spf-discuss

Time to start rejecting on neutral?

2005-05-16 12:09:15
We (and our customers) have been bombarded by a boatload of German spam.  
One characteristic of this spam is that the (forged) MAIL FROM is always a
domain with an SPF record that returns NEUTRAL for the zombie's IP. It is
as if the zombie program screens potential forged MAIL FROMs to ensure
that they have an SPF record and won't get a FAIL.

I already reject NEUTRAL for commonly forged domains (e.g. aol.com), but
this new attack may lead to rejecting NEUTRAL results across the board.

Comments?  (Other than noting that the draft RFC says NEUTRAL MUST BE
treated the same as NONE.  My MTA, my rules.)

Oh, ironically, the most popular forged domain with a NEUTRAL result
is pobox.com. :-)  Apparently, pobox.com redirects to a user-specific
SPF record.  So all a spammer has to do is sign up, create an
SPF record for their account of 'v=spf1 ?all', and spam away with
a mail from domain of pobox.com.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
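
The policy discussed in the message above, as an added example that is not part of the original post and is not the poster's MTA code: a small evaluator for a subset of SPF (ip4, all, redirect) showing how a redirect to a per-user 'v=spf1 ?all' record yields NEUTRAL for any client IP, and a receiver policy that rejects NEUTRAL either for a list of commonly forged domains or across the board. All domains, records and addresses are constructed, and the names check_spf, decide and strict_domains are hypothetical.

```python
import ipaddress

# Constructed TXT records (assumption): example.org redirects to a per-user record.
TXT = {
    "example.org": "v=spf1 redirect=user1._spf.example.org",
    "user1._spf.example.org": "v=spf1 ?all",
    "strict.example": "v=spf1 ip4:192.0.2.0/24 -all",
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(ip, domain, depth=0):
    """Evaluate a subset of SPF (ip4, all, redirect) for a client IP."""
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:                      # bound the redirect chain
        return "permerror"
    redirect = None
    for term in record.split()[1:]:
        if term.startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        qual = term[0] if term[0] in QUALIFIER else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":               # matches every client IP
            return QUALIFIER[qual]
        if mech.startswith("ip4:"):
            net = ipaddress.ip_network(mech[4:], strict=False)
            if ipaddress.ip_address(ip) in net:
                return QUALIFIER[qual]
    if redirect:                        # used only when no mechanism matched
        result = check_spf(ip, redirect, depth + 1)
        return "permerror" if result == "none" else result
    return "neutral"                    # default when nothing matches

def decide(ip, mail_from, strict_domains, reject_all_neutral=False):
    """Return (spf_result, action) for the receiving MTA's local policy."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    result = check_spf(ip, domain)
    if result == "fail":
        return result, "reject"
    # NEUTRAL is rejected only where local policy says so; NONE is never
    # rejected here, which is where this departs from treating them alike.
    if result == "neutral" and (reject_all_neutral or domain in strict_domains):
        return result, "reject"
    return result, "accept"

if __name__ == "__main__":
    print(decide("203.0.113.7", "someone@example.org", {"example.org"}))
```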