Michel Bouissou wrote:
The funny thing is that I've seen many "obvious spams from spamming domains"
being rejected with an SPF FAIL. Which means that spammers have set up SPF
records that do not correspond to the machines from which they send or
forward. Thus they are shooting themselves in the foot ;-)
I've noticed that *many* times, I saw rejections of "SPF failing spam-domains"
come by batches of 3 or 4, in the same minute or so. In such cases, most of
these actually show the same SPF record.
The SPF record that usually shows for these is:
yesanother.com text "v=spf1 ip4:216.65.64.1/24 ip4:216.65.3.1/24
a:send1.surgeweb.com mx -all"
An example of such a "batch of 3 or 4" is:
Aug 4 19:41:44 reject: RCPT from unknown[80.253.1.54]: 550 <affector(_at_)iloveswindon(_dot_)com>: Sender address rejected: Violation SPF: [...] from=<affector(_at_)iloveswindon(_dot_)com> helo=<intelsat.ru>
Aug 4 19:41:58 reject: RCPT from intelsat.ru[80.253.1.52]: 550 <brett(_at_)yesanother(_dot_)com>: Sender address rejected: Violation SPF: [...] from=<brett(_at_)yesanother(_dot_)com> helo=<intelsat.ru>
Aug 4 19:42:43 reject: RCPT from atlas.aquitaine.iufm.fr[195.220.161.3]: 550 <knotted(_at_)leaveitwithme(_dot_)com>: Sender address rejected: Violation SPF: [...] from=<knotted(_at_)leaveitwithme(_dot_)com> helo=<atlas.aquitaine.iufm.fr>
Aug 4 19:44:33 reject: RCPT from mail.probit.wroc.pl[81.219.229.100]: 550 <blackening(_at_)faberoonie(_dot_)com>: Sender address rejected: Violation SPF: [...] from=<blackening(_at_)faberoonie(_dot_)com> helo=<mail.probit.wroc.pl>
These aren't spam-domains, they're domains operated by the mail service
provider another.com (see http://another.com/). They used to do a lot of
freemail stuff too, much like Outblaze, so spammers like using their domains.
I guess that once the effect of the SPF records finally reaches the brains of
the spammers, they'll move on to abuse someone else's domains.
Paul.
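As an added example (not part of the thread), the following Python script parses the four Postfix reject lines quoted above, restores the archive-obfuscated sender addresses, checks each client IP against the ip4: mechanisms of the quoted SPF record, and groups the rejections into the "same minute or so" batches Michel describes. The a: and mx mechanisms are not resolved (that would need live DNS), and the year used for the syslog timestamps is an assumption.

```python
import ipaddress
import re
from datetime import datetime

# SPF record quoted in the thread; only its ip4: mechanisms are evaluated here,
# because a: and mx would require live DNS lookups.
SPF_RECORD = "v=spf1 ip4:216.65.64.1/24 ip4:216.65.3.1/24 a:send1.surgeweb.com mx -all"

# The four Postfix reject lines from the thread, one per line; the
# (_at_)/(_dot_) obfuscation is the list archive's and is undone when parsing.
LOG = """\
Aug 4 19:41:44 reject: RCPT from unknown[80.253.1.54]: 550 <affector(_at_)iloveswindon(_dot_)com>: Sender address rejected: Violation SPF: [...] from=<affector(_at_)iloveswindon(_dot_)com> helo=<intelsat.ru>
Aug 4 19:41:58 reject: RCPT from intelsat.ru[80.253.1.52]: 550 <brett(_at_)yesanother(_dot_)com>: Sender address rejected: Violation SPF: [...] from=<brett(_at_)yesanother(_dot_)com> helo=<intelsat.ru>
Aug 4 19:42:43 reject: RCPT from atlas.aquitaine.iufm.fr[195.220.161.3]: 550 <knotted(_at_)leaveitwithme(_dot_)com>: Sender address rejected: Violation SPF: [...] from=<knotted(_at_)leaveitwithme(_dot_)com> helo=<atlas.aquitaine.iufm.fr>
Aug 4 19:44:33 reject: RCPT from mail.probit.wroc.pl[81.219.229.100]: 550 <blackening(_at_)faberoonie(_dot_)com>: Sender address rejected: Violation SPF: [...] from=<blackening(_at_)faberoonie(_dot_)com> helo=<mail.probit.wroc.pl>
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) reject: RCPT from (\S+)\[([\d.]+)\]:"
                     r".*from=<([^>]+)> helo=<([^>]+)>")

def ip4_permitted(ip, record=SPF_RECORD):
    """True if ip falls inside any ip4: mechanism (216.65.64.1/24 -> 216.65.64.0/24)."""
    nets = [ipaddress.ip_network(t[4:], strict=False)
            for t in record.split() if t.startswith("ip4:")]
    return any(ipaddress.ip_address(ip) in net for net in nets)

def parse_rejects(log, year=2004):
    """Parse reject lines into dicts; syslog omits the year, so one is assumed."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, rdns, ip, sender, helo = m.groups()
            sender = sender.replace("(_at_)", "@").replace("(_dot_)", ".")
            events.append({"time": datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S"),
                           "ip": ip, "rdns": rdns, "sender": sender, "helo": helo,
                           "ip4_permitted": ip4_permitted(ip)})
    return events

def batches(events, window_s=60):
    """Group rejections arriving within window_s of the first one in the batch."""
    groups = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if groups and (ev["time"] - groups[-1][0]["time"]).total_seconds() <= window_s:
            groups[-1].append(ev)
        else:
            groups.append([ev])
    return groups
```

On the quoted lines this yields one batch of three rejections and one of a single rejection, and none of the four client IPs is covered by the record's ip4: ranges.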