added into the RHSBLs. Requiring an SPF record to publish a domain's authorized MTAs is very effective.

--------------------------------------------------
From: "Stan Hoeppner" <stan(a)hardwarefreak.com>
Sent: Sunday, July 04, 2010 10:58 PM
To: <postfix-users(a)postfix.org>
Subject: Re: Postfix.org SPF

> JunkYardMail1(a)Verizon.net put forth on 7/4/2010 9:53 PM:
>> What is stupid is to be so opposed to anti spam tools that have no
>> significant downside.
>
> The problem is it has no significant upside either, which is why most sites
> don't use it as an anti spam measure. Since spammers can simply create an SPF
> record for their domains such as this
>
> "v=spf1 +all"
>
> a simple "does it have an SPF record" check does nothing to stop the spam,
> since the above SPF string says every internet address is allowed to send
> on behalf of the domain. So you then must implement some script or code to
> actually parse the SPF record in an effort to figure out if it's a spammer
> domain or not. So you parse out "+all" and reject mail from domains having
> that string. Then the botnet spammers do something sinisterly creative
> like this
>
> "v=spf1 ip4:1.0.0.0/8 ip4:2.0.0.0/8 ip4:223.0.0.0/8 [...] -all"
>
> which again allows every IP address to send on behalf of the spammer domain
> but makes it pretty much impossible to parse and apply rules that firmly
> identify it as a spammer domain. Spammers may use something similar but with
> more clever CIDR notation that doesn't break SPF record length rules, etc.
> I'm not a spammer and have never crafted such a string, but it is possible,
> and some do it.
>
> Now you are absolutely screwed, unless you want to waste the thousands of man
> hours required to write code to parse these types of records and make an
> _accurate_ "spammer domain" determination based on these complex SPF
> records.
>
> You are obviously a newbie when it comes to SPF as a spam fighting tool, or
> spam fighting in general, or you'd have already known these things. There are
> far more effective anti-spam tools available that are much less error prone,
> and require far less custom coding to make them work effectively. I've been
> heavily involved in spam fighting for a few years now, and I've yet to hear of
> an effective SPF based spam fighting tool. No seasoned SAs I've run into are
> evangelizing SPF, but the opposite.
>
> If you'd like to further your spam fighting education, I direct you to Google,
> NANAE, and spam-l. For every one newbie proponent of SPF as an A/S tool,
> you'll find 999 seasoned SAs who don't and won't use it as an A/S tool.
> Amongst seasoned SAs you will find some that use the existence of an SPF
> record for _scoring only_ in SpamAssassin, but that's about the extent of its
> use as an A/S tool.
>
> --
> Stan

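Added example, not part of the original thread: the record shapes discussed in the two messages above (`+all`, a list of `ip4:` blocks, and `ip4:0.0.0.0/0`) can be compared by how much of the IPv4 space each one passes. This Python sketch evaluates only literal `ip4:` mechanisms and `all`, left to right with the first match winning; skipping `include`, `a`, `mx`, `redirect` and macros is an assumption of the sketch, so the result is a lower bound, and the function names and sample records are constructed for illustration.

```python
import ipaddress

IPV4_TOTAL = 2 ** 32

def _merge(intervals):
    """Merge half-open integer intervals into a sorted, disjoint list."""
    out = []
    for start, end in sorted(intervals):
        if out and start <= out[-1][1]:
            out[-1] = (out[-1][0], max(out[-1][1], end))
        else:
            out.append((start, end))
    return out

def _uncovered(start, end, seen):
    """Count addresses in [start, end) that no earlier mechanism matched."""
    overlap = sum(max(0, min(end, e) - max(start, s)) for s, e in seen)
    return (end - start) - overlap

def ipv4_pass_fraction(record):
    """Fraction of IPv4 space given 'pass' by ip4:/all terms (hypothetical helper)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    seen, passing = [], 0
    for term in terms[1:]:
        qualifier = "+"                  # the default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = term.lower()
        if name == "all":
            start, end = 0, IPV4_TOTAL
        elif name.startswith("ip4:"):
            net = ipaddress.IPv4Network(term[4:], strict=False)
            start = int(net.network_address)
            end = start + net.num_addresses
        else:
            continue                     # needs DNS or macros: not evaluated (assumption)
        if qualifier == "+":
            passing += _uncovered(start, end, seen)
        seen = _merge(seen + [(start, end)])
        if name == "all":
            break                        # nothing after 'all' is ever reached
    return passing / IPV4_TOTAL

# Constructed samples; the second omits the "[...]" part elided in the thread.
SAMPLES = ["v=spf1 +all", "v=spf1 ip4:1.0.0.0/8 ip4:2.0.0.0/8 ip4:223.0.0.0/8 -all",
           "v=spf1 ip4:0.0.0.0/0 -all", "v=spf1 ip4:192.0.2.0/24 -all"]
if __name__ == "__main__":
    for rec in SAMPLES:
        print(f"{ipv4_pass_fraction(rec):.8f}  {rec}")
```

A receiver that scores on this number would still have to pick its own threshold; the sketch only makes the breadth of a record measurable.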
From: "John R. Dennison" on 5 Jul 2010 02:43

On Sun, Jul 04, 2010 at 11:31:03PM -0700, JunkYardMail1(a)Verizon.net wrote:
> What is your objection?

For the love of $deity *STOP* top-posting. Thank you.

You wanted an objection? There it is.

John

--
"Thinking implies disagreement; and disagreement implies non-conformity; and non-conformity implies heresy; and heresy implies disloyalty -- so obviously thinking must be stopped"
[Call to Greatness, 1954] -- Adlai Stevenson

From: JunkYardMail1 on 5 Jul 2010 03:03

That is what I thought. You really don't have an objection or case to back it up so reveal your true nature by attacking with personal criticism rather than sticking to the subject matter and making your case.

--------------------------------------------------
From: "John R. Dennison" <jrd(a)gerdesas.com>
Sent: Sunday, July 04, 2010 11:43 PM
To: <JunkYardMail1(a)Verizon.net>
Cc: <postfix-users(a)postfix.org>
Subject: Re: [Postfix-Users] Re: Postfix.org SPF