spf-discuss

Re: [spf-discuss] Promoting NEUTRAL or SOFTFAIL result to FAIL

2006-02-25 15:39:44
"Hector Santos" <spf-discuss(_at_)winserver(_dot_)com> writes:

Right,

I understand what you mean matching at least 2 levels to domains (TLD match
level equal 2 at least).

But I am specifically talking about where the client literally issues:

    HELO/EHLO domain.com
    MAIL FROM: user @ domain.com

and

    MFROM.DOMAIN == HELO.DOMAIN

It is a clear cut violation if SPF(MFROM) returns anything but a FAIL or
PASS because the client is stating it is inside the secured authorized
sending network.

Not necessarily.  Suppose the domain name is the name of a laptop
computer that sends mail from various IP addresses in addition to its
primary (main) address.  The laptop's owner might just publish a
record saying:

   v=spf1 ?all

Such a setup is not even as unreasonable as it sounds, if, for
instance, the domain name has MX records pointing to a static mail
server and the sender uses BATV or SES or something to avoid unwanted
bounces.

That said, I wouldn't be surprised to hear that a lot of spammers just
issue the same HELO name as the mail-from domain.  Thus, I can
understand why this rule might catch a lot of spam.

One good thing is that all the information you need to perform your
test should be available in the Received: and Received-SPF headers.
Thus, your suggestion might be an appropriate rule to add to a
score-based spam filter like SpamAssassin.  If your mail server has
been adding Received-SPF (or the older SPF-Received) headers, you
might back-test the rule on an existing corpus to see whether it
reduces the number of false negatives without increasing false
positives.

David
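
The back-test suggested in the message above, sketched as an added example (not code from the thread or from any SPF implementation). It assumes the receiving server writes Received-SPF with the RFC 4408 `envelope-from=` and optional `helo=` key-value pairs; the corpus, hostnames and labels are constructed.

```python
import email
import re
PROMOTE = {"neutral", "softfail"}  # results the subject line proposes promoting to FAIL

def spf_fields(msg):
    """(result, helo, mail-from domain) from the topmost, i.e. our own server's, headers."""
    spf = " ".join(msg.get("Received-SPF", "").split())
    if not spf:
        return None
    kv = {k.lower(): v.strip('"<>') for k, v in re.findall(r"([\w-]+)=([^;\s]+)", spf)}
    helo = kv.get("helo")
    if helo is None:  # not every SPF implementation records helo=; use "Received: from <helo>"
        m = re.match(r"from\s+(\S+)", " ".join(msg.get("Received", "").split()))
        helo = m.group(1) if m else ""
    domain = kv.get("envelope-from", "").rpartition("@")[2]
    return spf.split()[0].lower(), helo.lower().rstrip("."), domain.lower().rstrip(".")

def rule_hits(raw):
    """True when HELO equals the MAIL FROM domain and SPF(MFROM) is neutral/softfail."""
    fields = spf_fields(email.message_from_string(raw))
    if fields is None:
        return False
    result, helo, domain = fields
    return bool(domain) and helo == domain and result in PROMOTE

def backtest(corpus):
    """corpus: iterable of (is_spam, raw_message); returns confusion counts for the rule."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for is_spam, raw in corpus:
        hit = rule_hits(raw)
        counts[("tp" if hit else "fn") if is_spam else ("fp" if hit else "tn")] += 1
    return counts

def sample(result, helo, mfrom, spf_helo=True):  # builds one constructed message
    kv = f"client-ip=192.0.2.10; envelope-from={mfrom};" + (f" helo={helo};" if spf_helo else "")
    return (f"Received-SPF: {result} (mx.example.net: constructed sample) {kv}\n"
            f"Received: from {helo} (unknown [192.0.2.10]) by mx.example.net\n"
            "Subject: constructed\n\nbody\n")

CORPUS = [  # constructed and hand-labelled: (is_spam, raw message)
    (True, sample("neutral", "domain.com", "user@domain.com")),        # HELO forged to match
    (True, sample("softfail", "domain.com", "x@domain.com", False)),   # helo only in Received:
    (True, sample("softfail", "dsl.example.org", "x@domain.com")),     # HELO differs: missed
    (False, sample("neutral", "laptop.example.com", "me@laptop.example.com")),  # v=spf1 ?all
    (False, sample("pass", "mail.example.org", "a@mail.example.org")),
    (False, sample("neutral", "mta.example.org", "b@example.org")),
]

if __name__ == "__main__":
    print(backtest(CORPUS))
```

The one false positive in the constructed corpus is the roaming-laptop case with `v=spf1 ?all`, which is why the rule fits a score-based filter better than an outright reject.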
