spf-discuss

Re: [spf-discuss] should SPF checks be before or after RBL

2006-10-03 09:37:19
On Tue, 3 Oct 2006, wayne wrote:

> In <Pine(_dot_)LNX(_dot_)4(_dot_)44(_dot_)0610030939070(_dot_)21313-100000(_at_)bmsred(_dot_)bmsi(_dot_)com>
> "Stuart D. Gathman" <stuart(_at_)bmsi(_dot_)com> writes:
>
>> OTOH, I need an SPF PASS result (real or guessed) before I can safely
>> auto-blacklist domains that send spam to random recipients.
>
> I'm not sure what you are saying here Stuart...
>
> While I can see wanting an SPF Pass before deciding whether the domain
> should be blacklisted or not, I can't see a reason to not immediately
> reject a domain that has been blacklisted.
>
> If a domain is known to send mostly good email, then I can see having
> an SPF Pass override some other anti-spam checks.
>
> However, if a domain is known to send spam, then I doubt that anyone
> who forges that domain would be *less* likely to spam than the domain
> itself.  So, whether the spammy domain passes or not is irrelevant.

Short answer: dictionary attacks

Long answer: Take it in context.  The point was that I am going to check SPF
*anyway* (so I can blacklist the domain instead of IP if possible) if they are
sending to random RCPTs.  So it doesn't save anything to check during/after
RCPT.  BUT, if you wait until RCPT, then you have to keep rejecting recipients.
(Or ditch SMTP and just hang up on the caller.)

> I guess I still don't see why it wouldn't be better to see if you
> received a valid RCPT TO before doing any SPF or DNSBL checks.

In many applications (e.g. not aggressively blacklisting like I am),
it could be better after RCPT (depending on how many connections are
dictionary attacks).  I am just saying that it is not cut and dried, and
depends on the application.

Another wrinkle is an idea I've had recently: randomly select some
of the spam to random RCPTs to train the bayes filter.  In that case, you
would skip SPF on the selected connections.  I'm a big fan of proactive
filter training.  Forwarding/marking spam is a drag.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

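A small model of the trade-off argued in this message, added here as an illustration and not code from either poster: it counts SPF evaluations when SPF runs at MAIL FROM versus when it is deferred, with and without auto-blacklisting, and keys the blacklist entry on the domain only after an SPF pass. The `Filter` class, `BAD_RCPT_LIMIT`, the mailbox list and the sample sessions are all assumptions made for the example.

```python
# Added illustration: names, the threshold and the sample sessions are constructed.
from dataclasses import dataclass, field

VALID_RCPTS = {"alice@example.org", "bob@example.org"}
BAD_RCPT_LIMIT = 3  # assumed cutoff for "sending to random recipients"

@dataclass
class Filter:
    spf_at_mail_from: bool  # True: SPF at MAIL FROM; False: deferred until needed
    auto_blacklist: bool    # True: blacklist senders that hit BAD_RCPT_LIMIT
    spf_lookups: int = 0
    blacklist: set = field(default_factory=set)

    def _spf(self, s):
        self.spf_lookups += 1  # count each SPF evaluation
        return s["spf"]        # stand-in for a real SPF evaluation

    def handle(self, s):
        if s["ip"] in self.blacklist or s["domain"] in self.blacklist:
            return "reject: blacklisted"  # known-bad sender, no SPF needed
        spf = self._spf(s) if self.spf_at_mail_from else None
        bad, accepted = 0, False
        for rcpt in s["rcpts"]:
            if rcpt in VALID_RCPTS:
                spf = spf or self._spf(s)  # deferred check on first valid RCPT
                accepted = True
                continue
            bad += 1
            if self.auto_blacklist and bad >= BAD_RCPT_LIMIT:
                spf = spf or self._spf(s)  # needed anyway to choose the key
                # PASS ties the mail to the domain; otherwise only the IP is known
                self.blacklist.add(s["domain"] if spf == "pass" else s["ip"])
                return "reject: dictionary attack"
        if not accepted:
            return "reject: no valid recipient"
        return "reject: spf fail" if spf == "fail" else "accept"

def junk(n):
    return [f"user{i}@example.org" for i in range(n)]

SESSIONS = [  # constructed; IPs are documentation ranges
    {"ip": "192.0.2.10", "domain": "spammer.example", "spf": "pass", "rcpts": junk(3)},
    {"ip": "198.51.100.7", "domain": "victim.example", "spf": "fail", "rcpts": junk(3)},
    {"ip": "203.0.113.5", "domain": "friend.example", "spf": "pass", "rcpts": ["alice@example.org"]},
    {"ip": "192.0.2.99", "domain": "spammer.example", "spf": "pass", "rcpts": junk(3)},
]

def run(spf_at_mail_from, auto_blacklist):
    f = Filter(spf_at_mail_from, auto_blacklist)
    results = [f.handle(s) for s in SESSIONS]
    return f.spf_lookups, sorted(f.blacklist), results
```

On these sessions, both orderings cost 3 SPF evaluations when auto-blacklisting is on, while with it off deferring the check drops the count from 4 to 1.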