spf-discuss

Re: Turning raw data into useful stats

2005-06-28 08:39:36

David MacQuigg wrote:
At 10:15 PM 6/27/2005 -0700, Greg Connor wrote:

I am in possession of a large amount of raw data, and I would like to
turn it into something useful.

My goals are:

1. Gather some statistics about how spam is currently being handled.
2. Evaluate whether using SPF would help.  I would like to start using
SPF to reject incoming email, but first I need to show management that
we have a reasonable idea of what will happen, and we have identified
forwarding sources that should be whitelisted.
3. Provide real, useful data back to other interested parties
regarding how well SPF works (or might work, if applied to our
incoming mail).

Here is the scenario.  My company receives about 3.5M email
transactions per day.  The majority of these are blocked by RBL and other
methods, and only about 7% are allowed past the first mailer (roughly
200K/day).  But, I have other data that suggests the real, non-abusive
email is closer to 20K/day, so I would really like to get our current
7% number down to less than 1%. Not an easy task.

The edge mailers are not smart enough to process SPF yet.  (Actually
an SPF switch exists but their implementation is known to have some
problems and can't be adjusted, whitelisted, etc.  This is an
appliance box.)  Most important, their implementation of SPF doesn't
allow for logging only, the only choice is to reject.


This raises a serious question - If many domains use these "appliance
boxes" as their border MTAs, how can we expect *any* IP authentication
method to work?  Are we expecting these appliances to be replaced by
general-purpose MTAs?  I assume there is no chance of modifying their
proprietary software.

...

The border MTA is the one that needs to do the check for best effect.
However: if the border MTA provides useful Received-From headers
they can be used for post-SMTP verification. This is sub-optimal
in so many ways, but is better than nothing I suppose.

--
Daniel Taylor



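The post-SMTP check described in the reply above, sketched as an added example that is not part of the original thread: it takes the connecting IP from the Received header stamped by the border MTA and produces a log-only SPF verdict for a message that was already accepted. The hostname `edge1.example.com`, the Received layout, the use of Return-Path as the envelope sender, the SPF records and the sample message are all constructed assumptions, and only the `ip4`, `ip6` and `all` mechanisms are evaluated.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

BORDER_MTA = "edge1.example.com"  # assumption: the name our border appliance stamps
# Constructed SPF records standing in for DNS TXT lookups, so this runs offline.
SPF_RECORDS = {"example.org": "v=spf1 ip4:192.0.2.0/24 -all",
               "example.net": "v=spf1 ip4:198.51.100.7 ~all"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Assumed layout "from HELO (rdns [IP]) by HOST"; appliances differ, adapt to yours.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(.*?\[([0-9a-fA-F.:]+)\]\).*?\bby\s+([^\s;]+)", re.S)

def border_hop(msg):
    """Return (helo, ip) from the topmost Received header stamped by BORDER_MTA."""
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if m and m.group(3).lower() == BORDER_MTA:
            return m.group(1), ipaddress.ip_address(m.group(2))
    return None

def spf_result(domain, ip):
    """Evaluate only ip4/ip6/all; a, mx, include etc. need DNS and are skipped."""
    record = SPF_RECORDS.get(domain.lower())
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if mech == "all" or (mech[:4] in ("ip4:", "ip6:")
                             and ip in ipaddress.ip_network(mech[4:], strict=False)):
            return QUALIFIERS[qual]
    return "neutral"

def check_message(raw):
    """Log-only verdict (domain, ip, result) for one already-accepted message."""
    msg = message_from_string(raw)
    hop = border_hop(msg)
    if hop is None:
        return ("", None, "unverifiable")
    # Assumption: Return-Path holds the envelope sender; for "<>" use the HELO name.
    sender = parseaddr(msg.get("Return-Path", ""))[1]
    domain = sender.rpartition("@")[2] or hop[0]
    return (domain, str(hop[1]), spf_result(domain, hop[1]))

# Constructed sample. Headers are prepended, so the lower Received line is sender-supplied.
SAMPLE = ("Return-Path: <alice@example.org>\n"
          "Received: from relay.example.org (unknown [203.0.113.50])\n\tby edge1.example.com with ESMTP\n"
          "Received: from pc (pc [192.0.2.9]) by edge1.example.com with SMTP\n"
          "Subject: constructed sample\n\nbody\n")
```

Only the topmost header naming the border MTA is trusted, so the verdict for `SAMPLE` is based on 203.0.113.50 and not on the address in the older header beneath it.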