On 15/08/14 18:54, Joe Quinn wrote:
On 8/15/2014 1:50 PM, David F. Skoll wrote:
On Fri, 15 Aug 2014 10:39:03 -0700 (PDT)
John Hardin <jhar...@impsec.org> wrote:
On Fri, 15 Aug 2014, David F. Skoll wrote:
SPF is so easy ("v=spf1 +all")
Doing *that* should be worth a point or two by itself.
Yes. I even thought about implementing it, but there are so many ways
to achieve this:
v=spf1 +all
v=spf1 ip4:128.0.0.0/1 ip4:0.0.0.0/1
v=spf1 exists:openspf.org
... etc...
that we really need an SPF normalizing library that tells you what
percentage of IPv4 space would pass, and then add points for anyone
claiming (say) that more than 1% of total IPv4 space is OK. (Though the
exists: mechanism is nasty; not sure you even can predict what
percentage of IPv4 is covered in complex cases.)
Regards,
David.
I guess the logical next question would be what proportion of spam uses
universal SPF to eke out negative points. Has anyone seen this sort of
thing in the wild?
I've been dealing with this outside of SA for quite a while now. Here's
the last month on my low volume dev box:
[root@mail1-ec2 Haraka]# grep -h 'ignoring SPF' /var/log/maillog* | tr -s " " | cut -d" " -f8- | sort | uniq -c | sort -rn
590 [sender_auth] ignoring SPF Pass result: v=spf1 a +all
363 [sender_auth] ignoring SPF Pass result: v=spf1 mx ptr +all
86 [sender_auth] ignoring SPF Pass result: v=spf1 +all
62 [sender_auth] ignoring SPF Pass result: v=spf1 a mx +all
23 [sender_auth] ignoring SPF Pass result: v=spf1 ip4:17.0.0.0/8 ~all
4 [sender_auth] ignoring SPF Pass result: v=spf1 ip4:162.0.0.0/8 ip4:107.161.144.0/8 ~all
3 [sender_auth] ignoring SPF Pass result: v=spf1 ip4:0.0.0.0/1 ip4:130.0.0.0/1 ~all
3 [sender_auth] ignoring SPF Pass result: v=spf1 a mx ptr mx:mail.windmedya.net ip4:46.235.13.163 +all
2 [sender_auth] ignoring SPF Pass result: v=spf1 a mx ip4:69.16.157.128/25 +all
1 [sender_auth] ignoring SPF Pass result: v=spf1 mx ip4:77.232.64.0/19 +all
1 [sender_auth] ignoring SPF Pass result: v=spf1 mx ip4:183.91.18.234 +all
1 [sender_auth] ignoring SPF Pass result: v=spf1 include:_spf.uni5.net a mx ptr ip4:177.74.160.0/20 ip4:177.91.0.0/22 ip4:74.50.96.0/19 ip4:201.28.44.232/30 ip4:177.223.221.0/24 ip4:199.193.112.0/21 ip4:177.47.96.0/19 ip4:177.36.16.0/20 ip4:68.233.224.0/19 +all
1 [sender_auth] ignoring SPF Pass result: v=spf1 include:_spf.uni5.net a mx ptr ip4:177.74.160.0/20 ip4:177.91.0.0/22 ip4:177.47.96.0/19 ip4:177.36.16.0/20 +all
1 [sender_auth] ignoring SPF Pass result: v=spf1 include:spf-a.roh.org.uk include:spf-b.roh.org.uk +all
1 [sender_auth] ignoring SPF Pass result: v=spf1 a ptr ip4:85.95.239.112 mx:mail.yunusemregroup.net +all
1 [sender_auth] ignoring SPF Pass result: v=spf1 a mx ptr mx:mail.sakaryadental.com ip4:91.191.171.161 +all
1 [sender_auth] ignoring SPF Pass result: v=spf1 a ip4:194.225.184.4 include:iums.ac.ir +all
I ignore and flag SPF Pass results where +all is set or if the netmask
on ip4: is /[0-8] - that obviously isn't perfect as it doesn't handle
the exists: case (which I admittedly hadn't thought of).
I'm doing this at the SMTP level; a quick look through the logs shows
that the top hitting pattern (v=spf1 a +all) is matching a lot of
invalid recipients or DNSBL blacklisted connections indicating that it's
a definite spam indicator.
Kind Regards,
Steve.
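The "what fraction of IPv4 would this record pass" check David asks for, combined with Steve's "+all or ip4 netmask of /8 or wider" rule, as an added example written for this page; it is not code from the thread, from Haraka or from SpamAssassin. It assumes only the Python 3 standard library and does no DNS lookups, so a, mx, ptr, include and exists terms are reported as unresolved rather than counted, which is precisely the exists: blind spot both posters mention.

```python
import ipaddress

IPV4_TOTAL = 2 ** 32

def analyse_spf(record):
    """Estimate how much of IPv4 space an SPF record lets through.

    Counts only '+'-qualified ip4: mechanisms and a '+all' terminal; hostname
    mechanisms (a, mx, ptr, include, exists) and modifiers are not resolved
    and are returned as 'unresolved', so the fraction is a lower bound.
    'nets' is the collapsed list of ip4 networks that would pass."""
    if not record.lower().startswith("v=spf1"):
        raise ValueError("not an SPF record")
    nets, unresolved, plus_all = [], [], False
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if "=" in term:                 # modifier such as redirect= or exp=
            unresolved.append(term)
            continue
        name, _, arg = term.partition(":")
        if name == "all":
            plus_all = plus_all or qualifier == "+"
        elif name == "ip4" and qualifier == "+":
            if "/" not in arg:
                arg += "/32"            # a bare address is a single host
            # strict=False accepts host bits set, e.g. ip4:130.0.0.0/1
            nets.append(ipaddress.ip_network(arg, strict=False))
        elif name in ("a", "mx", "ptr", "include", "exists"):
            unresolved.append(term)
    nets = list(ipaddress.collapse_addresses(nets))  # de-duplicate overlaps
    covered = sum(n.num_addresses for n in nets)
    fraction = 1.0 if plus_all else covered / IPV4_TOTAL
    return {"fraction": fraction, "plus_all": plus_all,
            "nets": nets, "unresolved": unresolved}

def is_over_permissive(record, max_fraction=0.01, max_prefixlen=8):
    """True for records whose PASS should be ignored: '+all', more than
    max_fraction of IPv4 passing, or any single ip4 block at /8 or wider."""
    info = analyse_spf(record)
    wide_block = any(n.prefixlen <= max_prefixlen for n in info["nets"])
    return info["plus_all"] or info["fraction"] > max_fraction or wide_block

if __name__ == "__main__":
    # Constructed records, shaped like the ones quoted in the thread.
    for rec in ("v=spf1 +all", "v=spf1 ip4:128.0.0.0/1 ip4:0.0.0.0/1",
                "v=spf1 ip4:17.0.0.0/8 ~all", "v=spf1 exists:openspf.org",
                "v=spf1 ip4:192.0.2.0/24 mx -all"):
        print(f"{is_over_permissive(rec)!s:5} {analyse_spf(rec)['fraction']:.4f} {rec}")
```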