
Re: [spf-discuss] Re: SPF queries by a newbie

2006-11-13 10:03:32
On Mon, 13 Nov 2006, Julian Mehnle wrote:

> I wonder if there is a complete solution to spam, which checks upon
> connection to the MX and does Reject 554 at the SMTP level if certain
> checks fail before the email ever really enters the MX proper?

I'll leave it for others to explain how that can be easily accomplished 
with modern MTAs using various tools such as SpamAssassin, DNS reputation 
black-lists, etc.

Here is another example: the complete solution I use is pymilter
[http://pymilter.sourceforge.net].  This uses sendmail (or postfix)
with the milter API and a python script.

Briefly, it checks SPF on incoming mail.  It notes recipients
on outgoing email, and any incoming SPF pass that matches an outgoing
RCPT TO is whitelisted.  That delivers email from all regular correspondents
that publish SPF with no fuss.  Before checking SPF, blacklisted
domains and IPs are rejected.

For non-SPF correspondents (or lame ?all or ~all policies), 
some heuristics are applied.  E.g., SPF none is converted to a
guessed neutral or pass by applying the guessed policy "v=spf1 a/24 mx/24 ptr".
A guessed pass proceeds to the above.

If we don't have a pass yet, we check whether either the rDNS (PTR)
or HELO name is valid.  If neither is valid, we reject the connection.
(Many ISPs reject on invalid rDNS alone, but that policy is unfair
to small domain owners, who don't always have access to an ISP capable
of setting it properly.  The HELO, on the other hand, is also required
by RFC 2821 and completely under their control.)

DSNs to unsigned recipients are rejected (we sign all outgoing mail with SRS).
We use some heuristics to treat mail from, e.g., postmaster as a DSN
because of all the RFC-ignorant MTAs out there.

If we haven't passed or rejected yet, we check a local policy database
(sendmail access file) with rules like 

Spf-Neutral:example.com      OK

which says to accept anonymous mail claiming to be from example.com,
presumably because example.com is an important client, despite being
clueless about email, and we haven't been badly bitten by forgeries yet.

Email to honeypot mailboxes is used to train a bayesian content filter.
(As is whitelisted incoming mail with SPF pass.)

The content filter quarantines statistically spammy messages.

At this point, we do CBV, or send a DSN (explaining permerrors,
invalid HELO, quarantined mail, etc) to verify the sender.  If this fails, the
sender is blacklisted, and is immediately rejected from this point on.

Anonymous or never before seen mail that doesn't look spammy to the
content filter is delivered.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
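The order of checks described in the post above, written out as an added example (not pymilter's code): a stub resolver supplies constructed DNS data, `guessed_spf` applies the "v=spf1 a/24 mx/24 ptr" guess for SPF none, and `decide` walks the blacklist, outgoing-recipient whitelist, HELO/rDNS, access-file and content-filter steps in the sequence the post gives. Hostnames, addresses and the `access` dictionary are all hypothetical.

```python
import ipaddress

# Constructed stub DNS data standing in for real resolver lookups (hypothetical hosts/addresses).
DNS_A = {"example.com": ["192.0.2.10"], "mail.example.com": ["192.0.2.20"]}
DNS_MX = {"example.com": ["mail.example.com"]}
DNS_PTR = {"198.51.100.5": "relay.example.com"}


def guessed_spf(domain, ip):
    """SPF none: apply the guessed policy "v=spf1 a/24 mx/24 ptr" and return pass or neutral."""
    addr = ipaddress.ip_address(ip)
    for host in [domain] + DNS_MX.get(domain, []):          # a/24 and mx/24 mechanisms
        for a in DNS_A.get(host, []):
            if addr in ipaddress.ip_network(f"{a}/24", strict=False):
                return "pass"
    ptr = DNS_PTR.get(ip, "")                                # ptr mechanism
    if ptr == domain or ptr.endswith("." + domain):
        return "pass"
    return "neutral"


def decide(ip, sender, spf, helo_ok, rdns_ok, outgoing_rcpts, access, blacklist, spammy):
    """Return (action, reason) following the order of checks described in the post."""
    domain = sender.split("@", 1)[1]
    if ip in blacklist or domain in blacklist:               # blacklist before SPF
        return ("reject", "blacklisted")
    if spf == "none":
        spf = guessed_spf(domain, ip)                        # none -> guessed pass/neutral
    if spf == "pass" and sender in outgoing_rcpts:           # prior outgoing RCPT TO + pass
        return ("accept", "whitelisted correspondent")
    if spf != "pass" and not (helo_ok or rdns_ok):           # neither HELO nor rDNS valid
        return ("reject", "invalid HELO and rDNS")
    # Local policy database, keyed like the sendmail access file: Spf-Neutral:example.com OK
    policy_ok = access.get(f"Spf-{spf.capitalize()}:{domain}") == "OK"
    if spammy:                                               # bayesian content filter
        return ("quarantine", "statistically spammy")
    if spf == "pass" or policy_ok:
        return ("accept", "SPF pass" if spf == "pass" else "local policy")
    return ("verify", "CBV or DSN to sender; blacklist on failure")
```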

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/