Mailing List Archive

Philip Prindeville <philipp_subx@redfish-solutions.com> writes:

> I'm looking at the 0.001 scoring for SPF_NONE and scratching my head. This was discussed a bit in early 2015, but maybe it needs revisiting with new perspective.
>
> Surely no one who cares about maintaining their reputation by
> protecting themselves against spoofing would fail to provide SPF
> records... So how is this score arrived at?
>
> And of Ham, how much of it has a valid SPF?
>
> And of Spam, how much of it lacks a valid SPF?
>
> Has anyone run some numbers?

I see 0.001 as a score that says: this might be a spam sign, we don't
know, and this way it shows up in reports, without really affecting
anything.

Lots of people think SPF is silly. And spammers spamming from a domain
they control can even dkim/dmarc. So I agree that actual data would be
interesting.

On Tue, Nov 30, 2021 at 11:47:36AM -0700, Philip Prindeville wrote:
> I'm looking at the 0.001 scoring for SPF_NONE and scratching my head. This was discussed a bit in early 2015, but maybe it needs revisiting with new perspective.

SPF is double edged sword. Sure, when it great to authenticate
envelope senders when it works, but:

- when used in combination with mailing list, plain message
forwarding etc. it will break with false positive, marking
(for example) this perfectly valid message of mine as a fake.
See https://en.wikipedia.org/wiki/Sender_Policy_Framework#FAIL_and_forwarding

This is the reason why you can only really use it for "SPF OK"
validation - "SPF FAIL" does not really tell you anything, as it
will happen as often for forged senders, as for valid senders.

This is why it will often end as "?all" or "~all" and not "-all"
(and/or soft DMARC policies)

- Also, envelope sender (on which SPF operates) is something
completely different thing from header "From:" which is what vast
majority of users will see, so it does not provide protection which
one might expect.
See https://en.wikipedia.org/wiki/Sender_Policy_Framework#Header_limitations

And this makes "SPF OK" much less useful then it sounds in theory.

- Then there are misconfigurations (hitting limit of max 10 DNS
lookups, SPF records which were setup once but not kept up-to-date,
etc).

Thus, SPF is IMHO not very usable for scoring on its own, but it does
have a useful purpose for creating custom SA rules and is often very
usable for short circuiting with whitelist_auth.

> Surely no one who cares about maintaining their reputation by protecting themselves against spoofing would fail to provide SPF records...

For example, I do not provide it on my few other e-mail accounts by
choice (especially most of them which deal with many mailing lists,
or with users which use non-SRS e-mail forwarding), as mere existence
of SPF there causes much more damage then the potential help it
brings.

> So how is this score arrived at?

That, I am not sure. Perhaps how well it is an indicator on
ham/spam corpuses run to determine scores in general in SA?

> And of Ham, how much of it has a valid SPF?

For my recent hams, I get this:

714 SPF_PASS=
128 SPF_NONE=
67 SPF_NEUTRAL_ALL=
9 SPF_FAIL=
1 SPF_SOFTFAIL=

So, about 1 message in 7 hams does not have SPF.

> And of Spam, how much of it lacks a valid SPF?

For recent spams that reach any kind of mailbox here (eg. not
hitting very-safe RBLs, and not having very high SA scores - ie.
having at least a minimum of potential for being misclassified
non-spam):

2291 SPF_PASS=
667 SPF_SOFTFAIL=
472 SPF_NONE=
353 SPF_FAIL=
154 SPF_NEUTRAL_ALL=
129 SPF_PERMERROR=
53 SPF_NEUTRAL=
17 SPF_TEMPERROR=

So, about 1 message in 9 spams does not have SPF.

In summary, there does not seem to be big difference between
adoption of SPF in spammers as opposed to legitimate users

--
Opinions above are GNU-copylefted.

>> So how is this score arrived at?

I believe that scores of 0.001 are generally manually set, and not intended
to be anything other than a visible marker that the rule hit. That is
probably the case here.

Loren

On 2021-11-30 at 13:47:36 UTC-0500 (Tue, 30 Nov 2021 11:47:36 -0700)
Philip Prindeville <philipp_subx@redfish-solutions.com>
is rumored to have said:

> Hi,
>
> I'm looking at the 0.001 scoring for SPF_NONE and scratching my head.
> This was discussed a bit in early 2015, but maybe it needs revisiting
> with new perspective.
>
> Surely no one who cares about maintaining their reputation by
> protecting themselves against spoofing would fail to provide SPF
> records...

Surely no one who cares about the security of their email would run
their own on-premises Exchange...

Having started my sysadmin career less than 30 years ago, I never have
been exposed to an Internet where the dominant visible feature of my
fellow admins has been operational competence. We're all a bunch of
bozos making stupid mistakes...

> So how is this score arrived at?

In theory, it is set in concert with all of the other default rules by
periodic analyses of the scoring of spam and ham corpora submitted by
members of the SA community. As a 'network' rule, it is only included in
analysis weekly.

In practice, it is nailed down at a tiny non-zero value because
otherwise it would not be "good enough" to publish and demand has been
expressed for its publication.

> And of Ham, how much of it has a valid SPF?

Recently: 90.1202%

> And of Spam, how much of it lacks a valid SPF?

Recently: 65.3614%

> Has anyone run some numbers?

Yes. See https://ruleqa.spamassassin.org/. The numbers above are drawn
from the last "network masscheck" accessible there.


--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

Hellow Greg,

Greg Troxel <gdt@lexort.com> writes:

> [...]
> Lots of people think SPF is silly. And spammers spamming from a domain
> they control can even dkim/dmarc. So I agree that actual data would be
> interesting.

I totally agree with you, thanks!

Sincerely, Byung-Hee

--
^????? _????_ ?????_^))//

On 2021-11-30 12:24, Greg Troxel wrote:
> Lots of people think SPF is silly. And spammers spamming from a domain
> they control can even dkim/dmarc.

Domain based reputation is an extremely powerful tool, but it is only
useful when you know the actual sender of a message. The benefit isn't
in blocklisting, it is enabling legitimate mail to get through while you
can filter more aggressively.

This applies a lot less to smaller operations as you really need a large
amount of data (and the skills to use it), but even at small scales
being able to bypass spam filters for mail you know you want is
incredibly useful, especially when you want mail from a particular
company even though they use a garbage ESP or service provider that you
would really rather block.