On Tue, 26 Mar 2013 23:14:15 -0700 (PDT) [email protected] wrote:

> 1) When a spammer uses SPF, recipients KNOW the spammer domains and
> servers and automatically block them.

Eventually. But when spammers register domains and throw them away
after a few hours' use, it can be difficult to keep up.

> Such is most effective with a shared reporting namespace of spammers
> (like spamhaus or spamcop). Unless they're registering domains with
> stolen credit cards, burning a lot of domains like that is going to
> get expensive, even with the cheapest registration services.

Spam gangs sell spam software and time on botnets to suckers. If you're
charging someone a few hundred bucks to do a spam run, adding $6 for
domain name registration doesn't significantly affect the economics.

> 2) Spammers seem to be avoiding spoofing domains that have proper
> SPF records set up,

That's not my feeling. Taking a look at a couple of hours' worth of data
from one of our scanners, we see:

SPF Pass:
=========
18531 accepted as ham
14622 considered spam

so the correlation between SPF "pass" and non-spam is very mild indeed.

SPF Softfail:
=============
1243 accepted as ham
1343 considered spam

Again quite mild correlation.

SPF Fail:
=========
68 accepted as ham
553 considered spam

Better correlation, but still a significant FP rate if we outright
rejected SPF Fail mail.

Furthermore, if we look at some of the SPF Fails, we see things like
this (obfuscated to protect the guilty):

2013-03-27T08:30:48.487010-04:00 colo4 CanIt[22686]: r2RCUlQB029099: what=accepted, [email protected], realm=example-com, country_code=NL, linktype=Ethernet or modem, nrcpts=1, os=Linux, osver=2.6.x, prob=0.0001, relay=x.y.z.a, score=4.9, [email protected], tests=T_RP_MATCHES_RCVD:-0.01;SPF(fail:5);DKIM(none:0);RBL(rp-good:-0.1), subject=Scheduled Task Endpoint Security Scan - Completed

That's from a network monitoring system that sends (by default) from
the domain of the system manufacturer. Since most people don't bother
changing defaults, millions of these alert mails go out every day and
fail SPF.

Welcome to the IT industry... a giant pile of fail.

Regards,

David.
MIMEDefang mailing list [email protected]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
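A tally like the one in the message above can be reproduced from scanner logs. The following is an added example, not part of the original post and not CanIt's own code: the sample lines are constructed after the quoted log line, the verdict value `rejected` is an assumption, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed log lines modeled on the one quoted above. The verdict value
# "rejected", the ids, scores and subjects are assumptions for illustration.
SAMPLE_LOG = [
    "CanIt[1]: id1: what=accepted, score=4.9, tests=T_RP_MATCHES_RCVD:-0.01;SPF(fail:5);DKIM(none:0), subject=Scheduled Task Endpoint Security Scan - Completed",
    "CanIt[1]: id2: what=rejected, score=9.1, tests=SPF(pass:0);DKIM(none:0), subject=Cheap pills",
    "CanIt[1]: id3: what=accepted, score=0.2, tests=SPF(pass:0);DKIM(pass:0), subject=Meeting notes",
    # Sender-controlled subject imitating a test result; must not be counted.
    "CanIt[1]: id4: what=rejected, score=12.0, tests=SPF(fail:5);DKIM(none:0), subject=Re: SPF(pass:0) invoice",
    "CanIt[1]: id5: what=rejected, score=7.3, tests=SPF(softfail:2);DKIM(none:0), subject=Hello",
    "CanIt[1]: id6: what=accepted, score=0.1, tests=DKIM(pass:0), subject=No SPF test recorded",
    "sendmail[2]: id7: some unrelated line without a verdict",
]

# Counts reported in the message above, keyed as (spf_result, verdict).
PAGE_COUNTS = Counter({("pass", "ham"): 18531, ("pass", "spam"): 14622,
                       ("softfail", "ham"): 1243, ("softfail", "spam"): 1343,
                       ("fail", "ham"): 68, ("fail", "spam"): 553})

WHAT_RE = re.compile(r"\bwhat=(\w+)")
# Only the tests= field is trusted; it holds no commas in the quoted line.
TESTS_RE = re.compile(r"\btests=([^,]*)")
SPF_RE = re.compile(r"(?:^|;)SPF\((\w+):")

def tally(lines):
    """Count (spf_result, verdict) pairs; lines without what= are skipped."""
    counts = Counter()
    for line in lines:
        what = WHAT_RE.search(line)
        if not what:
            continue
        tests = TESTS_RE.search(line)
        spf = SPF_RE.search(tests.group(1)) if tests else None
        result = spf.group(1) if spf else "none"
        verdict = "ham" if what.group(1) == "accepted" else "spam"
        counts[(result, verdict)] += 1
    return counts

def spam_fraction(counts, result):
    """Share of mail with this SPF result that was considered spam."""
    ham, spam = counts[(result, "ham")], counts[(result, "spam")]
    return spam / (ham + spam) if ham + spam else None

if __name__ == "__main__":
    for result in ("pass", "softfail", "fail"):
        print(f"{result:9s} spam fraction {spam_fraction(PAGE_COUNTS, result):.3f}")
```

Run on the counts from the message, the spam fraction is about 0.44 for pass, 0.52 for softfail and 0.89 for fail, so rejecting on fail alone would have dropped the 68 messages accepted as ham.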

