spf-discuss

Re: Question on SPF

2004-01-09 07:39:09
I think that this style of use is a prime case for using a rate-limiting setup. How does this work?

1 You decide your policy -- do you want to allow people to use random IP addresses to send mail from your domain, but no more than 50/day per sending IP address? Or maybe 50/day/user per IP address [Note that this is easy for spammers to get around]

2 Implement a rate limiting spf-dns server. I have a prototype at http://pond.gladstonefamily.net/server.pl [You do not want to run this without looking at it, and thinking about it, and getting some support files]

3 Add a mechanism like -exists:%{i}.50/86400.rate.%{d}

Whenever your standard mechanisms do not pass the message, then SPF will roll into the exists check. This will cause the spf-dns server to be queried. It will see if the number of queries for that DNS record exceeds (on average) 50 per 86400 seconds. If so, then it returns an A record, otherwise NXDOMAIN.

The downside is that, in the early days, since few people are doing SPF checking, most messages will not trigger SPF checks, hence you are unlikely to get to 50 per day even for a hardened spammer. However, this should change soon.

Hope this helps

Philip

Matt wrote:
Greetings,
Question on this whole SPF thing.
I'm interested in it but have a slight issue with it at the moment that
I'd like to get resolved.

My domain is: mydomain.com
Customer A is traveling and is using his e-mail of joe@mydomain.com. However, I do IP filtering on my mail server (not SASL AUTH) for my
dial-up pools.
When Customer A is at hotel he must use their mail server to send mail
out, so his mail will be rejected because the hotel mail server isn't
listed in mydomain.com's SPF txt list.

You suggest running SASL AUTH as a work around for this, however in my
experience this creates MORE of a spam problem than not using SPF..
here's why:

On a mail server with over 40,000 users it's relatively easy for someone
with a password cracker to hammer away at common names like 'joe'
'jeffp', etc and try to get some passwords.  Once they have a
username/password combo they can happily send e-mail out as that user
through MY mail server, and I can't do anything about them.   Doing IP
filtering requires that they are on MY network to send mail through MY
server, thus allowing me to terminate/prosecute/etc the person.

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt
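The rate-limiting exists: trick Philip sketches in steps 1 to 3 above, worked through as an added example. This is not code from the post and not server.pl; it is an in-memory stand-in for the spf-dns server plus a minimal evaluator for a record of the form "v=spf1 ip4:<pool> -exists:%{i}.50/86400.rate.%{d}". The IP addresses, the allowed pool, the domain and the timestamps are all constructed for the demonstration, and the "exceeds 50 per 86400 seconds" test is implemented as a sliding-window count, one reasonable reading of "on average".

```python
"""Simulation of a rate-limiting SPF exists: mechanism.

The mechanism  -exists:%{i}.50/86400.rate.%{d}  is expanded per message
into a DNS name such as 203.0.113.7.50/86400.rate.mydomain.com. The
rate-limiting DNS server counts queries for each such name; once more
than 50 queries have landed within 86400 seconds it answers with an A
record, so the name "exists", the -exists mechanism matches and the
message fails. Otherwise it answers NXDOMAIN and evaluation falls
through to the default result. All data below is constructed.
"""
from collections import defaultdict, deque
import ipaddress
import re

# The mechanism exactly as written in the post (note the '/' inside a label).
MECHANISM = "-exists:%{i}.50/86400.rate.%{d}"

_NAME_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<limit>\d+)/(?P<window>\d+)"
    r"\.rate\.(?P<domain>.+)$"
)


def expand_macro(template: str, ip: str, domain: str) -> str:
    """Expand the two SPF macros this example needs: %{i} (sending IP,
    dotted quad) and %{d} (the domain being checked). Simplified: the
    full macro language also has transformers, reversal and other letters."""
    return template.replace("%{i}", ip).replace("%{d}", domain)


class RateLimitingResolver:
    """Stand-in for the spf-dns server (assumed behaviour, not server.pl).

    Each query name carries its own limit and window. A query is counted
    the moment it arrives; if more than `limit` queries for that name fall
    inside the last `window` seconds the answer is an A record, else NXDOMAIN.
    """

    def __init__(self) -> None:
        self._hits: dict[str, deque] = defaultdict(deque)  # name -> timestamps

    def query(self, name: str, now: float) -> str:
        m = _NAME_RE.match(name)
        if not m:
            return "NXDOMAIN"  # names we do not understand never "exist"
        limit, window = int(m["limit"]), int(m["window"])
        hits = self._hits[name]
        hits.append(now)
        while hits and now - hits[0] >= window:  # forget hits outside the window
            hits.popleft()
        return "A" if len(hits) > limit else "NXDOMAIN"


def spf_check(ip: str, domain: str, now: float,
              resolver: RateLimitingResolver, allowed_nets: list[str]) -> str:
    """Evaluate 'v=spf1 ip4:<allowed_nets...> <MECHANISM>' for one message.

    Returns 'pass' when the sender is inside one of the listed pools, 'fail'
    when the rate-limited name exists, and 'neutral' when nothing matched
    (the record has no trailing 'all', so SPF's default result applies).
    """
    addr = ipaddress.ip_address(ip)
    for net in allowed_nets:
        if addr in ipaddress.ip_network(net):
            return "pass"  # the dial-up pools still pass as before

    qualifier = MECHANISM[0]
    target = MECHANISM[len("-exists:"):]
    name = expand_macro(target, ip, domain)
    if resolver.query(name, now) == "A":
        return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"


def demo() -> dict:
    """Roaming user 203.0.113.7 sends one message a minute (constructed)."""
    resolver = RateLimitingResolver()
    pools = ["10.0.0.0/24"]  # constructed dial-up pool
    results = {
        "pool_sender": spf_check("10.0.0.5", "mydomain.com", 0, resolver, pools),
        "roaming": [spf_check("203.0.113.7", "mydomain.com", i * 60, resolver, pools)
                    for i in range(51)],
    }
    # Another roaming IP has its own counter and is unaffected.
    results["other_ip"] = spf_check("198.51.100.9", "mydomain.com", 3000, resolver, pools)
    # A day after the burst the window has slid past it and the sender is clean again.
    results["next_day"] = spf_check("203.0.113.7", "mydomain.com",
                                    50 * 60 + 86400 + 1, resolver, pools)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two practical points the simulation makes visible. First, the counter is per sending IP and only increments when a receiver actually performs the SPF lookup, which is exactly the weakness Philip names: while few sites check SPF, even a busy spammer never reaches the limit. Second, the counting only works if every query reaches the rate-limiting server, so its answers (both the A record and the NXDOMAIN) need a TTL of zero or close to it; a recursive resolver caching NXDOMAIN would silently stop counting that IP.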

