SPF - Sender Policy Framework

Started by LogicX, September 13, 2004, 09:35:48 AM

Previous topic - Next topic

LogicX

Matt/ Everyone:

Whats your opinion of http://spf.pobox.com/" target="_blank">SPF?  Do you implement it? Do you feel everyone should?  IS it the 'right thing' to do?

Specifically as far as qmail/mail toaster is concerned -- Matt -- do you forsee http://wooledge.org/~greg/qmail-srs.html" target="_blank">implementing http://spf.pobox.com/srs.html" target="_blank">SRS (Sender Rewriting Scheme) in the toaster?

Theres a lot of http://it.slashdot.org/article.pl?sid=04/09/13/1317238&tid=172&tid=95&tid=218" target="_blank">buzz on SPF over at slashdot today, as the IETF just decided not to go with Microsoft's implementation.
--- May this post be indexed by spiders, and archived for all to see as my internet epitaph.
http://fpux.com" target="_blank">http://fpux.com


LogicX

I see a lot of my spam coming from legit looking domains

A quick survey through 5 spams in my box showed two of them have SPF configured, and the originating source of the spam did not validate against the info in the TXT record.

To me -- that seems like a good thing.

I understand its not end-all
but atleast it'll stop people from being confused by getting spam from domains they trust --

how about all the ebay/paypal scams that come in saying they're from paypal.com/ebay.com? -- those would not match ebay's SPF; and walla -- reject it.
--- May this post be indexed by spiders, and archived for all to see as my internet epitaph.
http://fpux.com" target="_blank">http://fpux.com

matt

I believe SPF is a good thing. I also plan to implement it in the Mail::Toaster, as soon as I'm comfortable that the implementation isn't going to cause toaster owners more harm than good. For the ones that need it now, there are beta grade patches out there that add SPF support.

Almost a year ago, I added SPF records to my DNS for several of my domains. While this doesn't add SPF to my mail server, it does enable other SPF enabled mail servers to prevent the reception of spoofed email from my domains. This is something everyone should do, regardless of whether they choose to use SPF.

I agree with the conclusions that SPF will not reduce spam, but it will certainly reduce spoofing, one of the most insidious of spams forms. If you've even been the recipient of a mail flood because some spamming pig forged your domain in his reply-to field, you'll understand what I mean.

I also think it'll help diagnose spam more easily as spammers will have to buy domains, set them up with SPF, and thus make them easy to identify via blacklists.

In conclusion, SPF isn't a magic pill, but rather a nice little addition to the spam tools in our arsenal.

netgeek


LogicX

http://spamassassin.apache.org" target="_blank">SpamAssassin 3.0 was released, which in its ChangeLog lists:
- SpamAssassin now includes support for SPF (the Sender Policy
Framework, http://spf.pobox.com/" target="_blank">http://spf.pobox.com/).
--- May this post be indexed by spiders, and archived for all to see as my internet epitaph.
http://fpux.com" target="_blank">http://fpux.com

matt

Just a note, SPF is integrated into Mail::Toaster now. Do a search on http://www.tnpi.biz/" target="_blank">http://www.tnpi.biz/ for SPF.

Matt

vantage255

Is anyone out there using the spamassassin spf filtering rules with success?

I am testing a system where I am allowind my users to enable and set the score of spf tests through the spamassassin DB. This seams to be working pretty well and has the added benefit that any user who complains can be pointed at their own conf settings as the culprit.

HI.   This is my .sig