Mailing List Archive

limit ip-range for "pass" elements
Hello,

Sometimes I meet badly configured SPF entries for domains, which
contain "+all" elements. I've also met a domain with an entry like
this:

ip4:0.0.0.0/2 ip4:64.0.0.0/2 ip4:128.0.0.0/2 ip4:192.0.0.0/2

Looks like spammers are using such domains (or maybe even creating
them) to get extra anti-spam scores for their mailings.

I think some countermeasures might be introduced into libspf.

My concept is a configurable limit for class bits (e.g. 16, 20 bits)
which would transfer the "pass" element to "neutral" state if the IP
class size is exceeded.


--
Wojtuś.net


-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/

Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com
Re: limit ip-range for "pass" elements
On Sat, 7 Nov 2009 20:45:25 +0100 Wojciech Scigala <libspf2.org@wojtus.net>
wrote:
>Hello,
>
>Sometimes I meet badly configured SPF entries for domains, which
>contain "+all" elements. I've also met a domain with an entry like
>this:
>
>ip4:0.0.0.0/2 ip4:64.0.0.0/2 ip4:128.0.0.0/2 ip4:192.0.0.0/2
>
>Looks like spammers are using such domains (or maybe even creating
>them) to get extra anti-spam scores for their mailings.
>
>I think some countermeasures might be introduced into libspf.
>
>My concept is a configurable limit for class bits (e.g. 16, 20 bits)
>which would transfer the "pass" element to "neutral" state if the IP
>class size is exceeded.
>
I think you are attacking the problem from the wrong end.

I think you should take note of such domains and mark all mail from them as
bad. This should be done at the application level, not in the library.

It's a good thing the spammers are telling you about a bad domain.

Scott K


Re: limit ip-range for "pass" elements
On Sat, Nov 07, 2009 at 02:55:30PM -0500, Scott Kitterman wrote:

> I think you should take note of such domains and mark all mail from them as
> bad. This should be done at the application level, not in the library.
>
> It's a good thing the spammers are telling you about a bad domain.
Well, I don't think that's a good approach. Firstly, that would need
a double, independent checking of the SPF record (by libspf and
application). Secondly, numbers of these domains are hard to
estimate and maybe it would need an RBL-like solution.

Also, keep in mind that a spammer does not need to have any access
to the domain to abuse its wrong SPF code.


--
Wojtuś.net


Re: limit ip-range for "pass" elements
On Sat, 7 Nov 2009 21:25:17 +0100 Wojciech Scigala <libspf2.org@wojtus.net>
wrote:
>On Sat, Nov 07, 2009 at 02:55:30PM -0500, Scott Kitterman wrote:
>
>> I think you should take note of such domains and mark all mail from them as
>> bad. This should be done at the application level, not in the library.
>>
>> It's a good thing the spammers are telling you about a bad domain.
>Well, I don't think that's a good approach. Firstly, that would need
>a double, independent checking of the SPF record (by libspf and
>application). Secondly, numbers of these domains are hard to
>estimate and maybe it would need an RBL-like solution.
>
>Also, keep in mind that a spammer does not need to have any access
>to the domain to abuse its wrong SPF code.
>
True, but it takes DNS access to publish such a record, so that's probably
good enough for me.

Scott K
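
The prefix limit proposed at the top of this thread, sketched at the application level as an added example (it is not part of any message above and is not libspf2 code). The function names, the `v=spf1` wrapper around the quoted mechanisms and the IPv6 limit of 32 bits are assumptions; only `ip4`, `ip6` and `all` are evaluated, since the other mechanisms need DNS.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample: the four /2 mechanisms quoted in the thread, wrapped in v=spf1.
WIDE = "v=spf1 ip4:0.0.0.0/2 ip4:64.0.0.0/2 ip4:128.0.0.0/2 ip4:192.0.0.0/2"

def parse_terms(record):
    """Yield (result, term, network_or_None) for ip4/ip6/all terms, in order."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        qual = "+"  # a missing qualifier means "+" (pass)
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            yield QUALIFIERS[qual], term, None
        elif name in ("ip4", "ip6") and arg:
            # strict=False tolerates host bits set in the published network
            yield QUALIFIERS[qual], term, ipaddress.ip_network(arg, strict=False)
        # include, a, mx, redirect= and the rest need DNS and are skipped here

def check(record, client_ip, min_v4=16, min_v6=32):
    """First-match evaluation; a "pass" from an over-broad term becomes "neutral"."""
    ip = ipaddress.ip_address(client_ip)
    for result, term, net in parse_terms(record):
        if net is None:  # "all" matches every sender, so it is always too broad
            matched, too_broad = True, True
        else:
            matched = ip.version == net.version and ip in net
            limit = min_v4 if net.version == 4 else min_v6
            too_broad = net.prefixlen < limit
        if matched:
            if result == "pass" and too_broad:
                return "neutral", term  # the downgrade proposed in the thread
            return result, term
    return "neutral", None  # nothing matched

if __name__ == "__main__":
    print(check(WIDE, "203.0.113.7"))
    print(check("v=spf1 +all", "198.51.100.1"))
```

The returned term names the mechanism that triggered the downgrade, which is what an application would log if it wanted to keep a list of such domains.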

