On 24-9-2018 17:13, Adam Katz wrote:
> These SPF records are all effectively equivalent (the fourth is Sender
> ID <https://en.wikipedia.org/wiki/Sender_ID>, we'll get to #5 later):
>
>     v=spf1 +all
>     v=spf1 all
>     v=spf1 all 192.0.2.0/24
>     v=spf2.0/mfrom +all
>     v=spf1 1.2.3.0/1 128.4.5.0/2 192.6.7.8/3 -all
>
> So therefore I propose regexps like /^v=spf[12].*[\s+]all\b/ and
> /^v=spf[12].*\s\?all\b/ (the latter should be very rare and a better
> indication of a clueless admin than a spammer).
>
> The fifth item above permits 0.0.0.0 to 223.255.255.255 and therefore
> only multicast and the reserved Class E network are banned. To address
> this, consider /^v=spf[12].*[0-9]\/[0-7]\b/. I haven't observed this
> sort of workaround (yet), but it's the attackers' logical escalation
> in response to this. (I conservatively chose a max mask of /7, though
> I don't think there's any legitimate use of /8, even by the remaining
> Class A holders
> <https://en.wikipedia.org/wiki/List_of_assigned_/8_IPv4_address_blocks#List_of_assigned_/8_blocks>
> like AT&T, HP, and the US DoD—nobody /should/ have an email network
> even approaching a /16 let alone a /8, though note that Google
> currently includes three /16s. I'm not sure where to draw a similar
> "too large" threshold for IPv6; perhaps /32?)
>
> -Adam (still here, sometimes)
A better idea might be testing if SPF for an external domain would pass
on your own server.
This is what milter greylist does.
http://hcpnet.free.fr/milter-greylist/
Though probably exceptional, according to the RFC +all *can be*
restrictive...
https://tools.ietf.org/html/rfc7208
A.4. Multiple Requirements Example
Say that your sender policy requires both that the IP address is
within a certain range and that the reverse DNS for the IP matches.
This can be done several ways, including the following:
    example.com.      SPF  ( "v=spf1 "
                             "-include:ip4._spf.%{d} "
                             "-include:ptr._spf.%{d} "
                             "+all" )
    ip4._spf.example.com.  SPF "v=spf1 -ip4:192.0.2.0/24 +all"
    ptr._spf.example.com.  SPF "v=spf1 -ptr +all"
This example shows how the "-include" mechanism can be useful, how an
SPF record that ends in "+all" can be very restrictive, and the use
of De Morgan's Law.
--
b.
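An added example, my own and not code from either message: it applies Adam's three regexps to an SPF record and also measures the IPv4 space that the record's pass-qualified ip4: terms actually grant, so the fifth record is caught by size rather than by pattern, and the RFC 7208 A.4 record shows the false positive b. points at. The /16 ceiling is an assumption lifted from Adam's remark, and bare CIDR terms are accepted only because his example uses them.

```python
import ipaddress
import re

# Adam's three patterns from the thread (case-insensitive, as SPF terms are).
PERMISSIVE_ALL = re.compile(r"^v=spf[12].*[\s+]all\b", re.I)
NEUTRAL_ALL = re.compile(r"^v=spf[12].*\s\?all\b", re.I)
WIDE_MASK = re.compile(r"^v=spf[12].*[0-9]/[0-7]\b", re.I)

# Assumed ceiling taken from Adam's remark that no mail network should
# approach a /16: more pass-qualified IPv4 space than that is suspicious.
MAX_IP4_ADDRESSES = 2 ** (32 - 16)


def allowed_ip4_networks(record):
    """Networks granted a pass by ip4: terms (or bare CIDRs, invalid SPF but
    used in Adam's fifth example) before the first 'all'; SPF never
    evaluates anything after 'all', so later terms are ignored."""
    nets = []
    for term in record.split()[1:]:
        qualifier, body = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if body.lower() == "all":
            break
        if qualifier != "+":          # -ip4:, ~ip4:, ?ip4: grant no pass
            continue
        if body.lower().startswith("ip4:"):
            body = body[4:]
        try:
            net = ipaddress.ip_network(body, strict=False)
        except ValueError:            # a, mx, include:, ptr, macros, ...
            continue
        if net.version == 4:
            nets.append(net)
    return list(ipaddress.collapse_addresses(nets))   # overlaps counted once

def ip4_addresses_allowed(record):
    """Number of distinct IPv4 addresses the record lets pass outright."""
    return sum(net.num_addresses for net in allowed_ip4_networks(record))

def spf_findings(record):
    """Labels that fire on one SPF TXT record; an empty list means clean."""
    findings = []
    if PERMISSIVE_ALL.search(record):
        findings.append("permissive-all")
    if NEUTRAL_ALL.search(record):
        findings.append("neutral-all")
    if WIDE_MASK.search(record):
        findings.append("mask-wider-than-/7")
    if ip4_addresses_allowed(record) > MAX_IP4_ADDRESSES:
        findings.append("ip4-space-over-/16")
    return findings
```

The A.4 record from the RFC trips the +all pattern despite being restrictive, which is why a real evaluation of the policy (as milter-greylist does) is the safer test.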