Re: Should we use DKIM and SPF?
On Thu, May 01, 2014 at 03:59:10AM +0200, Martin Braun wrote: IMHO spam should be dealt with only on the client, not on the server. It is not the task of the server to determine what is spam and what is not. I know everyone does it, I used to do it too, but it is wrong. Server filtering saves bandwidth in a lot of places, especially if done during early in the message path. I am not sure what you mean by client, if MDA or MUA, but if you mean MUA, server-side filtering also saves some storage space on the IMAP/POP server. -- -- You received this mail because you are subscribed to misc@opensmtpd.org To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
Re: Should we use DKIM and SPF?
IMHO spam should be dealt with only on the client, not on the server. It is not the task of the server to determine what is spam and what is not. I know everyone does it, I used to do it too, but it is wrong. 2014-04-26 16:26 GMT+02:00 Stéphane Guedon steph...@22decembre.eu: Le samedi 26 avril 2014 07:20:19, vous avez écrit : Hi John, At 06:04 26-04-2014, John Cox wrote: Unfortunately the whole point of SPF (unlike Sender-ID which works much better and on much the same principles) is that you can reject the message before receiving it so you wouldn't have the DKIM stuff (which I think requires you to have the entire message?). SPF allows processing using envelope information. DKIM processing can only occur after the entire message has been received. Regards, -sm I am myself in need for a good antispam solution with opensmtpd. if dkim (which I don't use yet) and spf are not really working, what's the good way (I am already using spamd, not enough !) -- You received this mail because you are subscribed to misc@opensmtpd.org To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
Re: Should we use DKIM and SPF?
On 2014-05-01 03:59, Martin Braun wrote: IMHO spam should be dealt with only on the client, not on the server. It is not the task of the server to determine what is spam and what is not. I know everyone does it, I used to do it too, but it is wrong. What if I have multiple clients? Eg: desktop, laptop, work laptop, mobile phone. I'd need to run daemonsn on all of those machines, and need to find mechanisms to keep the spam rules sycned. I also don't know of any anti-spam filters for my mobile phone. In theory, what you suggest is a great idea. But it's not as simple as it sounds. 2014-04-26 16:26 GMT+02:00 Stéphane Guedon steph...@22decembre.eu: Le samedi 26 avril 2014 07:20:19, vous avez écrit : Hi John, At 06:04 26-04-2014, John Cox wrote: Unfortunately the whole point of SPF (unlike Sender-ID which works much better and on much the same principles) is that you can reject the message before receiving it so you wouldn't have the DKIM stuff (which I think requires you to have the entire message?). SPF allows processing using envelope information. DKIM processing can only occur after the entire message has been received. Regards, -sm I am myself in need for a good antispam solution with opensmtpd. if dkim (which I don't use yet) and spf are not really working, what's the good way (I am already using spamd, not enough !) -- You received this mail because you are subscribed to misc@opensmtpd.org To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org -- Hugo Osvaldo Barrera A: No, it doesn't make sense. Q: Should I include quotations *after* my reply? pgpoQ4TFin_o4.pgp Description: PGP signature
Re: Should we use DKIM and SPF?
In theroy that idea isnt even that great, and in practice a hygene server is a better place to do the most course obvious spam. There is stuff that is very obviously not wanted such as items coming from rouge servers that we can prove thanks to SPF or Sender-ID being setup correctly. There is no reason that a server that can verify that another server has no right to send should pass on a potentially risky email to the user, it is actually very irresponsible to do so especially since you are going to treat a user that may have no clue about email headers as an idiot because they clicked on a message that if you had a script take two milliseconds to look at could have told you it was spam. Not everyone is a computer scientist, and stuff that is obvious should be dealt with long before your users have to deal with it manually. On Wed, Apr 30, 2014 at 6:59 PM, Martin Braun yellowgoldm...@gmail.comwrote: IMHO spam should be dealt with only on the client, not on the server. It is not the task of the server to determine what is spam and what is not. I know everyone does it, I used to do it too, but it is wrong. 2014-04-26 16:26 GMT+02:00 Stéphane Guedon steph...@22decembre.eu: Le samedi 26 avril 2014 07:20:19, vous avez écrit : Hi John, At 06:04 26-04-2014, John Cox wrote: Unfortunately the whole point of SPF (unlike Sender-ID which works much better and on much the same principles) is that you can reject the message before receiving it so you wouldn't have the DKIM stuff (which I think requires you to have the entire message?). SPF allows processing using envelope information. DKIM processing can only occur after the entire message has been received. Regards, -sm I am myself in need for a good antispam solution with opensmtpd. if dkim (which I don't use yet) and spf are not really working, what's the good way (I am already using spamd, not enough !) -- You received this mail because you are subscribed to misc@opensmtpd.org To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org -- Jason Barbier | jab...@serversave.us Pro Patria Vigilans
Re: Should we use DKIM and SPF?
I agree, it's not simple, but none the less it is true. However I wouldn't waste time on reading or answering mail on my phone. If you receive really important email, and you need to answer such on the phone, you need to use a unique email just for such clients - making sure no spam reaches you at all. For all other clients Bogofilter works really well and fast on most and you generally don't need to worry about keeping filters in sync. Once bogofilter has learned about a few spam mails it runs like a dream on any client. Compared to say Spamassassin/spamd Bogofilter is at least ten times as fast, much better at recognizing spam, and it can be run on old or weak hardware without problems. 2014-05-01 5:37 GMT+02:00 Hugo Osvaldo Barrera h...@barrera.io: On 2014-05-01 03:59, Martin Braun wrote: IMHO spam should be dealt with only on the client, not on the server. It is not the task of the server to determine what is spam and what is not. I know everyone does it, I used to do it too, but it is wrong. What if I have multiple clients? Eg: desktop, laptop, work laptop, mobile phone. I'd need to run daemonsn on all of those machines, and need to find mechanisms to keep the spam rules sycned. I also don't know of any anti-spam filters for my mobile phone. In theory, what you suggest is a great idea. But it's not as simple as it sounds. 2014-04-26 16:26 GMT+02:00 Stéphane Guedon steph...@22decembre.eu: Le samedi 26 avril 2014 07:20:19, vous avez écrit : Hi John, At 06:04 26-04-2014, John Cox wrote: Unfortunately the whole point of SPF (unlike Sender-ID which works much better and on much the same principles) is that you can reject the message before receiving it so you wouldn't have the DKIM stuff (which I think requires you to have the entire message?). SPF allows processing using envelope information. DKIM processing can only occur after the entire message has been received. Regards, -sm I am myself in need for a good antispam solution with opensmtpd. if dkim (which I don't use yet) and spf are not really working, what's the good way (I am already using spamd, not enough !) -- You received this mail because you are subscribed to misc@opensmtpd.org To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org -- Hugo Osvaldo Barrera A: No, it doesn't make sense. Q: Should I include quotations *after* my reply? -- You received this mail because you are subscribed to misc@opensmtpd.org To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
Re: Should we use DKIM and SPF?
forgot the list sorry, you can very easily tell what should or should not be flagged for review with the most granular rules, anything with virus attachments should NEVER get to the user, period, ever. Id rather have 100 false positives for viruses than my network get turned into a zombie because I threw my users to the wolves. Also as best practices state, you never discard messages because you flagged them as spam unless you have a valid high confidence threat on them such as a well known virus, you flag them and let the user determine what to do with said flagged mail, but virus spam should always be dealt with much sooner than on the users machine. If a payload has reached the user you are already too late to deal with it. On Wed, Apr 30, 2014 at 9:04 PM, Barbier, Jason jab...@serversave.uswrote: you can very easily tell what should or should not be flagged for review with the most granular rules, anything with virus attachments should NEVER get to the user, period, ever. Id rather have 100 false positives for viruses than my network get turned into a zombie because I threw my users to the wolves. Also as best practices state, you never discard messages because you flagged them as spam unless you have a valid high confidence threat on them such as a well known virus, you flag them and let the user determine what to do with said flagged mail, but virus spam should always be dealt with much sooner than on the users machine. If a payload has reached the user you are already too late to deal with it. -- Jason Barbier | jab...@serversave.us Pro Patria Vigilans
Re: Should we use DKIM and SPF?
you can very easily tell what should or should not be flagged for review with the most granular rules, anything with virus attachments should NEVER get to the user, period, ever. Id rather have 100 false positives for viruses than my network get turned into a zombie because I threw my users to the wolves. Wrong thinking. It is not your task to determine whats a valid email and whats not for users - period! You rather having 100 false positives doesn't make it right - on the contrary. Only the user can decide what is right and what is wrong email for him or her - period. Protecting the network from getting turned into a zombie, as you call it, has nothing to do with the above. And if you think, even in the least, that your network is protected because you screen email for viruses you're facing much more serious trouble and users should not use your network at all. Also as best practices state, you never discard messages because you flagged them as spam unless you have a valid high confidence threat on them such as a well known virus, you flag them and let the user determine what to do with said flagged mail, but virus spam should always be dealt with much sooner than on the users machine. If a payload has reached the user you are already too late to deal with it. \ Yeah.. that's the modern practice now a days alright, but that doesn't make it right. On Wed, Apr 30, 2014 at 8:58 PM, Martin Braun yellowgoldm...@gmail.com wrote: In theroy that idea isnt even that great, and in practice a hygene server is a better place to do the most course obvious spam. There is stuff that is very obviously not wanted such as items coming from rouge servers that we can prove thanks to SPF or Sender-ID being setup correctly. Validating that SPF or Sender-ID has been setup correctly - great when it works, not so much about fighting SPAM more about fighting bad admins. SPAM gets through still though. In many cases of SPAM it's the user account that has been cracked and the spammers are using full valid SPF and Sender-IDs, heck it's even signed with DKIM too. There is no reason that a server that can verify that another server has no right to send should pass on a potentially risky email to the user, it is actually very irresponsible to do so especially since you are going to treat a user that may have no clue about email headers as an idiot because they clicked on a message that if you had a script take two milliseconds to look at could have told you it was spam. Not everyone is a computer scientist, and stuff that is obvious should be dealt with long before your users have to deal with it manually. You're missing my point. You cannot determine what stuff should be dealt with on account of your users. Period. One single false positive is enough. On Wed, Apr 30, 2014 at 6:59 PM, Martin Braun yellowgoldm...@gmail.com wrote: IMHO spam should be dealt with only on the client, not on the server. It is not the task of the server to determine what is spam and what is not. I know everyone does it, I used to do it too, but it is wrong. 2014-04-26 16:26 GMT+02:00 Stéphane Guedon steph...@22decembre.eu: Le samedi 26 avril 2014 07:20:19, vous avez écrit : Hi John, At 06:04 26-04-2014, John Cox wrote: Unfortunately the whole point of SPF (unlike Sender-ID which works much better and on much the same principles) is that you can reject the message before receiving it so you wouldn't have the DKIM stuff (which I think requires you to have the entire message?). SPF allows processing using envelope information. DKIM processing can only occur after the entire message has been received. Regards, -sm I am myself in need for a good antispam solution with opensmtpd. if dkim (which I don't use yet) and spf are not really working, what's the good way (I am already using spamd, not enough !) -- You received this mail because you are subscribed to misc@opensmtpd.org To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org -- Jason Barbier | jab...@serversave.us Pro Patria Vigilans -- You received this mail because you are subscribed to misc@opensmtpd.org To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org -- Jason Barbier | jab...@serversave.us Pro Patria Vigilans -- You received this mail because you are subscribed to misc@opensmtpd.org To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
Re: Should we use DKIM and SPF?
On Fri, 25 Apr 2014 06:55:48 -0700, you wrote: On Thu, Apr 24, 2014 at 11:13 AM, Ashish SHUKLA ashish...@lostca.se wrote: On Sat, 19 Apr 2014 08:26:59 +0200, Martin Braun yellowgoldm...@gmail.com said: Hi I was thinking about adding DKIM and SPF to my OpenSMTPD setup as I have previously run with those, but I am in doubt. I am thinking about the worth of those technologies? I used to think SPF was a good idea, but SPF fails if someone forwards email to another server. Then the forwarding server is not listed in the SPF entry and the destination mail server will reject the email. SRS[1][2]. References: [1] http://www.openspf.org/SRS [2] http://www.libsrs2.org/ SPF itself is a decent idea this was just bound to happen since it makes the assumption that all valid mail from a domain only comes from servers that the domain knows about which may not necessarily be the case (see mailing lists) but this is one of the reasons to use both DKIM and SPF. generally if one passes it scores high enough to cancel out that the other failed. DKIM is supposed to prove that messages are authentic, not SPF. SPF is setup to prove that a sending server has the right to send on behalf of a domain. They really are meant to work hand in hand and solve different problems. So if you were using DKIM and SPF SRS would not be an issue since the DKIM info in the header proves the message came from a valid source. Unfortunately the whole point of SPF (unlike Sender-ID which works much better and on much the same principles) is that you can reject the message before receiving it so you wouldn't have the DKIM stuff (which I think requires you to have the entire message?). JC -- You received this mail because you are subscribed to misc@opensmtpd.org To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
Re: Should we use DKIM and SPF?
On 2014-04-26 Sat 14:04 PM |, John Cox wrote: Unfortunately the whole point of SPF (unlike Sender-ID which works much better and on much the same principles) is that you can reject the message before receiving it That's the idea, but it is often abused by dumb hostmasters (e.g: google) publishing their entire address space. Infected PCs in the sales office, employee WiFi zones, tape silos, routers, web servers, etc... are not valid mail exchangers, so SPF records of 'valid sending IP address' can't be trusted. SPF might be slightly helpful, but it is not reliable. -- You received this mail because you are subscribed to misc@opensmtpd.org To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
Re: Should we use DKIM and SPF?
Hi John, At 06:04 26-04-2014, John Cox wrote: Unfortunately the whole point of SPF (unlike Sender-ID which works much better and on much the same principles) is that you can reject the message before receiving it so you wouldn't have the DKIM stuff (which I think requires you to have the entire message?). SPF allows processing using envelope information. DKIM processing can only occur after the entire message has been received. Regards, -sm -- You received this mail because you are subscribed to misc@opensmtpd.org To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
Re: Should we use DKIM and SPF?
Le samedi 26 avril 2014 07:20:19, vous avez écrit : Hi John, At 06:04 26-04-2014, John Cox wrote: Unfortunately the whole point of SPF (unlike Sender-ID which works much better and on much the same principles) is that you can reject the message before receiving it so you wouldn't have the DKIM stuff (which I think requires you to have the entire message?). SPF allows processing using envelope information. DKIM processing can only occur after the entire message has been received. Regards, -sm I am myself in need for a good antispam solution with opensmtpd. if dkim (which I don't use yet) and spf are not really working, what's the good way (I am already using spamd, not enough !) signature.asc Description: This is a digitally signed message part.
Re: Should we use DKIM and SPF?
Le samedi 26 avril 2014 07:51:42, vous avez écrit : you want to use SPF at the very least, but then back it with spampd or amavisd and run it though spamassassin that is pretty much a standard stack right there, I tried to set it up yesterday. Complete failed ! I would really like to have spamassassin cause it has a lot of features that may be useful : check FROM address in an address book check gpg sig obviously, I looked if spamd can look in a mail adress list. It can't ! Do you know some doc explaining how I can integrate spamassassin in opensmtpd ? On Sat, Apr 26, 2014 at 7:26 AM, Stéphane Guedon steph...@22decembre.euwrote: Le samedi 26 avril 2014 07:20:19, vous avez écrit : Hi John, At 06:04 26-04-2014, John Cox wrote: Unfortunately the whole point of SPF (unlike Sender-ID which works much better and on much the same principles) is that you can reject the message before receiving it so you wouldn't have the DKIM stuff (which I think requires you to have the entire message?). SPF allows processing using envelope information. DKIM processing can only occur after the entire message has been received. Regards, -sm I am myself in need for a good antispam solution with opensmtpd. if dkim (which I don't use yet) and spf are not really working, what's the good way (I am already using spamd, not enough !) signature.asc Description: This is a digitally signed message part.
Re: Should we use DKIM and SPF?
there isnt a single one, but you have to do it somthing similar to what gilles did for dkim dkim. so you chose somthing like in my case I use amavisd since I never got spampd to work reliably listening on port 2000 listen on lo port 2001 tag clean accept tagged clean for deliver to mbox accept for domain contoso.tld relay via smtp://127.0.0.1:2000 Im doing that part from memory but that is the essence of it, the first run of the message it kicks out to amavisd, which runs it through spamassassin then back into smtpd which tags it as clean which gets picked up by the rule that takes tagged messages and delivers them. On Sat, Apr 26, 2014 at 9:10 AM, Stéphane Guedon steph...@22decembre.euwrote: Le samedi 26 avril 2014 07:51:42, vous avez écrit : you want to use SPF at the very least, but then back it with spampd or amavisd and run it though spamassassin that is pretty much a standard stack right there, I tried to set it up yesterday. Complete failed ! I would really like to have spamassassin cause it has a lot of features that may be useful : check FROM address in an address book check gpg sig obviously, I looked if spamd can look in a mail adress list. It can't ! Do you know some doc explaining how I can integrate spamassassin in opensmtpd ? On Sat, Apr 26, 2014 at 7:26 AM, Stéphane Guedon steph...@22decembre.euwrote: Le samedi 26 avril 2014 07:20:19, vous avez écrit : Hi John, At 06:04 26-04-2014, John Cox wrote: Unfortunately the whole point of SPF (unlike Sender-ID which works much better and on much the same principles) is that you can reject the message before receiving it so you wouldn't have the DKIM stuff (which I think requires you to have the entire message?). SPF allows processing using envelope information. DKIM processing can only occur after the entire message has been received. Regards, -sm I am myself in need for a good antispam solution with opensmtpd. if dkim (which I don't use yet) and spf are not really working, what's the good way (I am already using spamd, not enough !) -- Jason Barbier | jab...@serversave.us Pro Patria Vigilans
Re: Should we use DKIM and SPF?
Hi On Sat, 19 Apr 2014 08:26:59 +0200, Martin Braun yellowgoldm...@gmail.com said: Hi I was thinking about adding DKIM and SPF to my OpenSMTPD setup as I have previously run with those, but I am in doubt. I am thinking about the worth of those technologies? I used to think SPF was a good idea, but SPF fails if someone forwards email to another server. Then the forwarding server is not listed in the SPF entry and the destination mail server will reject the email. SRS[1][2]. References: [1] http://www.openspf.org/SRS [2] http://www.libsrs2.org/ Yes that does provide a (horrid) workaround (the mail from field was never meant to carry trace info), but it relies on _other mtas_ using it and in my experience a fair quantity don't. It is annoying to have your mail bounce just because you have set up correct SPF records. JC -- You received this mail because you are subscribed to misc@opensmtpd.org To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
Re: Should we use DKIM and SPF?
On Thu, Apr 24, 2014 at 11:13 AM, Ashish SHUKLA ashish...@lostca.se wrote: On Sat, 19 Apr 2014 08:26:59 +0200, Martin Braun yellowgoldm...@gmail.com said: Hi I was thinking about adding DKIM and SPF to my OpenSMTPD setup as I have previously run with those, but I am in doubt. I am thinking about the worth of those technologies? I used to think SPF was a good idea, but SPF fails if someone forwards email to another server. Then the forwarding server is not listed in the SPF entry and the destination mail server will reject the email. SRS[1][2]. References: [1] http://www.openspf.org/SRS [2] http://www.libsrs2.org/ SPF itself is a decent idea this was just bound to happen since it makes the assumption that all valid mail from a domain only comes from servers that the domain knows about which may not necessarily be the case (see mailing lists) but this is one of the reasons to use both DKIM and SPF. generally if one passes it scores high enough to cancel out that the other failed. DKIM is supposed to prove that messages are authentic, not SPF. SPF is setup to prove that a sending server has the right to send on behalf of a domain. They really are meant to work hand in hand and solve different problems. So if you were using DKIM and SPF SRS would not be an issue since the DKIM info in the header proves the message came from a valid source. -- Jason Barbier | jab...@serversave.us Pro Patria Vigilans
Re: Should we use DKIM and SPF?
On Sat, 19 Apr 2014 08:26:59 +0200, Martin Braun yellowgoldm...@gmail.com said: Hi I was thinking about adding DKIM and SPF to my OpenSMTPD setup as I have previously run with those, but I am in doubt. I am thinking about the worth of those technologies? I used to think SPF was a good idea, but SPF fails if someone forwards email to another server. Then the forwarding server is not listed in the SPF entry and the destination mail server will reject the email. SRS[1][2]. References: [1] http://www.openspf.org/SRS [2] http://www.libsrs2.org/ HTH -- Ashish SHUKLA “The three most dangerous things in the world are a programmer with a soldering iron, a hardware type with a program patch and a user with an idea.” (The Wizardry Compiled by Rick Cook) Sent from my Emacs signature.asc Description: PGP signature
Re: Should we use DKIM and SPF?
Hi Martin, On 19 Apr 2014 08:26, Martin Braun wrote: And I don't know if DKIM signing is really necessary. From my experience, most reputable mail sources already use DKIM and SPF. By implementing these into your setup, your mail will gain some extra points so as to get past spam filters in strict setups. Then the forwarding server is not listed in the SPF entry and the destination mail server will reject the email. If you see yourself forwarding your mail through other hosts, it might be a good idea to include them into your allowed host rules. I only have SPF at the moment, but I don't filter incoming mail based on SPF rules (waiting for native filter for OpenSMTPD). The setup takes 10 minutes so, why not? Cheers. -- Enric Morales m...@enric.me -- You received this mail because you are subscribed to misc@opensmtpd.org To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
Re: Should we use DKIM and SPF?
On 2014-04-19 Sat 08:26 AM |, Martin Braun wrote: I was thinking about adding DKIM and SPF to my OpenSMTPD setup as I have previously run with those, but I am in doubt. I am thinking about the worth of those technologies? OK for sending, waste of time for receiving validation. SPF is grossly abused, and DKIM mail must be received before it can be inspected. Useless. See the section SPF found potentially useful and the 1st comment of: http://bsdly.blogspot.co.uk/2007/07/harvesting-noise-while-its-still-fresh.html OpenBSD's spamd + greyscanner rocks! These helpers work with spamd for bulk trap address loading: http://web.britvault.co.uk/products/abersnuik/ http://web.britvault.co.uk/products/spamdba/ I've vastly modified greyscanner to check DNS PTR records DNS RBLs. e.g: https://bitbucket.org/bonetruck/greyscanner/pull-request/5/ Nothing else is needed to filter incoming spam. -- You received this mail because you are subscribed to misc@opensmtpd.org To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
Re: Should we use DKIM and SPF?
Le samedi 19 avril 2014, 11:29:52 Craig R. Skinner a écrit : On 2014-04-19 Sat 08:26 AM |, Martin Braun wrote: I was thinking about adding DKIM and SPF to my OpenSMTPD setup as I have previously run with those, but I am in doubt. I am thinking about the worth of those technologies? OK for sending, waste of time for receiving validation. SPF is grossly abused, and DKIM mail must be received before it can be inspected. Useless. See the section SPF found potentially useful and the 1st comment of: http://bsdly.blogspot.co.uk/2007/07/harvesting-noise-while-its-stil l-fresh.html OpenBSD's spamd + greyscanner rocks! These helpers work with spamd for bulk trap address loading: http://web.britvault.co.uk/products/abersnuik/ http://web.britvault.co.uk/products/spamdba/ I read something about distributing spamlist through bgp. http://bgp-spamd.net/index.html Someone tried ? I've vastly modified greyscanner to check DNS PTR records DNS RBLs. e.g: https://bitbucket.org/bonetruck/greyscanner/pull-request/5/ Nothing else is needed to filter incoming spam. signature.asc Description: This is a digitally signed message part.
