Ok, I see now. Not too long ago, SPF was identifying spam based on the SPFPass.
They were spoofing their from. Now, I am seeing more commercial spam coming
from bots with a from domain using a +all SPF.
I still use SPFPass to disqualify some other spam checks. Server checks the
From address to be sure it exists on the server. If it doesn't exist, it's
either spoofed or it is a sender without a reply email (a web app - a forum).
More and more forums have installed SPF records. So I can use the SPFPass to
disqualify the non-existent From check.
If Header contains X-VALFROM AND Header does not contain X-SPFPass Then mark as
spam.
I am now doing some log statistics on all +all records found. All of the MAIL
FROM domains look like commercial spam domains. I am testing the addition of
these MAIL FROM domains to my server's kill list.
All of these had +all SPF records.
--troy
---------- Original Message ----------------------------------
From: "Peter Bowyer" <peter(_at_)bowyer(_dot_)org>
Reply-To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Date: Thu, 6 Sep 2007 09:15:51 +0100
On 06/09/07, Troy Fuqua <troy(_at_)visiblepulse(_dot_)com> wrote:
The spammers are registering mail domains and setting +all SPF records.
Then the bots can push the spam through.
oh noes.
why was +all allowed to be in there?
So you can be sure that the mail you're receiving is authorised by the
domain that's sending it. Same as all the other mechanisms.
The question you should be asking is why you trust mail that is
authorised by bigspammer.com. The simple fact of an SPF PASS is only
really useful when used in conjunction with a reputation system based
on domain (check out www.karmasphere.com for one such), or simply on
whether you want to receive the mail (a local whitelist).
--
Peter Bowyer
Email: peter(_at_)bowyer(_dot_)org
-------------------------------------------
-----------------------------------------------------------------------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?list_id=735
Powered by Listbox: http://www.listbox.com
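
The filtering rule and the reputation point discussed in this thread, as an added Python example that is not part of the original messages: an SPF pass is discounted when the sending domain's record authorizes every host through a `+all` or bare `all`. The meaning assumed for the headers (X-VALFROM marks a From address that failed the server's existence check, X-SPFPass marks an SPF pass), the function names and the sample domains and records are assumptions constructed for illustration.

```python
import re

# Constructed sample SPF TXT records, keyed by MAIL FROM domain (not from the thread).
SAMPLE_SPF = {
    "forum.example": "v=spf1 a mx -all",
    "bulk.example": "v=spf1 +all",
    "bare.example": "v=spf1 ip4:192.0.2.0/24 all",
}

def all_qualifier(record):
    """Qualifier of the first 'all' mechanism ('+', '-', '~', '?'), or None.

    Only the record text itself is inspected; include: and redirect= are not followed.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"  # an omitted qualifier defaults to '+'
    return None

def classify(headers, mail_from_domain, spf_records=SAMPLE_SPF):
    """Apply the X-VALFROM / X-SPFPass rule, discounting passes from +all domains."""
    record = spf_records.get(mail_from_domain, "")
    passed = "X-SPFPass" in headers
    open_policy = all_qualifier(record) == "+"
    # Assumed semantics: X-VALFROM present means the From check failed.
    if "X-VALFROM" in headers and not (passed and not open_policy):
        return "spam"
    # A pass from a domain that authorizes everyone says nothing by itself;
    # hand the decision to a domain reputation source or a local whitelist.
    if passed and open_policy:
        return "check-reputation"
    return "accept"
```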