> You are for sure aware that neither SPF nor DKIM are able or designed to 
> fight Spam.

I know that a lot of people are stressing this. But it is not my opinion nor 
experience (see below).

> In fact more than half of the Spam reaching our inboxes are valid according 
> DKIM/SPF so we even might reduce spam by rejecting DKIM/SPF signed mail.

In our case, we have cut down SPAM by approximately 90% just by doing SPF and 
DKIM checks on incoming messages. For example, my own corporate mailbox got 
approximately 200 or more SPAM messages per day before we started rejecting 
messages without DKIM or SPF, and now I am getting somewhere between 10 and 30. 
That's what I meant by "extremely effective in our case".

> DKIM/SPF does only include that the sending server is mandated by DNS to send 
> mail for the given domain and this is easily done with all modern spammer 
> tools.

Well, most spammer tools might do this. But the spammer then first has to get a 
domain and then has to set up the DNS entries, which obviously is too 
complicated for most spammers. Furthermore, I am constantly seeing messages 
trying to get into the server which originate from dynamic IP addresses. The 
majority of spam messages still seem to be sent directly (i.e. without passing 
through a "smarthost") to our receiving MTA by PCs which have been infected with 
a trojan horse; it seems that the sending MTA more often than not is part of 
this trojan and thus sends the messages from a dynamic IP address. I am 
convinced that it is impossible for a spammer to continuously update his SPF 
entries for all devices he has under control with the dynamic IP addresses of 
these devices.

[N.B. Of course, we are rejecting messages even if they pass SPF but the SPF 
entry has something like +all or ~all in it.]

Now to the most important part of SPF and DKIM (I am stressing this because I 
am convinced that many people really believe that you can't fight SPAM with SPF 
or DKIM):

As you have correctly stated, if a message passes the SPF or DKIM test, you can 
be sure that the *owner* (or someone who has been authorized by the owner) of 
the (pretended) sender's domain actually has authorized that message (at least 
indirectly). In other words, if a message which passes the SPF or DKIM test 
contains SPAM, the owner of the (pretended) sender's domain either has allowed 
somebody to use the domain for sending spam, or he obviously is not in control 
of his staff or his mail or DNS server. In either case, you could (and should) 
blacklist this sender domain.

This is the key aspect: Without SPF and DKIM, you can *not* blacklist a sender 
domain after receiving SPAM from that domain, because you could be sure that 
the sender domain has been faked by the spammer, and if you had blacklisted it, 
you would not get legitimate emails from there any more (imagine the spammer 
had used someb...@ibm.com as the sender's address).

But with SPF or DKIM, you can immediately blacklist any sender domain after 
having received SPAM from that domain. You now know *for sure* that the spammer 
did not abuse / fake the sender's address (leaving aside things like a hacked 
mail relay etc.), but that the domain owner has authorized the SPAM, thus you 
are sure that you do not want to get any more messages from that domain.

Combine SPF / DKIM with domain blacklisting, and then you *have* an efficient 
spam fighting tool.

Regards,

Binarus
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
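The policy argued in the message above (require an SPF or DKIM pass, distrust permissive SPF records, and blacklist a sender domain only once authentication proves it was not forged) as an added example; this is not code from the post or from Cyrus. It assumes the receiving MTA writes an Authentication-Results header in the usual `spf=pass smtp.mailfrom=...; dkim=pass header.d=...` form, and the sample messages and SPF records are constructed.

```python
import re
from email import message_from_string

# Constructed samples, not from the post. Assumption: our own receiving MTA adds
# the Authentication-Results header (and strips any copy the sender supplied).
SAMPLE_AUTH = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bulk@sender.example; dkim=pass header.d=sender.example
From: bulk@sender.example
Subject: Special offer

hello
"""
SAMPLE_NOAUTH = "From: someone@forged.example\nSubject: hi\n\nhello\n"

# Simplified reader for the common Authentication-Results layout (not a full RFC 8601 parser).
AUTH_RE = re.compile(
    r"\b(spf|dkim)=(\w+)(?:[^;]*?\b(?:smtp\.mailfrom|header\.d)=([\w.@-]+))?")

def parse(text):
    return message_from_string(text)

def authenticated_domains(msg):
    """Domains for which SPF or DKIM passed, e.g. {'spf': 'a.example', 'dkim': 'a.example'}."""
    found = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict, ident in AUTH_RE.findall(hdr):
            if verdict == "pass" and ident:
                found[mech] = ident.rsplit("@", 1)[-1].lower()
    return found

def spf_is_permissive(spf_txt):
    """A record with +all or ~all lets any host pass, so an SPF 'pass' proves nothing."""
    return re.search(r"(?:^|\s)[+~]all\b", spf_txt) is not None

def decide(msg, blacklist, spf_records):
    """Require SPF or DKIM, reject permissive SPF, then consult the domain blacklist."""
    auth = authenticated_domains(msg)
    if not auth:
        return "reject: neither SPF nor DKIM passed"
    spf_dom = auth.get("spf")
    if spf_dom and spf_is_permissive(spf_records.get(spf_dom, "")):
        return f"reject: permissive SPF record for {spf_dom}"
    for dom in set(auth.values()):
        if dom in blacklist:
            return f"reject: {dom} is blacklisted"
    return "accept"

def report_spam(msg, blacklist):
    """Blacklist the sender domain only if authentication proved it was not forged."""
    auth = authenticated_domains(msg)
    if not auth:
        return None  # unauthenticated: the domain may be spoofed, do not punish its owner
    dom = auth.get("dkim") or auth["spf"]
    blacklist.add(dom)
    return dom
```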