Mailing List Archive

SPF_FAIL
Dear Colleagues,

Why does SpamAssassin (Debian 10, SpamAssassin 3.4.2) not count an SPF
check fail as a symptom of spam? That's what I see in the spam report:

0.0 SPF_FAIL SPF: sender does not match SPF record (fail)

No spam points for an SPF fail? And it's even a hard fail (a "-all") in
this case.

I can probably bump up the score for SPF_FAIL but would like to know
first why it is a 0.0 by default. This was probably someone's
well-grounded decision?

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
Re: SPF_FAIL [ In reply to ]
Victor Sudakov skrev den 2020-11-04 15:47:

> 0.0 SPF_FAIL SPF: sender does not match SPF record (fail)

feel free to add into local.cf

score SPF_FAIL (5) (5) (5) (5)

this will add 5 points to default score

i just think default score is made for spamass milter users who do
rejects of spam mails, but why not honor spf fail rejections, hmm
Re: SPF_FAIL [ In reply to ]
Please don't hijack existing threads.

On Wed, 4 Nov 2020 21:47:34 +0700
Victor Sudakov wrote:

> Dear Colleagues,
>
> Why does SpamAssassin (Debian 10, SpamAssassin 3.4.2) not count an SPF
> check fail as a symptom of spam? That's what I see in the spam
> report:
>
> 0.0 SPF_FAIL SPF: sender does not match SPF record
> (fail)
>
> No spam points for an SPF fail? And it's even a hard fail (a "-all")
> in this case.
>
> I can probably bump up the score for SPF_FAIL but would like to know
> first why it is a 0.0 by default. This was probably someone's
> well-grounded decision?

It was probably set a long time ago when the situation was worse, but
even now it doesn't do well in QA:

https://ruleqa.spamassassin.org/20201031-r1883012-n/SPF_FAIL/detail

With an S/O of 0.651 it's barely a spam indicator on its own. If you
look at the score map it's hitting a lot of ham that's not far below
the threshold (at least in score set 0).
Re: SPF_FAIL [ In reply to ]
On 4 Nov 2020, at 9:47, Victor Sudakov wrote:

> Dear Colleagues,
>
> Why does SpamAssassin (Debian 10, SpamAssassin 3.4.2) not count an SPF
> check fail as a symptom of spam? That's what I see in the spam report:
>
> 0.0 SPF_FAIL SPF: sender does not match SPF record (fail)
>
> No spam points for an SPF fail?

Technically that's 0.001, because it is used in 'meta' rules and so must not be scored at 0. With Bayes disabled it gets more weight: 0.919. Those appear to have been determined based on a "GA" rescore run some time ago. The latest network mass-check (https://ruleqa.spamassassin.org/20201031-r1883012-n/SPF_FAIL/detail) indicates that SPF_FAIL is not a very good performer on its own.

> And it's even a hard fail (a "-all") in
> this case.
>
> I can probably bump up the score for SPF_FAIL but would like to know
> first why it is a 0.0 by default. This was probably someone's
> well-grounded decision?


Yes.

1. Incorrect SPF records are not rare. Even '-all' records with some permitted IPs.

2. Traditional (/etc/aliases, ~/.forward, etc.) transparent forwarding breaks SPF.



--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
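
Added example, not part of any post in this thread and not SpamAssassin's own code: a small Python model of how `score` lines resolve across the four score sets, and what the parenthesized (relative) override suggested earlier does to SPF_FAIL. The stock line is assembled from the two values quoted above, its zeros for the non-network sets are an assumption, and `LOCAL_HAM_SIGN` is a hypothetical rule.

```python
import re

# Order of the four values on a `score` line (SpamAssassin score sets):
# 0 = no network tests, no Bayes   1 = network tests, no Bayes
# 2 = no network tests, Bayes      3 = network tests and Bayes
REQUIRED_SCORE = 5.0  # SpamAssassin's default spam threshold

def apply_score_lines(lines, scores=None):
    """Apply `score` lines in order; return {rule: [set0, set1, set2, set3]}."""
    scores = {k: list(v) for k, v in (scores or {}).items()}
    for raw in lines:
        m = re.match(r"score\s+(\S+)\s+(.+)$", raw.split("#", 1)[0].strip())
        if not m:
            continue  # not a score directive
        rule, fields = m.group(1), m.group(2).split()
        if len(fields) not in (1, 4):
            raise ValueError(f"this sketch handles 1 or 4 values: {raw!r}")
        # Parentheses make the line relative to the score already set.
        relative = any(f.startswith("(") for f in fields)
        values = [float(f.strip("()")) for f in fields]
        if len(values) == 1:
            values = values * 4  # a single value applies to every score set
        if relative:
            base = scores[rule]  # KeyError if nothing was set before
            values = [round(b + v, 3) for b, v in zip(base, values)]
        scores[rule] = values
    return scores

def total(hits, scores, score_set):
    """Sum the scores of the rules a message hit, for one score set."""
    return round(sum(scores[r][score_set] for r in hits), 3)

# Constructed input. The stock line is assembled from the two values quoted in
# the thread (0.919 without Bayes, 0.001 with Bayes); the zeros for the
# non-network sets are an assumption. LOCAL_HAM_SIGN is a hypothetical rule.
STOCK = ["score SPF_FAIL 0 0.919 0 0.001", "score LOCAL_HAM_SIGN -1.5"]
LOCAL_CF = ["score SPF_FAIL (5) (5) (5) (5)  # override from the thread"]

stock = apply_score_lines(STOCK)
tuned = apply_score_lines(LOCAL_CF, stock)

if __name__ == "__main__":
    for name, table in (("stock", stock), ("tuned", tuned)):
        alone = total(["SPF_FAIL"], table, 3)
        mixed = total(["SPF_FAIL", "LOCAL_HAM_SIGN"], table, 3)
        print(name, table["SPF_FAIL"], "alone:", alone >= REQUIRED_SCORE,
              "with ham rule:", mixed >= REQUIRED_SCORE)
```

With the relative override, an SPF fail alone reaches the default threshold in every score set; a single negative-scoring rule brings the constructed message back under it.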
Re: SPF_FAIL [ In reply to ]
Benny Pedersen wrote:
> Victor Sudakov skrev den 2020-11-04 15:47:
>
> > 0.0 SPF_FAIL SPF: sender does not match SPF record (fail)
>
> feel free to add into local.cf
>
> score SPF_FAIL (5) (5) (5) (5)
>
> this will add 5 points to default score

Is that sarcasm, Benny? I don't deserve it.

An SPF fail is by no means a sure sign of spam. It can be some indicator
of spamicity (as I thought), but not a decisive sign thereof.

Moreover, after reading other replies in the thread, I am even beginning to
doubt the wisdom of rejecting hard SPF fails in the MTA (which I do in
some installations).

>
> i just think default score is made for spamass milter users who do rejects
> of spam mails, but why not honor spf fail rejections, hmm

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
Re: SPF_FAIL [ In reply to ]
RW wrote:
>
> Please don't hijack existing threads.

Oh, sorry about that.

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
Re: SPF_FAIL [ In reply to ]
On 05/11/2020 21:54, Victor Sudakov wrote:

> An SPF fail is by no means a sure sign of spam. It can be some indicator
> of spamicity (as I thought), but not a decisive sign thereof.

SPF was never designed to be anti-spam, although on face value it does
have that ability given that spammers impersonate domains, it is one of
many tools required in that battle.

I was an early adopter of SPF, in its very very early stages. There are
some rare instances in early days where SPF may break in some forwarding
cases, but for well over a decade most forwarders re-write sender so it's
not a problem, it's never been a problem with mailing lists for me
either, unlike DKIM, I've never experienced any deliverability problems
due to SPF, but YMMV.

Microsoft's SRS however gave a lot of headaches with mailing lists and
was such a flop even Microsoft advises against its use.

> doubt the wisdom of rejecting hard SPF fails in the MTA

Why? Because a handful of people are too clueless to keep their records
up to date? They set those records in the first place to prevent spoofing,
they know the risks, they know if they change AS's or suppliers they have
to modify those records, I mean FFS, they change all other records to
new IPs don't they, so frankly they get what they deserve if they can't
be bothered.

>> i just think default score is made for spamass milter users who do rejects
>> of spam mails, but why not honor spf fail rejections, hmm

If they set a softfail, they don't really care if that domain is
spoofed, or it just isn't an important domain, I adjust my SA rules to
force softfails as spam, I hard reject hardfails on MTA, and I also
null out any and all whitelisting in SA,

trust must be earned, not assumed.

--
Regards,
Noel Butler

Re: SPF_FAIL [ In reply to ]
>> Victor Sudakov skrev den 2020-11-04 15:47:
>>
>> > 0.0 SPF_FAIL SPF: sender does not match SPF record (fail)

>Benny Pedersen wrote: feel free to add into local.cf
>> score SPF_FAIL (5) (5) (5) (5)
>>
>> this will add 5 points to default score

On 05.11.20 18:54, Victor Sudakov wrote:
>Is that sarcasm, Benny? I don't deserve it.
>
>An SPF fail is by no means a sure sign of spam. It can be some indicator
>of spamicity (as I thought), but not a decisive sign thereof.

we are aware of that. That's the main reason SPF_FAIL score is not high.

but you can do that and expect other rules to push score back to ham range.

>Moreover, after reading other replies in the thread, I am even beginning to
>doubt the wisdom of rejecting hard SPF fails in the MTA (which I do in
>some installations).

you can still do that as policy decision.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.
Re: SPF_FAIL [ In reply to ]
Matus UHLAR - fantomas wrote:
> > > Victor Sudakov skrev den 2020-11-04 15:47:
> > >
> > > > 0.0 SPF_FAIL SPF: sender does not match SPF record (fail)
>
> > Benny Pedersen wrote: feel free to add into local.cf
> > > score SPF_FAIL (5) (5) (5) (5)
> > >
> > > this will add 5 points to default score
>
> On 05.11.20 18:54, Victor Sudakov wrote:
> > Is that sarcasm, Benny? I don't deserve it.
> >
> > An SPF fail is by no means a sure sign of spam. It can be some indicator
> > of spamicity (as I thought), but not a decisive sign thereof.
>
> we are aware of that. That's the main reason SPF_FAIL score is not high.
>
> but you can do that and expect other rules to push score back to ham range.

If I get users' complaints about false negatives and see that they could
have been prevented by setting a higher score for SPF_FAIL, I'll do that.

>
> > Moreover, after reading other replies in the thread, I am even beginning to
> > doubt the wisdom of rejecting hard SPF fails in the MTA (which I do in
> > some installations).
>
> you can still do that as policy decision.

The practice of SRS is not widely adopted IMHO, so I shall prefer for
SPF_FAIL to be one of the many spamicity factors, and not a decisive
factor for rejection.

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
Re: SPF_FAIL [ In reply to ]
On Thu, 5 Nov 2020, Victor Sudakov wrote:

> Moreover, after reading other replies in the thread, I am even beginning to
> doubt the wisdom of rejecting hard SPF fails in the MTA (which I do in
> some installations).

"it depends".

Doing that for certain domains - like, large banks - would probably be a
good idea. By default, for all domains, not so much.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
4 days until The 82nd anniversary of Kristallnacht - disarmament enables genocide