Stuart D. Gathman wrote on Thursday, January 04, 2007 5:25 PM -0600:
> On Thu, 4 Jan 2007, Seth Goodman wrote:
>> I don't agree. While HELO is a good spam indicator today, there's
>> no reason for it to remain that way. If rDNS matches, you know
>> that the domain has paid for an IP that will quickly become useless
>> if they spam. The fact that DNSBLs have been successful and that
>> spammers now favor zombies is an indication that it will make their
>> lives much more difficult.
>
> This seems to be the root of the problem. This is the SPF list, where
> we are trying to shift reputation from IP-based to domain-based.

SPF allows us to move from IP to domain reputation to some extent, but
everyone should understand that spammers can easily game this with a
bunch of zombies and throwaway domains. If you don't think this is
practical, let's go over the details. It's a real attack and we might
as well discuss it before it happens.
SPF is adequate by itself when the sending domain has some reputation,
which should be most of your mail. That's the case it was designed for:
domains protecting the use of their domain names and spamming domains
getting the reputation they deserve. The case I was trying to address
is when a sending IP/domain pair passes SPF yet the domain has no
reputation. If it's a throwaway domain, the spammer expects the domain
reputation to become terrible, but only _after_ sending a lot of spam.
One reasonable approach is to severely rate limit such domains until
they develop a reputation at your MTA. Unfortunately, you will also
severely rate limit legitimate mail from domains that are new to you.
You can probably skip this if rDNS matches forward DNS.

> All the spam that makes it to content filtering in my system has
> perfectly good rDNS. (And typically sends from class C networks
> to boot.)

By perfectly good rDNS do you mean matching forward DNS?

> I do have a three strikes rule, requiring valid rDNS, valid HELO, or
> valid SPF. That way, a competent admin can always email me regardless
> of whether their ISP can do rDNS properly.

That's good policy. Note that they could still contact you if you rate
limit them.
--
Seth Goodman
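The two mechanisms discussed in this exchange, the "three strikes" acceptance rule (valid forward-confirmed rDNS, valid HELO, or SPF pass) and rate limiting of SPF-passing domains that have no reputation at the receiving MTA yet, combined into one policy function. This is an added example, not code from the thread or from any list member's milter; the DNS tables, the sender domains, the toy SPF evaluator (which handles only `ip4:`, `a` and `all`) and the reputation thresholds are all constructed assumptions so the block runs offline:

```python
"""Added example: an MTA policy combining the three-strikes rule with a
per-domain rate limit for SPF-passing domains that have no track record.
DNS is replaced by constructed in-memory tables (assumption: none of these
records, hosts or domains are real)."""
import ipaddress
from collections import defaultdict, deque

# --- constructed DNS data ---
PTR = {"192.0.2.10": "mail.example.com",
       "198.51.100.7": "dyn-7.isp.example.net"}
A = {"mail.example.com": ["192.0.2.10"],
     "dyn-7.isp.example.net": ["198.51.100.8"],   # PTR -> A does not round-trip
     "spammy.example": ["198.51.100.7"]}
SPF_TXT = {"example.com": "v=spf1 ip4:192.0.2.0/24 -all",
           "spammy.example": "v=spf1 a -all"}


def fcrdns_ok(ip):
    """Forward-confirmed rDNS: the PTR name must resolve back to the IP."""
    name = PTR.get(ip)
    return name is not None and ip in A.get(name, [])


def helo_ok(helo, ip):
    """HELO must be a dotted hostname that resolves to the connecting IP."""
    return "." in helo and ip in A.get(helo, [])


def spf_check(ip, domain):
    """Toy SPF evaluator (assumption: only ip4:, a and all; real SPF has more)."""
    record = SPF_TXT.get(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qual = "+"
        if term[0] in results:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in A.get(arg or domain, [])
        else:
            continue                         # unsupported mechanism in this toy
        if matched:
            return results[qual]
    return "neutral"


class DomainReputation:
    """Sliding-window rate limit per sender domain until the domain has
    accumulated enough accepted mail here to count as known."""

    def __init__(self, new_domain_limit=5, window=3600, trusted_after=100):
        self.limit, self.window, self.trusted_after = new_domain_limit, window, trusted_after
        self.accepted = defaultdict(int)     # lifetime accepted count per domain
        self.recent = defaultdict(deque)     # accept timestamps inside the window

    def allow(self, domain, now):
        if self.accepted[domain] >= self.trusted_after:
            return True
        q = self.recent[domain]
        while q and now - q[0] >= self.window:
            q.popleft()
        return len(q) < self.limit

    def record(self, domain, now):
        self.accepted[domain] += 1
        self.recent[domain].append(now)


def smtp_policy(ip, helo, mail_from_domain, now, rep):
    """Return (verdict, reason) for one SMTP transaction."""
    spf = spf_check(ip, mail_from_domain)
    if spf == "fail":
        return ("reject", "SPF fail")
    fcrdns = fcrdns_ok(ip)
    strikes = [fcrdns, helo_ok(helo, ip), spf == "pass"]
    if not any(strikes):
        return ("reject", "no valid rDNS, HELO or SPF")
    # SPF pass from a domain with no reputation: rate limit unless rDNS
    # round-trips, in which case the IP owner already carries the risk.
    if spf == "pass" and not fcrdns and not rep.allow(mail_from_domain, now):
        return ("defer", "rate limited: domain has no reputation here")
    rep.record(mail_from_domain, now)
    return ("accept", "fcrdns=%s helo=%s spf=%s" % (fcrdns, strikes[1], spf))
```

A domain that passes SPF but fails forward-confirmed rDNS is accepted only `new_domain_limit` times per `window` until it reaches `trusted_after` accepted messages, after which the limit is lifted; a domain with matching rDNS skips the limit entirely, as the message above suggests. Deferring (a 4xx response) rather than rejecting keeps legitimate new senders from losing mail, at the cost of delay.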
-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=735