spf-discuss

Re: Interaction with anti-spam systems

2004-08-05 03:29:56
On Thursday 5 August 2004 09:14, Graham Murray wrote:
> "Alan DeKok" <aland(_at_)ox(_dot_)org> writes:
> > e.g. I've talked to people who say that 90% of the SPF records they
> > see are from spammers.
>
> That is certainly not what I am seeing here.

To advance the discussion with a real-life example, you will find below the 
list of domains for which my (relatively low-traffic) personal server has 
received a "MAIL FROM:" in the last few days (for any kind of message, either 
legitimate, spam or forged), and that DO have an SPF record.

Some of these domains are known spamming domains. Others obviously look like 
spammer throwaway domains. But many are also perfectly legitimate domains.

The funny thing is that I've seen many "obvious spams from spamming domains" 
being rejected with an SPF FAIL. Which means that spammers have set up SPF 
records that do not correspond to the machines from which they send or 
forward. Thus they are shooting themselves in the foot ;-)

I've noticed that *many* times, I saw rejections of "SPF failing spam-domains" 
come by batches of 3 or 4, in the same minute or so. In such cases, most of 
these actually show the same SPF record.

The SPF record that usually shows for these is:
yesanother.com text "v=spf1 ip4:216.65.64.1/24 ip4:216.65.3.1/24 
a:send1.surgeweb.com mx -all"

An example of such a "batch of 3 or 4" is:

Aug  4 19:41:44 reject: RCPT from unknown[80.253.1.54]:
550 <affector(_at_)iloveswindon(_dot_)com>: Sender address rejected: Violation 
SPF: [...]
from=<affector(_at_)iloveswindon(_dot_)com> helo=<intelsat.ru>

Aug  4 19:41:58 reject: RCPT from intelsat.ru[80.253.1.52]:
550 <brett(_at_)yesanother(_dot_)com>: Sender address rejected: Violation SPF: 
[...]
from=<brett(_at_)yesanother(_dot_)com> helo=<intelsat.ru>

Aug  4 19:42:43 reject: RCPT from atlas.aquitaine.iufm.fr[195.220.161.3]:
550 <knotted(_at_)leaveitwithme(_dot_)com>: Sender address rejected: Violation 
SPF: [...]
from=<knotted(_at_)leaveitwithme(_dot_)com> helo=<atlas.aquitaine.iufm.fr>

Aug  4 19:44:33 reject: RCPT from mail.probit.wroc.pl[81.219.229.100]:
550 <blackening(_at_)faberoonie(_dot_)com>: Sender address rejected: Violation 
SPF: [...]
from=<blackening(_at_)faberoonie(_dot_)com> helo=<mail.probit.wroc.pl>


Now for the list of SPF-enabled MAIL FROM: domains that my personal server has 
seen in the last few days. Make up your own mind about which of these are 
legitimate, and which are spammers' ;-)


-- 
Michel Bouissou <michel(_at_)bouissou(_dot_)net> OpenPGP ID 0xDDE8AC6E
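As an added illustration of the two observations in the post above (the rejected clients' IPs fall outside the quoted record's ip4 ranges, and the rejects arrive in batches within a minute or so), here is example code that is not part of the post. It evaluates only the ip4 mechanisms and the trailing "all" of the quoted record (the a:/mx mechanisms need DNS lookups and are skipped, on the assumption that they do not match either, as the rejections show), and groups the four quoted rejects, re-typed below as a constructed log with the address obfuscation removed, by timestamp.

```python
import ipaddress
import re
from datetime import datetime

# Record quoted in the post. a:/mx need DNS, which this offline check skips
# (assumption: they do not match the client IPs below, as the rejects imply).
SPF_RECORD = "v=spf1 ip4:216.65.64.1/24 ip4:216.65.3.1/24 a:send1.surgeweb.com mx -all"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_ip4_result(record, client_ip):
    # Walk the mechanisms left to right; the first match decides the result.
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:          # skip "v=spf1"
        qual = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all" or (mech.startswith("ip4:")
                             and ip in ipaddress.ip_network(mech[4:], strict=False)):
            return QUALIFIERS[qual]
    return "neutral"                          # nothing matched and no "all" term

# Constructed from the four rejects quoted in the post (550 lines omitted).
LOG = """\
Aug  4 19:41:44 reject: RCPT from unknown[80.253.1.54]:
from=<affector@iloveswindon.com> helo=<intelsat.ru>
Aug  4 19:41:58 reject: RCPT from intelsat.ru[80.253.1.52]:
from=<brett@yesanother.com> helo=<intelsat.ru>
Aug  4 19:42:43 reject: RCPT from atlas.aquitaine.iufm.fr[195.220.161.3]:
from=<knotted@leaveitwithme.com> helo=<atlas.aquitaine.iufm.fr>
Aug  4 19:44:33 reject: RCPT from mail.probit.wroc.pl[81.219.229.100]:
from=<blackening@faberoonie.com> helo=<mail.probit.wroc.pl>
"""
REJECT_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) reject: RCPT from \S+\[([\d.]+)\]")
FROM_RE = re.compile(r"^from=<[^@>]+@([^>]+)>")

def parse_rejects(log, year=2004):
    # Returns [(timestamp, client_ip, mail_from_domain)] per reject entry.
    entries, pending = [], None
    for line in re.sub(r" +", " ", log).splitlines():   # collapse "Aug  4"
        if m := REJECT_RE.match(line):
            pending = (datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"),
                       m.group(2))
        elif (m := FROM_RE.match(line)) and pending:
            entries.append(pending + (m.group(1),))
            pending = None
    return entries

def batches(rejects, gap_seconds=60):
    # Group rejects whose consecutive timestamps lie within gap_seconds.
    groups = []
    for rej in sorted(rejects):
        if groups and (rej[0] - groups[-1][-1][0]).total_seconds() <= gap_seconds:
            groups[-1].append(rej)
        else:
            groups.append([rej])
    return groups
```

Running it over the constructed log yields a "fail" for all four client IPs and one batch of three rejects inside a single minute, followed by a lone one.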