Re: [Declude.JunkMail] SPF vs. Form Mail

2003-12-19 Thread R. Scott Perry

I think whitelisting E-mail based on an SPF PASS probably isn't a wise 
idea, but I'm sure that spammers that do use SPF will be much easier to 
catch (they are providing a list of IPs that they may be spamming from <G>).

If I was a spammer, I would use this to my advantage.  These guys collect 
2,000 IP's at a time, and move around their blocks in order to avoid being 
perma-listed in the RBL's already, and turning on and off some SPF 
listings can't be that much more difficult.

But, they then have to register domains to publish the SPF records 
with.  That leaves a new area for exploration -- finding the registrars 
they are using, checking WHOIS information, NS records, etc.  If SPF E-mail 
was being whitelisted, it would be very useful for the spammer.  But if it 
subtracts 10 points from the weight of the E-mail, it isn't going to be 
enough to make it worth the while for spammers to do this.

Normally, it uses the return address of the E-mail (MAILFROM, from the 
X-Declude-Sender: header).  However, if there is a NULL return 
address, or the address isn't valid (postmaster, for example), then the 
domain in the HELO/EHLO will be used.


I'm not sure if this is in the RFC, but it would be a lot more accurate if 
you could compare the HELO to the SPF data.  Some scripts also falsify 
the HELO, but nowhere near the number of forged domains in MAILFROM.

The original design for SPF allowed for that, but the current one does 
not.  I'm not sure why that was changed.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


Re: [Declude.JunkMail] SPF vs. Form Mail

2003-12-19 Thread Matthew Bramble
R. Scott Perry wrote:

I'm not sure if this is in the RFC, but it would be a lot more 
accurate if you could compare the HELO to the SPF data.  Some scripts 
also falsify the HELO, but nowhere near the number of forged 
domains in MAILFROM.


The original design for SPF allowed for that, but the current one does 
not.  I'm not sure why that was changed.


This is kind of a response to all the follow ups this morning.  I can't 
afford to use this test on the majority of my domains because I can't 
currently make use of WHITELIST AUTH, and I have enough customers that 
use third-party outgoing mail servers for one reason or another that 
this would cause issues there as well.  I was already debating what to 
do with a spamdomains variant that was coded for local domains, and I 
was only scoring that at 20% of my fail weight.  I could remove that 
test and replace it with SPF scored at 20%, however the effects of the 
SPF would carry over to other sources that would potentially have 
problems and over which I would have no control.  There is some 
potential with this as a negative weight test, however once the spammers 
catch on, the value would be diminished greatly, and of course legit 
mail servers are sources of spam, just not as often as the illegitimate 
ones, and I don't see the need to credit senders based only on the fact 
that they matched their SPF records.  IPNOTINMX already does most of 
this as a dumb test, and I only give that 1 point of credit anyway.  
Considering these issues, I don't see why I should push something 
forward with such a flaw.

I would however reevaluate the idea if it was modified to work on HELO 
instead of MAILFROM, though that would require some monitoring as there 
are always unexpected results.  I hope that this can become a tool, and 
I'm all for the idea of supporting innovation by adding my own records 
to the mix, but I'm not convinced that this will help in its current 
format.  I don't believe you can verify the sender any more reliably 
than we already are with SMTP, and efforts should instead be focused on 
verifying the server.

I'm very sorry to have not liked either this effort or the Web-O-Trust 
thing, and I don't want to sound like I'm just being critical for the 
sake of it (though sometimes I am overly critical), but I feel that it 
is constructive for me to say this if for no other reason than to warn 
others about the potential of issues, but hopefully rather to influence 
the process for the better.  I'm sure there are others around here that 
feel the same way, but choose not to voice their opinions out of fear of 
insulting someone else...or maybe I'm just whacked :)

Matt



Re: [Declude.JunkMail] SPF vs. Form Mail

2003-12-19 Thread R. Scott Perry

This is kind of a response to all the follow ups this morning.  I can't 
afford to use this test on the majority of my domains because I can't 
currently make use of WHITELIST AUTH, and I have enough customers that use 
third-party outgoing mail servers for one reason or another that this 
would cause issues there as well.
It seems that a lot of people don't really understand the full power of 
SPF.  Most people assume it is pass/fail, but it is actually 
pass/fail/unknown.  What this means is that you can set up an SPF record 
that instead of saying "E-mail from @example.com that comes from 192.0.2.25 
is definitely legitimate, but everything else is bogus" (v=spf1 
+ip4:192.0.2.25 -all), you can say "E-mail from @example.com that comes 
from 192.0.2.25 is definitely legitimate, but any E-mail from @example.com 
from other IPs may or may not be bogus" (v=spf1 +ip4:192.0.2.25 ?all).

This is *guaranteed* to give you better results than no SPF record, even if 
many of your users do not send mail directly through your mailserver.

I was already debating what to do with a spamdomains variant that was 
coded for local domains, and I was only scoring that at 20% of my fail 
weight.  I could remove that test and replace it with SPF scored at 20%, 
however the effects of the SPF would carry over to other sources that 
would potentially have problems and over which I would have no control.
But that's exactly the point -- you have no control over it!  If we set up 
declude.com as v=spf1 +mx -all, and I send an E-mail from another IP and 
it gets caught on your server, that is *my* fault (or the fault of whoever 
authorized the SPF record for declude.com).

In this case, if one of your users says "But my friend with a competing ISP 
can get mail from Scott!", you can tell him "But, the company Scott works 
for does not allow mail to be sent except from their servers."  Often, you 
get stuck telling a customer "That company has serious problems (open 
relay, no reverse DNS, etc.)."  But with SPF, it is company policy, which 
you are honoring.

There is some potential with this as a negative weight test, however once 
the spammers catch on, the value would be diminished greatly, and of 
course legit mail servers are sources of spam, just not as often as the 
illegitimate ones, and I don't see the need to credit senders based only 
on the fact that they matched their SPF records.  ... Considering these 
issues, I don't see why I should push something forward with such a flaw.
This might be best discussed on the SPF mailing list, where the creator of 
SPF and others can better comment on how SPF will deal with this.  Only 
time will tell if spammers will be able to successfully abuse SPF, but at 
the very least it will give them more work to do, costing them more money.

I'm very sorry to have not liked either this effort or the Web-O-Trust 
thing, and I don't want to sound like I'm just being critical for the sake 
of it (though sometimes I am overly critical), but I feel that it is 
constructive for me to say this if for no other reason than to warn others 
about the potential of issues, but hopefully rather to influence the 
process for the better.  I'm sure there are others around here that feel 
the same way, but choose not to voice their opinions out of fear of 
insulting someone else...or maybe I'm just whacked :)
That's fine -- if there are flaws with an idea and nobody comes out and 
says it, everybody loses.

   -Scott


RE: [Declude.JunkMail] SPF vs. Form Mail

2003-12-19 Thread Aaron Caviglia
Scott,

I just wanted to post and let you know that I started a website
www.adminforums.com and have added a Declude and Imail section, so that
this community can post their configurations without wasting list
bandwidth.  

I for one am interested in seeing what is working for people.  I would
really like to see some of the test configurations that Declude runs
itself...hint ...hint



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Friday, December 19, 2003 9:16 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] SPF vs. Form Mail





Re: [Declude.JunkMail] SPF vs. Form Mail

2003-12-19 Thread R. Scott Perry

There is some potential with this as a negative weight test, however once 
the spammers catch on, the value would be diminished greatly, and of 
course legit mail servers are sources of spam, just not as often as the 
illegitimate ones, and I don't see the need to credit senders based only 
on the fact that they matched their SPF records.  ... Considering these 
issues, I don't see why I should push something forward with such a flaw.
One other thing that I forgot about here is that you can do some creative 
things with SPF, such as:

v=spf1 +mx -exists:%{ir4}.bl.spamcop.net ?all

which would still give a PASS for users using your mailserver and an 
UNKNOWN for your roaming users, but also would give a FAIL to people listed 
in SPAMCOP.  Another interesting technique someone is already using 
something like is:

v=spf1 +mx -exists:%{ir4}.test.example.com +all

With this, the DNS server for test.example.com is running software that 
allows the first X hits per day, and none after that.  It could also have 
extra logic, such as denying E-mail from certain return addresses (or 
perhaps only allowing E-mail from addresses of users who may be on the road).

   -Scott

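As an added example (not code from this thread, from Declude, or from the SPF project), here is a small SPF evaluator in Python covering the record shapes Scott uses in this post and in his earlier explanation of pass/fail/unknown and of the MAILFROM-then-HELO identity choice. It handles the ip4, mx, exists and all mechanisms with the +, - and ? qualifiers and expands the reversed-client-IP macro exactly as it is spelled in the thread (%{ir4}); the zone data, domain names and DNSBL name are constructed so it runs offline.

```python
"""Minimal SPF evaluator for the record shapes discussed in this thread.

Supports the ip4, mx, exists and all mechanisms, the +, - and ? qualifiers,
the reversed-client-IP macro written %{ir4} in the thread, and the
MAILFROM-then-HELO identity choice Scott describes.  DNS is a constructed
in-memory zone so the example runs offline.
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed DNS data (assumption: stands in for live TXT/MX/A lookups).
ZONE: Dict[str, Dict[str, List[str]]] = {
    # "Mail from this IP is legitimate, anything else is unknown" (?all)
    "example.com": {"TXT": ["v=spf1 +ip4:192.0.2.25 ?all"]},
    # "Only our MX hosts may send, everything else is bogus" (-all)
    "strict.example": {"TXT": ["v=spf1 +mx -all"], "MX": ["mx.strict.example"]},
    "mx.strict.example": {"A": ["198.51.100.7"]},
    # MX hosts pass, DNSBL-listed clients fail, everyone else is unknown
    "creative.example": {
        "TXT": ["v=spf1 +mx -exists:%{ir4}.bl.example.net ?all"],
        "MX": ["mx.creative.example"],
    },
    "mx.creative.example": {"A": ["198.51.100.8"]},
    # Constructed DNSBL entry for 203.0.113.9 (octets reversed, as the macro expands)
    "9.113.0.203.bl.example.net": {"A": ["127.0.0.2"]},
}

RESULT_FOR_QUALIFIER = {"+": "PASS", "-": "FAIL", "?": "UNKNOWN"}


def lookup(name: str, rtype: str) -> List[str]:
    """Stand-in for a DNS query against the constructed zone above."""
    return ZONE.get(name.lower(), {}).get(rtype, [])


def expand_macro(text: str, client_ip: str) -> str:
    """Replace the thread's %{ir4} macro with the client IP, octets reversed."""
    reversed_ip = ".".join(reversed(client_ip.split(".")))
    return text.replace("%{ir4}", reversed_ip)


def select_identity(mail_from: Optional[str], helo: str) -> str:
    """Domain to check: MAILFROM normally, HELO/EHLO for a null or bare address."""
    if not mail_from or "@" not in mail_from:
        return helo.lower()
    return mail_from.rsplit("@", 1)[1].lower()


def check_host(client_ip: str, domain: str) -> str:
    """Evaluate the domain's SPF record for the connecting IP.

    Returns PASS, FAIL or UNKNOWN (the thread's name for what later SPF
    specs call neutral), or NONE when the domain publishes no record.
    """
    records = [t for t in lookup(domain, "TXT") if t.lower().startswith("v=spf1")]
    if not records:
        return "NONE"
    client = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"  # an unqualified mechanism means PASS
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = client in ipaddress.ip_network(arg, strict=False)
        elif mech == "mx":
            # Client must be an A record of one of the domain's MX hosts
            for mx_host in lookup(arg or domain, "MX"):
                if client_ip in lookup(mx_host, "A"):
                    matched = True
        elif mech == "exists":
            # Matches when the macro-expanded name resolves to any A record
            matched = bool(lookup(expand_macro(arg, client_ip), "A"))
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "UNKNOWN"  # record exhausted without a match


def evaluate(client_ip: str, mail_from: Optional[str], helo: str) -> str:
    """Full check: pick the identity the way the thread describes, then run SPF."""
    return check_host(client_ip, select_identity(mail_from, helo))


if __name__ == "__main__":
    # Roaming example.com user sending via a third-party host: UNKNOWN, not FAIL
    print(evaluate("203.0.113.9", "user@example.com", "relay.example.net"))
    # The same third-party host claiming strict.example: FAIL
    print(evaluate("203.0.113.9", "user@strict.example", "relay.example.net"))
    # A DNSBL-listed host claiming creative.example: FAIL via the exists: term
    print(evaluate("203.0.113.9", "user@creative.example", "relay.example.net"))
    # Null return path: the HELO domain is checked instead
    print(evaluate("198.51.100.7", "", "strict.example"))
```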

RE: [Declude.JunkMail] SPF vs. Form Mail

2003-12-18 Thread Andy Schmidt
Hi,

I assume that Form Mails are a big problem under SPF?  If a web site
(greeting card site) inserts the user's email address as the from address,
then it will fail SPF, correct?  

Or, if we host a web site for a client, the registrations or feedback
form mailers email the input to the client using the from address of the
web visitor (otherwise, clients tend to press the reply button and end up
sending their acknowledgements to our mail server, rather than to the
visitor).  These emails will fail SPF, because the web visitor's domain will
not list our web server as a valid sender!?

In other words, in real life, SPF is best used to subtract weight for PASS,
rather than add (any substantial) weight for FAIL?  It has to be treated
like the SPAMDOMAINS test - except that the entries are maintained by the
owner of each domain and thus are more likely to be accurate.  But we can't
reach block based on SPF failures without ignoring the reality of the www?

Best Regards
Andy Schmidt

HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206

http://www.HM-Software.com/


-Original Message-
From: Andy Schmidt [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 18, 2003 05:20 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [Declude.JunkMail] SPF caught SPAM already


Wow,

With only a few hundred domains registered, what were the chances that it
would already catch spam:

12/18/2003 16:32:17 Q1cd609ef0252d469 DSBL:5 SPAMCOP:7 NJABLDUL:4 SORBS-DUL:5 CBL:7 SPFFAIL:8 .  Total weight = 36.
12/18/2003 16:32:17 Q1cd609ef0252d469 Bypassing whitelisting of E-mail with weight =20 (36) and at least 1 recipients (1).
...
12/18/2003 16:32:18 Q1cd609ef0252d469 Msg failed SPFFAIL (SPF returned FAIL for this E-mail.). Action=IGNORE.
...
12/18/2003 16:32:18 Q1cd609ef0252d469 Deleting spam from [EMAIL PROTECTED] to ...
12/18/2003 16:32:18 Q1cd609ef0252d469 Subject: =?iso-8859-1?b?QWRkIEluY2hlcyB3aXRoIHRoZSBwYXRjaA==?=


Best Regards
Andy 



Re: [Declude.JunkMail] SPF vs. Form Mail

2003-12-18 Thread Matthew Bramble
Andy,

I'm with you on the idea being that this is much like SPAMDOMAINS, 
however, I don't think that I will be subtracting any points for E-mails 
that pass.  I see spam coming through legit servers every day, and 
what's to stop a static spammer from adding these records to their own 
server?  Nothing I assume, and that could present more problems than it fixes 
if negatively weighted.

I view this as a fail only test, and while I could probably score it at 
80% comfortably while it is not in widespread use, I'm only going to 
weight it the same as my SPAMDOMAINS test which I believe is at 40% of 
my fail weight.

I still have to read up on this some more and figure it all out, but am 
I correct that this matches the MAILFROM address and not something else 
like the HELO?

Matt






RE: [Declude.JunkMail] SPF vs. Form Mail

2003-12-18 Thread Kevin Bilbee
When we create a form on a server we never send the form using the email
address that the user entered. Too many times the user enters the address
incorrectly.

We use a from address of the domain we are in and place what the user typed
in the body of the message. This guarantees that we get all messages.

Greeting card sites can do the same thing but they do not. They can use an
address in their own domain to send the email and add a header for the reply
to address as the person who sent the message. They can also use the person's
email address or name as the friendly name to display in the mail client.


Kevin Bilbee




RE: [Declude.JunkMail] SPF vs. Form Mail

2003-12-18 Thread Andy Schmidt
Yes, I understand how it can be done - unfortunately, many form mailer
scripts don't use the reply-to header and greeting card companies seem to
use the from field.

Bottom line - unless web sites are being changed, we cannot define -all,
we have to define ?all since any of our users may be sending mail
through a third party web site.  Of course, ?all means that there will never
be a FAIL - which is equivalent to giving no or little weight.

Best Regards
Andy Schmidt

HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206

http://www.HM-Software.com/





Re: [Declude.JunkMail] SPF vs. Form Mail

2003-12-18 Thread Bill Landry
- Original Message - 
From: Matthew Bramble [EMAIL PROTECTED]

 I view this as a fail only test, and while I could probably score it at
 80% comfortably while it is not in widespread use, I'm only going to
 weight it the same as my SPAMDOMAINS test which I believe is at 40% of
 my fail weight.

This was my thought, as well.  I have already found e-mail that I felt was
spam that had valid SPF records.  I am currently only using SPF as positive
weight test, but am monitoring the logs to see if using it as a weight
reduction test is also viable.

 I still have to read up on this some more and figure it all out, but am
 I correct that this matches the MAILFROM address and not something else
 like the HELO?

I believe it is the domain part of the original sender's e-mail address that
is queried for its TXT record.  Scott, is this correct?  However, it appears
to use the list server's domain address if sent from a mailing list.

Bill



Re: [Declude.JunkMail] SPF vs. Form Mail

2003-12-18 Thread R. Scott Perry

This was my thought, as well.  I have already found e-mail that I felt was
spam that had valid SPF records.
I'm curious about this one -- could you let me know the domain?

I think whitelisting E-mail based on an SPF PASS probably isn't a wise 
idea, but I'm sure that spammers that do use SPF will be much easier to 
catch (they are providing a list of IPs that they may be spamming from <G>).

 I still have to read up on this some more and figure it all out, but am
 I correct that this matches the MAILFROM address and not something else
 like the HELO?
I believe it is the domain part of the original sender's e-mail address that
is queried for its TXT record.  Scott, is this correct?  However, it appears
to use the list server's domain address if sent from a mailing list.

Normally, it uses the return address of the E-mail (MAILFROM, from the 
X-Declude-Sender: header).  However, if there is a NULL return address, 
or the address isn't valid (postmaster, for example), then the domain in 
the HELO/EHLO will be used.

   -Scott


RE: [Declude.JunkMail] SPF vs. Form Mail

2003-12-18 Thread Kevin Bilbee
Agreed but with any change some code needs to be modified to support new
ways of processing data.

As for the greeting card companies if SPF takes off they will wake up and
change their delivery method. How else will they make their advertising
buck?

There will always be a time of adjustment where the configurations will have
to be less restrictive. But if you notify all your accounts/programmers of
the future tightening up of the policy the benefit will be greater and the
discomfort of change will be minimized.


Kevin Bilbee

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Andy Schmidt
 Sent: Thursday, December 18, 2003 3:28 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.JunkMail] SPF vs. Form Mail


 Yes, I understand how it can be done - unfortunately, many form mailer
 scripts don't use the reply-to header and greeting card
 companies seem to
 use the from field.

 Bottom line - unless web sites are being changed, we cannot define -all,
 we have to define ?all since any of our users may be sending mail
 through a third party web site.  Of course, ?all means that there
 will never
 be a FAIL - which is equivalent to giving no or little weight.

 Best Regards
 Andy Schmidt

 HM Systems Software, Inc.
 600 East Crescent Avenue, Suite 203
 Upper Saddle River, NJ 07458-1846

 Phone:  +1 201 934-3414 x20 (Business)
 Fax:+1 201 934-9206

 http://www.HM-Software.com/


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee
 Sent: Thursday, December 18, 2003 06:18 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.JunkMail] SPF vs. Form Mail


 When we create a form on a server we never send the form using the email
 address that the user entered. Too many times the user enters the address
 incorrectly.
 
 We use a from address of the domain we are in and place what the
 user typed in the body of the message. This guarantees that we get all
 messages.
 
 Greeting card sites can do the same thing but they do not. They can use an
 address in their own domain to send the email and add a header for the
 reply-to address as the person who sent the message. They can also use
 the person's email address or name as the friendly name to display in the
 mail client.


 Kevin Bilbee

  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] Behalf Of Andy Schmidt
  Sent: Thursday, December 18, 2003 2:29 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [Declude.JunkMail] SPF vs. Form Mail
 
 
  Hi,
 
  I assume that Form Mails are a big problem under SPF?  If a web site
  (greeting card site) inserts the user's email address as the from
  address, then it will fail SPF, correct?
 
  Or, if we host a web site for a client, the registrations or
  feedback form mailers email the input to the client using the from
  address of the web visitor (otherwise, clients tend to press the reply
  button and end up sending their acknowledgements to our mail server,
  rather than to the visitor).  These emails will fail SPF, because the
  web visitor's domain will not list our web server as a valid sender!?
 
  In other words, in real life, SPF is best used to subtract weight for
  PASS, rather than add (any substantial) weight for FAIL?  It has
  to be treated like the SPAMDOMAINS test - except that the entries
  are maintained by the owner of each domain and thus are more likely
  to be accurate.  But we can't really block based on SPF failures
  without ignoring the reality of the www?
 
  Best Regards
  Andy Schmidt
 
  HM Systems Software, Inc.
  600 East Crescent Avenue, Suite 203
  Upper Saddle River, NJ 07458-1846
 
  Phone:  +1 201 934-3414 x20 (Business)
  Fax:+1 201 934-9206
 
  http://www.HM-Software.com/
 
 
  -Original Message-
  From: Andy Schmidt [mailto:[EMAIL PROTECTED]
  Sent: Thursday, December 18, 2003 05:20 PM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [Declude.JunkMail] SPF caught SPAM already
 
 
  Wow,
 
  With only a few hundred domains registered, what were the chances that
  it would already catch spam:
 
  12/18/2003 16:32:17 Q1cd609ef0252d469 DSBL:5 SPAMCOP:7 NJABLDUL:4 SORBS-DUL:5 CBL:7 SPFFAIL:8 .  Total weight = 36.
  12/18/2003 16:32:17 Q1cd609ef0252d469 Bypassing whitelisting of E-mail with weight >=20 (36) and at least 1 recipients (1).
  ...
  12/18/2003 16:32:18 Q1cd609ef0252d469 Msg failed SPFFAIL (SPF returned FAIL for this E-mail.). Action=IGNORE.
  ...
  12/18/2003 16:32:18 Q1cd609ef0252d469 Deleting spam from [EMAIL PROTECTED] to ...
  12/18/2003 16:32:18 Q1cd609ef0252d469 Subject: =?iso-8859-1?b?QWRkIEluY2hlcyB3aXRoIHRoZSBwYXRjaA==?=
 
 
  Best Regards
  Andy
 
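
An added example, not Declude's code and not anything posted in this thread: a small parser for log lines of the shape Andy quotes above. It pulls the per-test weights out of the "Total weight" line, checks that they add up to the logged total, decodes the RFC 2047 subject, and re-totals each message under a different SPF weighting, which is the what-if Matt and Andy are discussing (SPFFAIL at 40% of the fail weight, and no credit at all for a PASS). The first four sample lines are Andy's, with the ">" in ">=20" restored because the archive stripped it; the last two lines, with queue id Qdeadbeef00000001 and an SPFPASS test, are constructed for this example, and the cut-off of 20 is borrowed from the "weight >=20" line purely for illustration.

```python
import re
from email.header import decode_header

# Sample log. The first four lines are the Declude JunkMail excerpt quoted
# in the thread (with the ">" in ">=20" restored, as the archive stripped
# it); the last two lines are constructed for this example with a made-up
# queue id and a hypothetical SPFPASS test carrying negative weight.
SAMPLE_LOG = """\
12/18/2003 16:32:17 Q1cd609ef0252d469 DSBL:5 SPAMCOP:7 NJABLDUL:4 SORBS-DUL:5 CBL:7 SPFFAIL:8 .  Total weight = 36.
12/18/2003 16:32:17 Q1cd609ef0252d469 Bypassing whitelisting of E-mail with weight >=20 (36) and at least 1 recipients (1).
12/18/2003 16:32:18 Q1cd609ef0252d469 Msg failed SPFFAIL (SPF returned FAIL for this E-mail.). Action=IGNORE.
12/18/2003 16:32:18 Q1cd609ef0252d469 Subject: =?iso-8859-1?b?QWRkIEluY2hlcyB3aXRoIHRoZSBwYXRjaA==?=
12/18/2003 16:40:02 Qdeadbeef00000001 SPFPASS:-10 CBL:7 .  Total weight = -3.
12/18/2003 16:40:02 Qdeadbeef00000001 Subject: Your order confirmation
"""

# "<date> <time> <queue id> TEST:w TEST:w ... .  Total weight = N."
WEIGHT_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<qid>Q[0-9a-f]+) (?P<tests>.*?) \.\s+Total weight = (?P<total>-?\d+)\.$")
TEST_TOKEN = re.compile(r"(?P<name>[A-Z0-9-]+):(?P<weight>-?\d+)")
SUBJECT_LINE = re.compile(r"^\S+ \S+ (?P<qid>Q[0-9a-f]+) Subject: (?P<subject>.*)$")


def decode_subject(raw):
    """Decode RFC 2047 encoded words; the log stores the raw header value."""
    out = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        out.append(chunk)
    return "".join(out)


def parse_log(text):
    """Group log lines by queue id: per-test weights, logged total, subject."""
    msgs = {}
    for line in text.splitlines():
        m = WEIGHT_LINE.match(line)
        if m:
            rec = msgs.setdefault(m["qid"], {})
            rec["tests"] = {t["name"]: int(t["weight"])
                            for t in TEST_TOKEN.finditer(m["tests"])}
            rec["total"] = int(m["total"])
            continue
        m = SUBJECT_LINE.match(line)
        if m:
            msgs.setdefault(m["qid"], {})["subject"] = decode_subject(m["subject"])
    return msgs


def mismatched_totals(msgs):
    """Queue ids whose per-test weights do not add up to the logged total."""
    return sorted(q for q, r in msgs.items()
                  if "tests" in r and sum(r["tests"].values()) != r["total"])


def rescore(msgs, new_weights, cutoff=20):
    """Re-total each message with some test weights replaced, to try out a
    different SPF weighting offline. Returns {qid: (new_total, over_cutoff)}."""
    out = {}
    for qid, rec in msgs.items():
        if "tests" not in rec:
            continue
        total = sum(new_weights.get(name, w) for name, w in rec["tests"].items())
        out[qid] = (total, total >= cutoff)
    return out


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for qid, rec in parsed.items():
        print(qid, rec.get("total"), rec.get("subject"))
    # SPFFAIL at 40% of its logged weight, and no credit for an SPF PASS
    print(rescore(parsed, {"SPFFAIL": 4, "SPFPASS": 0}))
```

With SPFFAIL cut to 4 the quoted message still totals 32, well over the cut-off, because five other lists already fired on it; that is the point both posters make, that SPF on its own rarely decides the outcome and is safest as one weight among many.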

RE: [Declude.JunkMail] SPF vs. Form Mail

2003-12-18 Thread R. Scott Perry

As for the greeting card companies if SPF takes off they will wake up and
change their delivery method. How else will they make their advertising
buck?
Actually, the greeting card companies *should* already be doing this.  The 
return address is used for bounce messages.  If they are using the supposed 
E-mail address of the web site visitor, any bounces will go to the innocent 
victim whose E-mail address has been used.  So they should use their own 
domain name in the return address.  If this is the case, they automatically 
get an UNKNOWN instead of a FAIL (or a PASS if they add their own SPF record).

Meanwhile, if they keep the supposed address of the web site visitor in the 
From:/Sender:/Reply-To: headers, the recipient probably won't know the 
difference, and replies will be sent to the person who requested that the 
greeting card be sent.

   -Scott
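
An added example, not Declude's code and not from any poster here, that models three things the thread discusses: the identity selection Scott describes (MAIL FROM domain, falling back to the HELO name when the return path is null or is postmaster), the difference between a -all and a ?all record that Andy raises (a ?all domain can never produce FAIL), and the two form-mailer designs Kevin, Andy and Scott argue about, with the envelope sender in the visitor's domain versus the site's own domain. It also evaluates the HELO name on its own, which is the extra comparison Matt asks about elsewhere in the thread. The evaluator handles only ip4 and all terms (a, mx and include need live DNS); the SPF spec itself treats a null sender as postmaster@<HELO>, and the code follows Scott's description of the Declude behaviour instead. All domains (example.com, example.org, cards.example, www.cards.example, nospf.example, site.example), addresses and records are constructed.

```python
import ipaddress
from email.message import EmailMessage

# Constructed "DNS": domain -> SPF TXT record. Domains, addresses and records
# are invented for this example; None means no record is published.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",       # strict policy
    "example.org": "v=spf1 ip4:198.51.100.10 ?all",      # ?all: can never FAIL
    "cards.example": "v=spf1 ip4:203.0.113.5 -all",      # greeting-card site's domain
    "www.cards.example": "v=spf1 ip4:203.0.113.5 -all",  # name its web server uses in HELO
    "nospf.example": None,
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
WEB_SERVER_IP = "203.0.113.5"   # constructed address of the form-mailer host


def select_identity(mail_from, helo):
    """Domain to check, per the rule described in the thread: the MAIL FROM
    domain, unless the return path is null (<>) or its local part is
    'postmaster', in which case the HELO/EHLO name is used. (The SPF spec
    instead checks postmaster@<HELO> for a null sender.)"""
    addr = mail_from.strip("<> ")
    if "@" not in addr or addr.split("@", 1)[0].lower() == "postmaster":
        return helo.lower(), "helo"
    return addr.rsplit("@", 1)[1].lower(), "mailfrom"


def evaluate(domain, ip, records=SPF_RECORDS):
    """Minimal SPF evaluator: ip4 mechanisms and 'all' with the four
    qualifiers only; a/mx/include are omitted because they need live DNS.
    Returns pass, fail, softfail, neutral, or none (no record published)."""
    record = records.get(domain)
    if not record or not record.lower().startswith("v=spf1"):
        return "none"   # the UNKNOWN result mentioned in the thread
    client = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:") and client in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"    # no mechanism matched and no 'all' term


def check(mail_from, helo, ip, records=SPF_RECORDS):
    """Result for the identity the receiver would pick, plus the HELO name
    checked on its own as a separate signal."""
    domain, source = select_identity(mail_from, helo)
    return {"identity": domain, "source": source,
            "result": evaluate(domain, ip, records),
            "helo_result": evaluate(helo.lower(), ip, records)}


def naive_form_mail(visitor, recipient):
    """Form mailer that uses the visitor's address as the envelope sender:
    bounces go to the visitor, and SPF FAILs if their domain ends in -all."""
    msg = EmailMessage()
    msg["From"] = visitor
    msg["To"] = recipient
    msg["Subject"] = "Website feedback"
    msg.set_content("(form contents)")
    return {"mail_from": visitor, "message": msg}


def proper_form_mail(visitor, recipient, bounce="bounces@cards.example"):
    """Envelope sender in the site's own domain, visitor kept in From: and
    Reply-To: so Reply still reaches them. SPF looks only at the envelope, so
    this passes against the site's own record. (A From: in the visitor's
    domain is what later DMARC alignment objects to; SPF alone does not.)"""
    msg = EmailMessage()
    msg["From"] = f"Card sender <{visitor}>"
    msg["Reply-To"] = visitor
    msg["To"] = recipient
    msg["Subject"] = "Website feedback"
    msg.set_content(f"Submitted by: {visitor}")
    return {"mail_from": bounce, "message": msg}


def spf_result_for(form, helo="www.cards.example", ip=WEB_SERVER_IP):
    """The check a receiving server would run on a message from the web host."""
    return check(form["mail_from"], helo, ip)["result"]


if __name__ == "__main__":
    for visitor in ("alice@example.com", "bob@example.org", "carol@nospf.example"):
        print(visitor,
              "naive:", spf_result_for(naive_form_mail(visitor, "owner@site.example")),
              "proper:", spf_result_for(proper_form_mail(visitor, "owner@site.example")))
```

Running it shows the three outcomes the thread predicts: the naive mailer gets fail for a -all domain, neutral for a ?all domain and none for a domain with no record, while the same message sent with the site's own bounce address in the envelope passes regardless of the visitor's domain. The helo_result field passes in every case because the web server's HELO name publishes its own address, which is why checking HELO separately adds information when the return path is forged.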


Re: [Declude.JunkMail] SPF vs. Form Mail

2003-12-18 Thread Bill Landry
- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]

 This was my thought, as well.  I have already found e-mail that I felt
was
 spam that had valid SPF records.

 I'm curious about this one -- could you let me know the domain?

I was a little hasty in my statement above.  When I went to retrieve the
domain for you, I checked on the site and did a closer review of the
messages and found that they were e-mails from a legitimate opt-in list.
However, I will keep track and report any questionable findings.

 I think whitelisting E-mail based on an SPF PASS probably isn't a wise
 idea, but I'm sure that spammers that do use SPF will be much easier to
 catch (they are providing a list of IPs that they may be spamming from
G).

Yes, this is a good thing, indeed!

 I believe it is the domain part of the original sender's e-mail address
that
 is queried for its txt record.  Scott, is this correct?  However, it
appears
 to use the list server's domain address if sent from a mailing list.

 Normally, it uses the return address of the E-mail (MAILFROM, from the
 X-Declude-Sender: header).  However, if there is a NULL  return address,
 or the address isn't valid (postmaster, for example), then the domain in
 the HELO/EHLO will be used.

Thanks for the clarification.

Bill



Re: [Declude.JunkMail] SPF vs. Form Mail

2003-12-18 Thread Matthew Bramble
R. Scott Perry wrote:

I think whitelisting E-mail based on an SPF PASS probably isn't a wise 
idea, but I'm sure that spammers that do use SPF will be much easier 
to catch (they are providing a list of IPs that they may be spamming 
from G).
If I were a spammer, I would use this to my advantage.  These guys 
collect 2,000 IPs at a time, and move around their blocks in order to 
avoid being perma-listed in the RBL's already, and turning on and off 
some SPF listings can't be that much more difficult.  Besides that, even 
legit servers pass spam.  Forwarding is problematic for this test, and 
then there's the fact that very small-time spammers will use their ISP 
to send out their garbage.  The very small-time spammers are the most 
likely to get through my server, but thankfully the volume is low.

If SPF becomes popular, crediting points for passing the test will 
become a big no-no.  Maybe this isn't something that you will want to 
support long-term?

Normally, it uses the return address of the E-mail (MAILFROM, from the 
X-Declude-Sender: header).  However, if there is a NULL  return 
address, or the address isn't valid (postmaster, for example), then 
the domain in the HELO/EHLO will be used.


I'm not sure if this is in the RFC, but it would be a lot more accurate 
if you could compare the HELO to the SPF data.  Some scripts also 
falsify the HELO, but nowhere near the number of forged domains in 
MAILFROM.

Maybe a separate test possibility?  Or even a replacement?

I do like this whole idea a lot better than Web-O-Trust though.  My only 
concern about the viability of this test is how responsible 
administrators will be in covering their scripts as well as their mail 
server.  I suspect that human nature will show its face and mitigate the 
usefulness to some extent.  The fact that this appears hard to 
understand at first glance (to me at least) tells me that it's likely to 
be screwed up.

Matt
