Hi there,
On Sat, 21 Nov 2009, Thomas Harold wrote:
> What is the current thinking on rejecting at the SMTP transaction if you
> encounter an SPF fail? Are there a lot of false positives?
This implies an accepted meaning for the expression "false positive"
and I'm not sure that there is one. Spammers are as easily able to
set up DNS records as anyone else. Sometimes it seems that spammers
are implementing SPF faster than anyone else, and at one time people
were (only half-jokingly:) suggesting that mail should be rejected on
SPF pass! But that misses the point. The question is one of forgery.
In my book nobody has any business forging anything, so when I get an
SPF fail I reject, usually without even asking for the DATA. If I do
ask for the data it's probably to send it to a honey trap, or abuse@.
If I get a softfail I take a view. Usually a dim one.
Does this help a lot in fighting spam? Well it does, but very little.
So far this month out of about half a million attempts to send spam to
the dozen or so domains for which I handle mail, two were rejected on
SPF failure. Typical numbers, but bear in mind that the vast majority
of attempts didn't even get as far as the SPF check so it isn't as bad
as those numbers might suggest.
To put it another way:
If any given domain publishes SPF records, then this month all the
attempts to send mail forged to appear to be from that domain were
rejected. And the previous month. And the one before that, and...
Sounds better that way. :)
100% of two forgery attempts still might not sound great, but there's
another little-mentioned benefit. My servers suffered no DOS attacks
from _legitimate_ mailservers which (a) were the recipients of botnet
generated mail forged to appear to be from one or more of the domains
I manage and (b) have implemented SPF checking. Admittedly I have but
a vague idea of how many attacks that might be, but I did experience a
couple two or three years back and that was hell. Mail volumes rose
by more than an order of magnitude in a few minutes, and stayed that
way for weeks. The first attack brought a server down for a few days.
The second one didn't. One reason that I don't have any real numbers
for this important metric is that if the legitimate servers see mail
forged to come from my domains, and if they also check my SPF records,
then I don't see any traffic except mail to my own abuse@ addresses -
and I can't remember the last time I saw any. Which is a Good Thing.
So your question will probably boil down to "how much do I trust the
domain's DNS records?". Leaving aside misconfigured records, my view
is that you have no choice but to trust them, just as you must trust
them when you ask for the A or MX records. That's how things are.
> I'm trying to decide whether to remove the "warn_on_reject" in
> Postfix's main.cf to go ahead and return a 550 5.7.1 error code.
I'm slightly to the right of Attila the Hun on mail rejection, so as
a non-representative sample I'll leave others to help you with that.
--
73,
Ged.
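Added example, not code from either poster: a small Postfix policy-delegation responder that applies the stance above, rejecting an SPF fail with 550 5.7.1 at RCPT time (before DATA) and otherwise only prepending a Received-SPF header. The SPF records, the sample request and the domains are constructed for the example, the evaluator handles only ip4 and all mechanisms, and the warn_only switch stands in for Postfix's warn_if_reject (the "warn_on_reject" of the question) by recording the would-be rejection instead of enforcing it.

```python
import ipaddress

# Constructed in-memory stand-in for DNS TXT lookups (assumption: not real records).
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 -all",
    "example.net": "v=spf1 ip4:198.51.100.10 ~all",
}
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed policy request in the form smtpd sends it (documentation addresses only).
SAMPLE_REQUEST = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
                  "client_address=203.0.113.9\nsender=alice@example.org\n"
                  "recipient=bob@example.com\n\n")

def evaluate_spf(sender_domain, client_ip):
    """Minimal SPF evaluator: only ip4 mechanisms and 'all' (a subset of RFC 4408)."""
    record = SPF_RECORDS.get(sender_domain.lower())
    if record is None:
        return "none"                      # domain publishes no policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:        # skip the 'v=spf1' version tag
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIER_RESULT[qualifier]
        if term == "all":
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                       # no mechanism matched and no 'all' term

def parse_policy_request(text):
    """Parse one policy-delegation request: name=value lines terminated by a blank line."""
    attrs = {}
    for line in text.split("\n"):
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def policy_action(request, warn_only=False):
    """Decide the Postfix action at RCPT time, i.e. before DATA is ever requested."""
    sender = request.get("sender", "")
    domain = sender.rpartition("@")[2]
    if not domain:                         # null sender (bounces): nothing to check
        return "DUNNO"
    result = evaluate_spf(domain, request["client_address"])
    if result == "fail":
        verdict = "550 5.7.1 SPF fail: %s not permitted to send for %s" % (
            request["client_address"], domain)
        # warn-only mode records the would-be rejection instead of enforcing it
        return "PREPEND X-SPF-Warning: %s" % verdict if warn_only else verdict
    return "PREPEND Received-SPF: %s (client %s)" % (result, request["client_address"])
```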
-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com