spf-discuss

Re: [spf-discuss] Question on a unified policy record approach

2005-09-07 23:39:37
On Wed, 7 Sep 2005, Leonard Mills wrote:

From: "Seth Goodman" <sethg(_at_)GoodmanAssociates(_dot_)com>
Sent: Wed, 7 Sep 2005 15:38:49 -0500 (20:38 UTC)

The practical question is how many
hosts that fail FCrDNS but pass a forward lookup on the EHLO FQDN are not
legitimate mailers?

Based on private spam complaints from some users
who procmail using sendmail's "(may be forged)"
indication of this situation, it seems to be
the great majority, at least for emails that we
allow through our gateways which have passed
through all of our checks (including DUL-based 
filtering).

Totally non-scientific, but those vocal users report 
that they haven't yet quarantined a desired email
as a result of that rule, and are pushing to have 
the rule applied globally. I'm still resisting that.

If the EHLO FQDN passes, then you can keep a blacklist of spam
EHLO domains.

Alternatively, you can skip the PTR check when the sender publishes
SPF, and blacklist MFROM domains.

That is the purpose of authentication.  Not to detect spam, but to
prevent forgery so that abusers can be safely blacklisted.

If the A record for an EHLO FQDN matches the connect IP, it is safe
to say the EHLO domain was not forged.

On my system, I require valid PTR, valid EHLO, OR SPF neutral/pass.
If I made that AND - very little legitimate mail would get through.
By requiring SOME kind of ID, whether PTR, EHLO, or SPF, most of the
zombies are killed in the envelope.

Whether the validated domain comes from PTR, EHLO, or SPF, it is
still subject to blacklisting.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
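
The "PTR, EHLO, OR SPF" rule described in the message above, sketched as an added example; it is not code from the original post or from the poster's system. The DNS tables, the blacklist contents, and all function names are assumptions made for illustration, with constructed data standing in for live lookups.

```python
# Added example. DNS answers are constructed sample data so the logic runs offline.
PTR = {  # reverse lookups: IP -> PTR names
    "192.0.2.10": ["mail.example.org"],
    "192.0.2.20": ["unrelated.example.net"],
}
A = {  # forward lookups: name -> A records
    "mail.example.org": ["192.0.2.10"],
    "mx.example.com": ["192.0.2.20"],
    "unrelated.example.net": ["192.0.2.77"],  # does not map back: FCrDNS fails
    "out.spam.example": ["198.51.100.7"],
}
BLACKLIST = {"spam.example"}  # hypothetical local list of abusive domains

def norm(name):
    return name.lower().rstrip(".")

def fcrdns_names(ip):
    """PTR names that forward-resolve back to the connecting IP."""
    return [norm(n) for n in PTR.get(ip, []) if ip in A.get(norm(n), [])]

def ehlo_matches(ip, ehlo):
    """True when an A record of the EHLO FQDN equals the connecting IP."""
    return ip in A.get(norm(ehlo), [])

def blacklisted(domain):
    """Match the domain or any parent domain against the blacklist."""
    labels = norm(domain).split(".")
    return any(".".join(labels[i:]) in BLACKLIST for i in range(len(labels)))

def check_envelope(ip, ehlo, mfrom_domain, spf_result):
    """Require PTR OR EHLO OR SPF identity, then blacklist whatever validated."""
    ids = [("PTR", n) for n in fcrdns_names(ip)]
    if ehlo_matches(ip, ehlo):
        ids.append(("EHLO", norm(ehlo)))
    if spf_result in ("pass", "neutral"):
        ids.append(("SPF", norm(mfrom_domain)))
    if not ids:
        return ("reject", "no validated identity")
    for kind, domain in ids:
        if blacklisted(domain):
            return ("reject", f"{kind} domain {domain} is blacklisted")
    return ("accept", ids)

if __name__ == "__main__":
    print(check_envelope("192.0.2.20", "mx.example.com", "example.com", "none"))
    print(check_envelope("203.0.113.5", "friend", "example.com", "none"))
    print(check_envelope("198.51.100.7", "out.spam.example", "example.com", "none"))
```

The first sample call is the case asked about in the thread: the host fails FCrDNS but its EHLO name resolves to the connecting IP, so it is accepted on the EHLO identity and that domain remains available for blacklisting.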
