Re: initial analysis of SPF_PASS results

[Justin Mason]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Daniel Quinlan writes:
> First, large ISPs seem to be the origination point for a *lot* of spam.

Large ISPs' outbound relays, or direct from their dynamic pools?
e.g. blueyonder.co.uk list their dyn pools in their SPF record,
which is unfortunate but legal.

> Second, here's my list of the domains we could potentially whitelist for
> SPF_PASS results (high count, good ratio, not biased towards open source
> folks).
> 
> 0.0000  90      health.webmd.com
> 0.0000  27      foolsubs.com
> 0.0000  23      ms3.lga2.nytimes.com (list *.nytimes.com ?)
> 0.0000  17      match.com
> 0.0000  9       paypal.com

+1 -- I can go for that.

(Worth noting that I *don't* think we should also apply the converse,
treating mails from those doms that don't fix the SPF record as forged;
we'd need to do separate analysis on that.)

> For a different and even less biased approach, I took the listings with
> 0.01 or lower S/O ratio and ranked them by SenderBase volume (entries
> above 6.0 on the volume scale).  Note that I just extracted
> registrar-level domain names from the SPF domain lists, so some of these
> are definitely not completely clean or are not immediately
> whitelistable.
> 
> domain                  volume  whitelist?
> --------------------    ------  ----------
> ebay.com                7.5     yeah
> amazon.com              6.7     yeah
> speakeasy.net           6.6
> paypal.com              6.6     yeah
> msn.com                 6.6
> roving.com              6.5
> nytimes.com             6.5     yeah
> m0.net                  6.5
> classmates.com          6.5
> exacttarget.com         6.4
> sparklist.com           6.2
> sourceforge.net         6.1
> securityfocus.com       6.1
> spamarrest.com          6.0
> rm04.net                6.0
> redhat.com              6.0
> foolsubs.com            6.0     yeah
> bluehornet.com          6.0
> 
> So, based on all that, I'm thinking we could experimentally add SPF_PASS
> whitelists for:
> 
>   ebay.com
>   amazon.com
>   paypal.com
>   nytimes.com
>   foolsubs.com
>   webmd.com
>   match.com
> 
> I checked NANAE and the above domans seem to be pretty clean and this
> jives with my recollection.

+1.

- --j.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Exmh CVS

iD8DBQFB4gLNMJF5cimLx9ARAn3CAKC7V80ycFkJrP+8bE3oP2T85VQ4NwCgi5t6
GdGMdM89ze4fvC/9l/uDdJ0=
=jXd3
-----END PGP SIGNATURE-----