Hi all,
I'm running a mail server for a couple of small domains. Last week I added SPF
support to a W2K SMTP service sink I wrote some time ago. As expected, the
number of returned SPF records is very low at this time so I queried a local
DNS based whitelist containing SPF records for domains that contact us. Because
of the limited amount of e-mail we get, I can manually check the logs and add
"unknowns" to this local whitelist. However, the policy I use is slightly
different from what's proposed using Mail::SPF::Query.
All checks are done at "RCPT TO:" so a per user policy can be enforced.
1) The helo/ehlo name is checked against a static list. Someone claiming to be
"aol.com" or "compuserve.com" is rejected immediately.
2) An IP-address in helo/ehlo is only accepted if it matches the remote
IP-address.
3) Lookup the remote IP-address in various DNSBLs.
4) Lookup the remote IP-address in a local DNSBL, the result of this is used:
- to specifically blacklist/whitelist an IP-address
- as a CNAME that helps domains with rDNS problems
5) Reverse lookup of remote IP-address if (4) didn't return a CNAME. If this
fails and the helo/ehlo name looks like a FQDN then a forward lookup is done on
that name. If this matches the remote IP, the helo/ehlo is used as the PTR
domain and is optionally registered with a CNAME in the local DNSBL.
6) The SPF policy record for the sender domain is evaluated (NO best_guess).
7) If the result is "none" or "unknown", redirect query to
%{s@}.spf.local.
- this local lookup returns "v=spf1 mx:%{o}/24 a:%{o}/24
include:spf.trusted-forwarder.org ?all" by default.
- big domains like yahoo, hotmail, compuserve,... have an entry in this zone
like "v=spf1 ptr:something -all"
- smaller domains have a more conservative entry, like "v=spf1 include ?all"
or "+all"
8) If the SPF result still evaluates to "unknown", the connection fails with a
"451 please try again later" error. This gives me some time to check the logs
and enter the SPF record manually.
I've been using this scheme for almost a week now and the results are very promising.
It only let a few spams slip through (nailed by SpamAssassin though ;) because of
the initial "ptr" mechanism in the default (best_guess) response.
The big problem I see is in those zillion very small domains that use a
different provider for their incoming and outgoing mail. Most ISPs so far pass
the default mx/24 a/24 test.
Is this an acceptable use of SPF or are there some major drawbacks in
processing incoming e-mail this way?
Best regards,
Dirk
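The RCPT-time policy described in the post (steps 1, 2, 6, 7 and 8), as an added example in Python that is not Dirk's W2K sink code and not Mail::SPF::Query. It evaluates a published SPF record first, falls back to a hand-maintained `<domain>.spf.local` zone, then to the post's default `mx:%{o}/24 a:%{o}/24 include:spf.trusted-forwarder.org ?all` record, and defers with 451 when the result is still "unknown". The DNS zone, reverse zone, HELO reject list and all domain names and addresses are constructed for the example; the evaluator implements only the mechanisms the post uses (a, mx, ptr, ip4, include, all) with %{o}/%{d}/%{s}/%{l} macros, and the DNSBL checks of steps 3 to 5 are left out, so it is a subset of the draft, not a full implementation.

```python
"""RCPT-time HELO and SPF policy with a local fallback zone (added example)."""
import ipaddress
import re

# Constructed in-memory DNS data standing in for real lookups (assumption).
ZONE = {
    ("example.com", "TXT"): ["v=spf1 mx ip4:192.0.2.0/24 -all"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["198.51.100.25"],
    # tiny.example publishes no SPF record and relays through its ISP's MX
    ("tiny.example", "MX"): ["mx.isp.example"],
    ("mx.isp.example", "A"): ["203.0.113.10"],
    ("tiny.example", "A"): ["203.0.113.40"],
    ("out.bigmail.example", "A"): ["203.0.113.77"],
    # hand-maintained local override zone (the post's *.spf.local)
    ("bigmail.example.spf.local", "TXT"): ["v=spf1 ptr:bigmail.example -all"],
    ("weird.example.spf.local", "TXT"): ["v=spf1 exists:%{i}.rbl.local -all"],
}
RDNS = {"203.0.113.77": ["out.bigmail.example"]}   # constructed reverse zone
BAD_HELO = {"aol.com", "compuserve.com"}            # static HELO reject list
DEFAULT_LOCAL = ("v=spf1 mx:%{o}/24 a:%{o}/24 "
                 "include:spf.trusted-forwarder.org ?all")
MECH = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?::([^/]+))?(?:/(\d+))?$", re.I)
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def dns(name, rtype):
    return ZONE.get((name.lower(), rtype), [])


def spf_txt(name):
    """First TXT record of the name that starts with v=spf1, else ''."""
    return next((t for t in dns(name, "TXT") if t.lower().startswith("v=spf1")), "")


def expand(spec, domain, sender):
    """Macros the post relies on: %{o} sender domain, %{d} current domain."""
    local, _, sdom = sender.rpartition("@")
    macros = {"o": sdom, "d": domain, "s": sender, "l": local}
    return re.sub(r"%\{([a-z])\}", lambda m: macros.get(m.group(1), m.group(0)), spec)


def in_net(ip, addr, cidr):
    net = ipaddress.ip_network("%s/%s" % (addr, cidr or 32), strict=False)
    return ipaddress.ip_address(ip) in net


def validated_ptr_names(ip):
    """ptr: only names whose forward lookup confirms the connecting address."""
    return [n.lower() for n in RDNS.get(ip, []) if ip in dns(n, "A")]


def evaluate(record, ip, domain, sender, depth=0):
    """pass/fail/softfail/neutral/none/unknown for one record (subset of the draft)."""
    if depth > 10:
        return "unknown"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        m = MECH.match(term)
        if not m:
            return "unknown"                 # syntax error
        qual, mech, target, cidr = m.groups()
        mech, target = mech.lower(), (expand(target, domain, sender) if target else domain)
        try:
            if mech == "all":
                matched = True
            elif mech == "ip4":
                matched = in_net(ip, target, cidr)
            elif mech == "a":
                matched = any(in_net(ip, a, cidr) for a in dns(target, "A"))
            elif mech == "mx":
                matched = any(in_net(ip, a, cidr)
                              for mx in dns(target, "MX") for a in dns(mx, "A"))
            elif mech == "ptr":
                matched = any(n == target.lower() or n.endswith("." + target.lower())
                              for n in validated_ptr_names(ip))
            elif mech == "include":
                sub = evaluate(spf_txt(target), ip, target, sender, depth + 1)
                if sub == "unknown":
                    return "unknown"
                matched = sub == "pass"      # none/fail/neutral inside include: no match
            else:
                return "unknown"             # mechanism not implemented here
        except ValueError:
            return "unknown"                 # malformed address or CIDR
        if matched:
            return RESULTS[qual or "+"]
    return "neutral"                         # ran off the end of the record


def check_helo(helo, remote_ip):
    """Steps 1 and 2: static reject list, and a HELO IP literal must match the peer."""
    h = helo.strip().lower()
    if h in BAD_HELO:
        return "550 forged HELO %s" % h
    m = re.fullmatch(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?", h)
    if m and m.group(1) != remote_ip:
        return "550 HELO address %s does not match %s" % (m.group(1), remote_ip)
    return None


def spf_decision(remote_ip, sender):
    """Steps 6 and 7: published record, then the local zone, then the default."""
    domain = sender.rpartition("@")[2].lower()
    result = evaluate(spf_txt(domain), remote_ip, domain, sender)
    if result in ("none", "unknown"):
        local = spf_txt(domain + ".spf.local") or DEFAULT_LOCAL
        result = evaluate(local, remote_ip, domain, sender)
    return result


def rcpt_to(helo, remote_ip, sender):
    """Step 8: a result that is still unknown is deferred with 451 for manual review."""
    err = check_helo(helo, remote_ip)
    if err:
        return err
    result = spf_decision(remote_ip, sender)
    if result == "fail":
        return "550 SPF fail for %s from %s" % (sender, remote_ip)
    if result == "unknown":
        return "451 please try again later"
    return "250 OK (spf=%s)" % result
```

Note what the weird.example entry shows: any mechanism the evaluator does not understand turns the whole result into "unknown", so a local override that uses a mechanism the sink cannot handle will defer every message from that domain with 451 until the zone entry is fixed; the same happens when the published record has a syntax error, which is the case the post's manual log review is meant to catch.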
-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt