spf-discuss
[Top] [All Lists]

Re: [spf-discuss] SPF records that cover entire IP range

2006-08-14 08:33:40
On Mon, Aug 14, 2006 at 10:14:33AM -0400, Gino Cerullo wrote:
This question came up on the Spamassassin Users mailing list and I  
thought I would ask the experts here what they thought.

How are domains that publish records that cover the entire IP address  
range dealt with.

Example,

"v=spf1 ip4:51.0.0.0/2 ip4:66.0.0.0/2 ip4:145.0.0.0/2 ip4:245.0.0.0/2  
-all"

Good question.

What does the record indicate?  Well, the entire world can send email
using the domain name this record belongs to.  Does it indicate anything
else?  No.  Most importantly, SPF-PASS does not indicate not-spam
(nor the opposite by the way).

From a spamassassin point of view, the record is a clear attempt to
fool filters.  A legitimate record could have been written as "v=spf1 +all".

But be careful when building filter rules.  For instance, nowhere is
it specified that "ip4:192.0.2.1/24" is wrong and "ip4:192.0.2.0/24" is not.
(substitute any ip range here; I am using this range as example only, not
saying 192.0.2.0/24 can be used on the internet).  Similarly, ip4:51.0.0.0/2
is no more wrong than 0.0.0.0/2.


I think in obvious cases like this, it is OK for spamassassin to generate
a high spam score.  But I wouldn't know where to draw the line.  For instance,
what if 'only' half of the IP address space is allowed?  Or a quart?

Is RFC1918 address space inclusion an attempt to fool filters, or is the
person building the record, er..., not so smart?

Not even "+all" is a certain indicator:
"v=spf1 -ip4:128.0.0.0/2 -ip4:193.0.0.0/24 -ip4:194.0.0.0/7
-ip4:196.0.0.0/6 -ip4:200.0.0.0/5 -ip4:208.0.0.0/4 -ip4:192.
.....(and so on, until 192.0.2.0/24 remains)...  +all"

Perhaps the amount of addresses resulting in a PASS would be some kind
of indication for spamassassin.  But does gmail send more spam than aol?

Last but not least: how is spamassassin going to check the following:
"v=spf1 exists:%ir._spf.spammerdomain.example -all"
Is this one address? Two?  Four billion?


If SPF results are to be used for other purposes than SPF was designed for,
the people doing so will have to be very careful when doing so.  When
wrong conclusions are being drawn, you may even hurt SPF.

Maybe spamassassin should leave SPF_PASS and {SPF_NEUTRAL or SPF_NONE} alone.


some more cents,
Alex

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your 
subscription, 
please go to 
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com