Re: SPF penetration
On Wednesday, 22 March 2006 00:11 Sander Holthaus wrote:
> and it wouldn't surprise me if actively rejecting SPF-fails has the similar effects as strict RFC-enforcement or double reverse DNS-lookup. Lots less spam and lots more false positives.

No, because
1) by forcing strict RFC, lots of HAM will be rejected, because lots of mail servers are broken
2) 2revDNS just checks for the names, whereas
3) SPF is quite easy to set up, and easy to check and control. Mail server software is not touched, and it just breaks forwarding, so you have to allow all hosts that forward for your domain.

That said, today I had another strange effect with SPF, where a mailing list on an SPF domain forwarded to its users, some of them having redirections to other hosts which rejected the mail. But that was a misconfig, not the fault of SPF.

I have used SPF for quite a while, and it works well. I just got one report that mpay24.com has a mail list server which doesn't retry after a 4xx, but that's their problem. I reported them, they ignore it. That's life.

Regards, zmi
--
// Michael Monnerie, Ing.BSc --- it-management Michael Monnerie
// http://zmi.at Tel: 0660/4156531 Linux 2.6.11
// PGP Key: lynx -source http://zmi.at/zmi2.asc | gpg --import
// Fingerprint: EB93 ED8A 1DCD BB6C F952 F7F4 3911 B933 7054 5879
// Keyserver: www.keyserver.net Key-ID: 0x70545879
Re: SPF penetration
On Wednesday, 22 March 2006 18:47 Bazooka Joe wrote:
> with ISPs blocking port 25 and requiring you to use their mail server how are businesses going to enable spf of their domain when their employees could be sending mail from hundreds of different mail servers??

Use VPNs. Never allow anybody to send from servers not under your control with your domain name. If they got a virus|trojan|whatever and send SPAM, you could be blocked. Too bad.

Regards, zmi
--
// Michael Monnerie
RE: SPF penetration
Matt Kettler wrote:
> Real numbers from last week:
> Total messages scanned by SA: 19268
> Number of messages matching SPF_FAIL: 89
> Number of messages matching SPF_SOFTFAIL 493
> Number of messages matching SPF_NEUTRAL 200
> Number of messages matching SPF_PASS 6064

These numbers are for the last ~16 hours (I just started logging nones)
I check at MAIL FROM time using Mail::SPF::Query

pass: 467
none: 3297
softfail: 139
fail: 106
error: 2

Notice my FAIL percentage is much higher. This is probably because my domain publishes a -all record, and the most-frequently-spoofed domain for mail I receive is my own.

--
Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com
Software Engineer
RE: SPF penetration
Matthew.van.Eerde wrote:
> pass: 467
> none: 3297
> softfail: 139
> fail: 106
> error: 2

Oops, forgot neutral

none: 3357
pass: 486
neutral: 91
softfail: 140
fail: 110
error: 2

--
Matthew.van.Eerde (at) hbinc.com
Re: SPF penetration
with ISPs blocking port 25 and requiring you to use their mail server how are businesses going to enable spf of their domain when their employees could be sending mail from hundreds of different mail servers??

On 3/22/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> Matthew.van.Eerde wrote:
> > pass: 467
> > none: 3297
> > softfail: 139
> > fail: 106
> > error: 2
>
> Oops, forgot neutral
>
> none: 3357
> pass: 486
> neutral: 91
> softfail: 140
> fail: 110
> error: 2
>
> --
> Matthew.van.Eerde (at) hbinc.com
RE: SPF penetration
Bazooka Joe wrote:
> with ISPs blocking port 25 and requiring you to use their mail server how are businesses going to enable spf of their domain when their employees could be sending mail from hundreds of different mail servers??

No-one's holding a gun to their head. If they don't want to enable SPF, that's fine.

SMTP AUTH on port 587 gets by the port 25 block

v=spf1 +all is sort of a silly SPF record, but it works

It all comes down to accountability. If a business allows its employees to send mail from anywhere, that's fine. That just means we can't distinguish legitimate mail from that business vs. spoofed mail from that business based on the sending relay.

--
Matthew.van.Eerde (at) hbinc.com
Re: SPF penetration
[EMAIL PROTECTED] wrote:
> Matt Kettler wrote:
> Notice my FAIL percentage is much higher. This is probably because my domain publishes a -all record, and the most-frequently-spoofed domain for mail I receive is my own.

I publish as soft-fail. That said, SA doesn't receive that much email spoofed from my domain.

I whitelist my hosts by IP, then greylist anything attempting to use the local domain as a return path. This effectively knocks off most of the viruses, frauds and spams trying to forge my domain. I still get some, but I only get ones that can work their way past a greylist.
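Added example, not part of any message in this thread: a minimal Python evaluator for literal SPF records, showing how the -all, soft-fail (~all) and +all policies mentioned in the messages above change the result for a host outside the domain's listed relays. The records, addresses and function names are constructed for illustration; only the ip4, ip6 and all mechanisms are handled and no DNS lookups are made.

```python
import ipaddress

# Qualifier prefix -> SPF result name (RFC 7208).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, sender_ip):
    """Evaluate a literal SPF record against the connecting host's IP.

    Anything that would need DNS (a, mx, include, redirect, ...) is
    reported as "unsupported" instead of being guessed at.
    """
    if record is None:
        return "none"                      # domain publishes no SPF record
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF version 1 record
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                    # a bare mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]   # matches every sender
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            return "unsupported"
    return "neutral"                       # no mechanism matched

# Constructed sample data (documentation address ranges, RFC 5737).
RECORDS = {
    "strict (-all)": "v=spf1 ip4:192.0.2.0/24 -all",
    "soft (~all)": "v=spf1 ip4:192.0.2.0/24 ~all",
    "open (+all)": "v=spf1 +all",
    "unpublished": None,
}
OWN_RELAY, FOREIGN_HOST = "192.0.2.25", "203.0.113.7"

def results_table():
    """Map policy name -> (result for own relay, result for foreign host)."""
    return {name: (check_spf(rec, OWN_RELAY), check_spf(rec, FOREIGN_HOST))
            for name, rec in RECORDS.items()}

if __name__ == "__main__":
    for name, (own, foreign) in results_table().items():
        print(f"{name:15} own relay: {own:9} foreign host: {foreign}")
```

With +all the foreign host gets the same result as the domain's own relay, so a receiver cannot tell the two apart by sending host.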
Re: SPF penetration
On Tuesday, 21 March 2006 06:28 jdow wrote:
> I'd hazard a guess that there is about as much spam that passes SPF tests as there is ham that passes SPF tests.

I bet. SPF is NOT a means to check whether it's SPAM or HAM. It can just tell you if a sender host is permitted to send e-mail for the given domain, so you can prevent *forgery* of e-mails, which I find important. I don't want others to be able to send from @zmi.at, and every good mail server that checks SPF will never get a spoof.

Regards, zmi
--
// Michael Monnerie
Re: SPF penetration
jdow wrote:
> I'd hazard a guess that there is about as much spam that passes SPF tests as there is ham that passes SPF tests.

I'd follow. I even think there are more spammers with good spf than legit' people with spf.

> At least in the case of spam it means the blacklists mean something.

one thing we know: spammers don't care if spf breaks forwarding...
Re: SPF penetration
Michael Monnerie wrote:
> I bet. SPF is NOT a means to check whether it's SPAM or HAM. It can just tell you if a sender host is permitted to send e-mail for the given domain, so you can prevent *forgery* of e-mails, which I find important. I don't want others to be able to send from @zmi.at, and every good mail server that checks SPF will never get a spoof.

maybe, but my server won't care. I will accept mail from @zmi.at from any host (I'll scan it for spam, but I don't care where it came from, neither positively nor negatively), and if the sender is one of my users, I'll forward it to you. if you're not happy, block list me. Let's balkanise the internet... but let's all play this game ;-p

- if you wanna add spf records, do
- if you wanna check spf, do

but that's all.
Re: SPF penetration
On Tuesday, 21 March 2006 21:42 mouss wrote:
> - if you wanna add spf records, do
> - if you wanna check spf, do

And if you don't care about spoofs, don't check it.

Regards, zmi
--
// Michael Monnerie
Re: SPF penetration
On Tuesday, 21 March 2006 21:35 mouss wrote:
> I'd follow. I even think there are more spammers with good spf than legit' people with spf.

Could also be. SPF still doesn't help against SPAM, just against forgery. Where SPAM often tries to forge, but that's another story.

> one thing we know: spammers don't care if spf breaks forwarding...

We have to adopt. As somebody mentioned in another thread: there was a time when open relays were considered a good thing. Then came SPAM.

Regards, zmi
--
// Michael Monnerie
Re: SPF penetration
Philip Prindeville wrote:
> Anyone have monthly numbers for the percentages of sites that have SPF turned on for their incoming messages?
>
> I.e. if you received 1000 messages last month... how many unique domains were represented, and of those, how many had SPF enabled?
>
> And how many messages turned out to be spoofed by the SPF failure test?

Domains, not sure, but I can give you some numbers on messages.

Real numbers from last week:
Total messages scanned by SA: 19268
Number of messages matching SPF_FAIL: 89
Number of messages matching SPF_SOFTFAIL 493
Number of messages matching SPF_NEUTRAL 200
Number of messages matching SPF_PASS 6064

Note however: I greylist most dynamic hosts, so I'll get a lot less SPF failures than most folks.

Even so, only 31% of my mail comes from domains that support SPF.

Strangely, the SPF_FAIL matches don't come from a small number of domains. At casual glance, there's not that many duplicates. Some of them are even SPF failures for SURBL listed spam domains!

Here's a small sampling of domains that the 89 spf failures were spread across:
passport.yandex.ru gmx.ch tm.net.my tlen.pl charter.com zx.com mail.offermonkey-zz.com fastnbetter.com mail.rick-list.net buss.com angelfire.com

Here's some SPF_FAILs that were forging domains listed in URIBLs (munged to avoid being bounced by the list, since even mentioning a domain that's on a lot (ie: 4) of SURBL lists is enough score to break the list's 10-point limit):
ihllywd*MUNGED-WS_BLACK*.com sureroad*MUNGED-WS_BLACK*.com outpostsmem*MUNGED-WS_OB*.com dizclck*MUNGED-WS_BLACK*.com gatebuys*MUNGED-WS_BLACK*.com hollygwired*MUNGED-WS*.com 19co19*MUNGED-BLACK*.com 17co17*MUNGED-BLACK*.com

Note: I munged them with the names of the URIBLs that list them. BLACK is uribl.com's black; WS and OB are the respective lists on surbl.org
Re: SPF penetration
Michael Monnerie wrote:
> On Tuesday, 21 March 2006 21:35 mouss wrote:
> > I'd follow. I even think there are more spammers with good spf than legit' people with spf.
>
> Could also be. SPF still doesn't help against SPAM, just against forgery. Where SPAM often tries to forge, but that's another story.
>
> > one thing we know: spammers don't care if spf breaks forwarding...
>
> We have to adopt. As somebody mentioned in another thread: there was a time when open relays were considered a good thing. Then came SPAM.
>
> Regards, zmi

SPF is just another tool to help against spam/phishing/viruses, but that is it. It won't or can't stop them, and it wouldn't surprise me if actively rejecting SPF-fails has the similar effects as strict RFC-enforcement or double reverse DNS-lookup. Lots less spam and lots more false positives.

Kind regards,
Sander Holthaus
Re: SPF penetration
From: Michael Monnerie [EMAIL PROTECTED]
> And if you don't care about spoofs, don't check it.

Not long ago I learned about a malformed spf spoof trick that allowed spam through from addresses not normally allowed to send it directly.

{^_^}
SPF penetration
Anyone have monthly numbers for the percentages of sites that have SPF turned on for their incoming messages?

I.e. if you received 1000 messages last month... how many unique domains were represented, and of those, how many had SPF enabled?

And how many messages turned out to be spoofed by the SPF failure test?

Thanks,
-Philip
Re: SPF penetration
From: Philip Prindeville [EMAIL PROTECTED]
> Anyone have monthly numbers for the percentages of sites that have SPF turned on for their incoming messages?
>
> I.e. if you received 1000 messages last month... how many unique domains were represented, and of those, how many had SPF enabled?
>
> And how many messages turned out to be spoofed by the SPF failure test?

I'd hazard a guess that there is about as much spam that passes SPF tests as there is ham that passes SPF tests.

At least in the case of spam it means the blacklists mean something.

{o.o}