spf-discuss

RE: [spf-discuss] SPF basics commentary

2007-01-29 12:30:13
Stuart D. Gathman wrote on Monday, January 29, 2007 12:04 PM -0600:

> No, I found that the *domain* was legitimate and not forged.  That is
> all I'm claiming.  The domain in your example was not forged, and
> can safely be credited with spam demerits and blocked shortly
> thereafter.

That misses the point, which is to reject mail from hosts that are not
legitimate.  You can properly say that SPF is about domain forgery and
nothing more, and I will point out that if it results in accepting more
spam, recipients won't use it.  If mail comes from an IP that isn't
controlled by the domain claiming responsibility, I don't want it
because it most likely is not legitimate.  You can always whitelist
specific IPs that can't get PTR delegation.  If you live in a place
where a lot of legitimate domains send mail from IPs that don't list
the domain in a PTR, then you shouldn't reject mail for lack of PTR
agreement.  However, in many places, lack of PTR agreement has a low
enough false positive rate to be a useful spam indicator.  I can only
see this trend increasing.

> The spammer in your example could also publish "v=spf1 +all" to get
> an SPF pass for any IP.

They certainly can.  This is another reason to question whether the
machine at the connect IP has a relationship with the sending domain.

> People requiring rDNS or worrying about spammers publishing "v=spf1
> +all" are apparently focused on IP reputation rather than domain
> reputation. The whole point of the SPF project is to enable domain
> reputation.

I completely agree.  At the same time, domain reputation is an
additional tool, not a replacement for IP reputation.  As most spam now
seems to come from trojaned hosts, and domains are cheap enough to be
disposable, relying on domain reputation only makes you process a lot of
messages from new domains through content filters before blacklisting
them.  For this spam vector, which is still increasing, you are much
better off checking for PTR agreement and rejecting before data.

Verifying the sending domain is valuable, but in an environment where
trojaned hosts are the preferred spam senders, you need to ask whether a
domain actually controls the IPs they list.

--
Seth Goodman
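The two checks argued over in the exchange above, a domain publishing "v=spf1 +all" getting an SPF pass for any IP, and "PTR agreement" (forward-confirmed reverse DNS where the PTR name also belongs to the domain claiming responsibility) catching mail from hosts the domain does not control, are modelled in the following added example. It is not code from the post or from the SPF project; the resolver data is a constructed in-memory table using documentation-range addresses and example names, and the SPF evaluator handles only the `ip4` and `all` mechanisms needed to show the point.

```python
"""Toy model of SPF evaluation next to a PTR-agreement check (added example).

All DNS data below is constructed for the example; nothing is looked up on
the network, so the script runs offline.
"""
import ipaddress

# Constructed DNS table (hypothetical zones, documentation-range IPs).
DNS = {
    "TXT": {
        "good.example": "v=spf1 ip4:192.0.2.10 -all",  # only its own MTA
        "lax.example": "v=spf1 +all",                   # the "+all" case
    },
    "PTR": {
        "192.0.2.10": "mail.good.example",
        "198.51.100.7": "dsl-7.isp.example",  # a consumer host, not the domain's
    },
    "A": {
        "mail.good.example": "192.0.2.10",
        "dsl-7.isp.example": "198.51.100.7",
    },
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip):
    """Evaluate a subset of SPF (ip4 and all mechanisms only).

    Returns 'none' when the domain publishes no SPF record, otherwise the
    result of the first matching mechanism, or 'neutral' if none matches.
    """
    record = DNS["TXT"].get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # SPF default qualifier is pass
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            continue  # mechanisms outside this toy are ignored
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


def ptr_agreement(domain, client_ip):
    """PTR agreement: reverse name confirms forward and sits under the domain.

    Step 1: the client IP must have a PTR record.
    Step 2: that name must resolve back to the same IP (forward-confirmed).
    Step 3: the name must equal the domain or be a subdomain of it.
    """
    name = DNS["PTR"].get(client_ip)
    if name is None:
        return False  # no reverse DNS at all
    if DNS["A"].get(name) != client_ip:
        return False  # PTR name does not point back: unconfirmed
    return name == domain or name.endswith("." + domain)


def accept_before_data(domain, client_ip):
    """The policy argued for above: SPF pass is necessary but not sufficient;
    the connecting host must also show PTR agreement with the domain."""
    return spf_check(domain, client_ip) == "pass" and ptr_agreement(domain, client_ip)


if __name__ == "__main__":
    for domain, ip in [("good.example", "192.0.2.10"),
                       ("good.example", "198.51.100.7"),
                       ("lax.example", "198.51.100.7")]:
        print(domain, ip, spf_check(domain, ip),
              "ptr-agree" if ptr_agreement(domain, ip) else "no-ptr-agree",
              "ACCEPT" if accept_before_data(domain, ip) else "REJECT")
```

Running it shows the asymmetry the thread is about: `lax.example` gets an SPF pass from the consumer host at 198.51.100.7, but the PTR-agreement check fails there because the reverse name belongs to the ISP, so the combined policy rejects before DATA; `good.example` from its own MTA passes both.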

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=735