Mailing List Archive

Blacklisting Bad SPF Records
I have read many comments by the nay-sayers of SPF of how it would be
possible for spammers to use disposable domains and other such tricks to
achieve their aims and use SPF to their benefit.

Spam policies seem to bless SPF validated domains with lower spam scores
but despite this I have not seen this kind of abuse once in all the
months that I have been running SPF checks on my servers.

That said - something that I am noticing is spammers taking advantage of
very open SPF policies of some domains. Some as bad as +all!
Often the spammers are using completely random local parts on the
mail-from addresses so no one at the offending domain is subjected to
the backscatter produced. The domains involved are often being run by
inexperienced admins - who would not be the type of people to pore over
their server logs.

So my question:
How do we go about both educating the naive admins as well as
encouraging them to make their records more focused and less prone to abuse?

Blacklisting based on the domain is the first thing that comes to mind -
but I am not convinced that it is an ideal solution. Many of the current
RBLs have continuous problems dictating their policies for 'where the
line is drawn' and then trying to implement that without making both
senders and receivers of mail rather annoyed.
--


Graham Beneke
Apolix Internet Services

E-Mail/MSN/Jabber: graham@apolix.co.za
Cell: 082-432-1873 (+27824321873)
Skype: grbeneke
WEB: http://www.apolix.co.za/

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=735
Re: Blacklisting Bad SPF Records
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Graham Beneke wrote:
> [...]
> That said - something that I am noticing is spammers taking advantage of
> very open SPF policies of some domains. Some as bad as +all!
> [...]
> How do we go about both educating the naive admins as well as
> encouraging them to make their records more focused and less prone to
> abuse?
>
> Blacklisting based on the domain is the first thing that comes to mind -
> but I am not convinced that it is an ideal solution. Many of the current
> RBLs have continuous problems dictating their policies for 'where the
> line is drawn' and then trying to implement that without making both
> senders and receivers of mail rather annoyed.

I think dynamic domain-based reputation systems with good feedback/
complaint features are the solution. If a domain authorizes "the world" to
send mail on their behalf, any abuse of that authorization is their
problem. However, as long as reputation systems refrain from pronouncing
"death penalties" (i.e. _permanent_ blacklistings), a domain owner will
always have the chance to fix their sender policy and regain a good
reputation.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF6qhlwL7PKlBZWjsRAuAHAJ9CoJPyKISBOStv49Wv1vIb/SI0rgCg8WCf
/FTc041ey4duoOIczBYx4xk=
=rGxK
-----END PGP SIGNATURE-----

Re: Blacklisting Bad SPF Records
Graham Beneke wrote:

> Spam policies seem to bless SPF validated domains with lower spam
> scores but despite this I have not seen this kind of abuse once
> in all the months that I have been running SPF checks on my servers.

Sooner or later it will happen. A radical idea would be to rename
FAIL to REJECT (please), and PASS to MAY BOUNCE (if necessary), but
of course it's too late for this, and it won't work for HELO PASS,
let alone for the useless (if from an unknown stranger) PRA PASS.

> So my question:
> How do we go about both educating the naive admins as well as
> encouraging them to make their records more focused and less prone
> to abuse?

Maybe policy validators could determine how many IPs (in percent of
the IPv4 space) are permitted by a policy, and flag anything with
more than 1% as "probably too broad to be really useful".

> Blacklisting based on the domain is the first thing that comes to
> mind - but I am not convinced that it is an ideal solution.

Nor me; spammers have almost endless resources of disposable domains.
I've no idea what to do with a case like bell.ca, "write to their
postmaster" sounds silly.

Frank

bell.ca text = "v=spf1 mx ip4:198.235.69.10 ip4:198.235.69.45
ip4:198.235.69.46 ip4:206.47.0.168 ip4:206.47.0.173
ip4:206.47.0.177 ip4:207.236.237.0/25 ip4:67.70.214.43
ip4:216.18.99.22 ip4:69.156.197.234 ip4:66.241.131.163 +all"


Re: Blacklisting Bad SPF Records
On Sunday 04 March 2007 05:31, Graham Beneke wrote:
> I have read many comments by the nay-sayers of SPF of how it would be
> possible for spammers to use disposable domains and other such tricks to
> achieve their aims and use SPF to their benefit.
>
> Spam policies seem to bless SPF validated domains with lower spam scores
> but despite this I have not seen this kind of abuse once in all the
> months that I have been running SPF checks on my servers.

This was done initially when SPF was deployed, but people learned better
quickly.

> That said - something that I am noticing is spammers taking advantage of
> very open SPF policies of some domains. Some as bad as +all!
> Often the spammers are using completely random local parts on the
> mail-from addresses so no one at the offending domain is subjected to
> the backscatter produced. The domains involved are often being run by
> inexperienced admins - who would not be the type of people to pore over
> their server logs.
>
> So my question:
> How do we go about both educating the naive admins as well as
> encouraging them to make their records more focused and less prone to
> abuse?

Help us make the web site better. Anyone can contribute.

> Blacklisting based on the domain is the first thing that comes to mind -
> but I am not convinced that it is an ideal solution. Many of the current
> RBLs have continuous problems dictating their policies for 'where the
> line is drawn' and then trying to implement that without making both
> senders and receivers of mail rather annoyed.

In the end, this is where I think things head, but with a scored reputation
basis rather than a binary blacklisted-or-not.

Re: Blacklisting Bad SPF Records
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frank Ellermann wrote:
> Maybe policy validators could determine how many IPs (in percent of
> the IPv4 space) are permitted by a policy, and flag anything with
> more than 1% as "probably too broad to be really useful".

I have been thinking about such a "specificity" metric in the past, but
gave up the idea as soon as I started thinking about "exists:" and "ptr:".

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF604wwL7PKlBZWjsRAobTAJ9jcXjXQSRKDIjnzMMtzA+Mr0lAbQCeLWpC
AVMNZSo72HB6PYYdy/EDbf8=
=/9lP
-----END PGP SIGNATURE-----

Re: Blacklisting Bad SPF Records
On Sun, 4 Mar 2007, Graham Beneke wrote:

> Blacklisting based on the domain is the first thing that comes to mind -
> but I am not convinced that it is an ideal solution. Many of the current
> RBLs have continuous problems dictating their policies for 'where the
> line is drawn' and then trying to implement that without making both
> senders and receivers of mail rather annoyed.

Pymilter tracks the shades of grey between blacklist and whitelist.
The reputation of each domain is tracked independently for each SPF result
(after rejecting FAIL). Currently, after 24 spams (and no hams) from a
disposable domain, that domain starts getting rejected. (Confidence
decays over time, eventually allowing a mail from the domain again.)

This is mainly an efficiency improvement. The spam/ham is decided by
a content filter (which is auto-trained based on whitelisted emails for ham
and blacklisted/honeypot emails for spam). By rejecting in SMTP envelope,
we save bandwidth, and there are far fewer entries in quarantine (making
finding the rare false positive much easier).

The piece that SPF brings to the equation is a way to assign "blame" for
the spam to domains rather than IPs.

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
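The scheme Stuart describes above (reputation per domain and per SPF result, rejection after 24 spams with no hams, confidence that decays so a domain can come back) as an added Python sketch. This is not pymilter's or GOSSiP's code; the threshold of 24 is the figure given in the thread, the -100..100 rating and 0..100 confidence scales follow Stuart's later description of GOSSiP in this thread, and the weekly half-life and the exact rating and confidence formulas are my assumptions.

```python
import time

# Domain reputation keyed by (domain, SPF result), sketched after the pymilter
# description in this thread. Added illustration, NOT pymilter's or GOSSiP's code.
# 24 spams-and-no-hams is the thread's figure; the half-life and the score
# formulas below are assumptions.

SPAM_REJECT_THRESHOLD = 24              # from the thread: 24 spams and no hams
HALF_LIFE_SECONDS = 7 * 24 * 3600       # assumed: evidence halves in weight every week


class DomainReputation:
    def __init__(self, threshold=SPAM_REJECT_THRESHOLD, half_life=HALF_LIFE_SECONDS):
        self.threshold = threshold
        self.half_life = half_life
        # (domain, spf_result) -> {"spam": float, "ham": float, "t": last update time}
        self._entries = {}

    def _entry(self, domain, spf_result, now, create):
        key = (domain.lower(), spf_result.lower())
        entry = self._entries.get(key)
        if entry is None:
            if not create:
                return None
            entry = self._entries[key] = {"spam": 0.0, "ham": 0.0, "t": now}
        # exponential decay: old verdicts lose weight, so a fixed domain can recover
        elapsed = now - entry["t"]
        if elapsed > 0:
            factor = 0.5 ** (elapsed / self.half_life)
            entry["spam"] *= factor
            entry["ham"] *= factor
            entry["t"] = now
        return entry

    def record(self, domain, spf_result, is_spam, now=None):
        """Feed back the content filter's verdict for one message from this domain."""
        now = time.time() if now is None else now
        entry = self._entry(domain, spf_result, now, create=True)
        entry["spam" if is_spam else "ham"] += 1.0

    def score(self, domain, spf_result, now=None):
        """Rating -100..100 (all spam .. all ham) and confidence 0..100; (0, 0) if unknown."""
        now = time.time() if now is None else now
        entry = self._entry(domain, spf_result, now, create=False)
        if entry is None:
            return 0, 0
        total = entry["spam"] + entry["ham"]
        if total == 0:
            return 0, 0
        rating = round(100.0 * (entry["ham"] - entry["spam"]) / total)
        confidence = round(100.0 * min(total, self.threshold) / self.threshold)
        return rating, confidence

    def should_reject(self, domain, spf_result, now=None):
        """SMTP-envelope decision: FAIL is rejected outright, otherwise consult reputation."""
        if spf_result.lower() == "fail":
            return True
        now = time.time() if now is None else now
        entry = self._entry(domain, spf_result, now, create=False)
        if entry is None:
            return False
        # "24 spams and no hams": fewer than one effective ham after decay counts as none
        return entry["ham"] < 1.0 and entry["spam"] >= self.threshold


if __name__ == "__main__":
    rep = DomainReputation()
    t0 = 1_000_000.0   # constructed timestamp so the run is reproducible
    for _ in range(SPAM_REJECT_THRESHOLD):
        rep.record("throwaway.example", "pass", is_spam=True, now=t0)
    print(rep.should_reject("throwaway.example", "pass", now=t0))                          # True
    print(rep.should_reject("throwaway.example", "pass", now=t0 + 5 * HALF_LIFE_SECONDS))  # False
```

Keying on the SPF result as well as the domain matters: a PASS from a domain is evidence the domain owner takes responsibility for, while a NEUTRAL or SOFTFAIL is much weaker blame, so the two must not share a counter.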

Re: Blacklisting Bad SPF Records
Julian Mehnle wrote:

> gave up the idea as soon as I started thinking about
> "exists:" and "ptr:".

You could exclude policies using these advanced features.

Another idea I had: SPF policies permitting private or
broadcast IPs are utterly dubious, if a policy permits say
127.255.255.255 there could be a warning or a note.

Frank
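Frank's two suggestions in this thread (flag a policy that permits more than 1% of the IPv4 space, excluding policies that use "exists:" or "ptr:", and warn about private or broadcast addresses) as an added Python example. This is not code from Frank or from any real SPF validator: it only evaluates "ip4:" mechanisms and "+all" statically, so mechanisms that need DNS ("a", "mx", "include:", "ip6:", "redirect=") are not counted and the result is a lower bound; the function name, the 1% default, and the sample records other than the bell.ca record quoted above are my own.

```python
import ipaddress

# Added illustration of a static SPF "breadth" check; not any validator's real code.
# Counts 'ip4:' mechanisms and '+all' only; 'a', 'mx', 'include:', 'ip6:' and
# 'redirect=' need DNS and are skipped, so the figure is a lower bound.
# Records using 'exists:' or 'ptr:' are reported as uncomputable, as Frank suggested.

IPV4_SPACE = 2 ** 32

# The bell.ca record quoted earlier in this thread (sample input).
BELL_CA = (
    "v=spf1 mx ip4:198.235.69.10 ip4:198.235.69.45 ip4:198.235.69.46 "
    "ip4:206.47.0.168 ip4:206.47.0.173 ip4:206.47.0.177 ip4:207.236.237.0/25 "
    "ip4:67.70.214.43 ip4:216.18.99.22 ip4:69.156.197.234 ip4:66.241.131.163 +all"
)


def _non_routable(net):
    """True for private, loopback, link-local, multicast, reserved or unspecified ranges."""
    return (net.is_private or net.is_loopback or net.is_link_local
            or net.is_multicast or net.is_reserved or net.is_unspecified)


def assess_breadth(record, threshold_pct=1.0):
    """Describe how much of IPv4 the record permits; threshold_pct is Frank's 1% figure."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")

    permitted_nets = []
    notes = []
    uncomputable = False

    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            if qualifier == "+":
                notes.append("'+all' permits every address")
                permitted_nets.append(ipaddress.ip_network("0.0.0.0/0"))
        elif name in ("exists", "ptr"):
            uncomputable = True
            notes.append(f"'{name}:' mechanism present; breadth cannot be computed statically")
        elif name == "ip4" and qualifier == "+":
            net = ipaddress.ip_network(arg, strict=False)
            permitted_nets.append(net)
            if _non_routable(net):
                notes.append(f"'ip4:{arg}' permits a non-routable range")
        # a, mx, include, ip6 and redirect= are not evaluated in this static check

    # collapse overlapping networks so that duplicated ranges are not counted twice
    permitted = sum(n.num_addresses for n in ipaddress.collapse_addresses(permitted_nets))
    percent = 100.0 * permitted / IPV4_SPACE
    return {
        "permitted": permitted,
        "percent": percent,
        "too_broad": percent > threshold_pct,
        "uncomputable": uncomputable,
        "notes": notes,
    }


if __name__ == "__main__":
    # second record is constructed to trigger Frank's private/loopback warning
    for rec in (BELL_CA, "v=spf1 ip4:10.0.0.0/8 ip4:127.255.255.255 -all"):
        result = assess_breadth(rec)
        print(f"{result['percent']:.4f}% of IPv4, too_broad={result['too_broad']}")
        for note in result["notes"]:
            print("  -", note)
```

On the bell.ca record the "+all" dominates everything else and the check reports 100% of the address space; a 10.0.0.0/8 entry by contrast is only about 0.39%, under the 1% line, but still earns a non-routable warning.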


Re: Blacklisting Bad SPF Records
Stuart D. Gathman wrote:
> On Sun, 4 Mar 2007, Graham Beneke wrote:
>
> The piece that SPF brings to the equation is a way to assign "blame" for
> the spam to domains rather than IPs.
>
Was just thinking about these implications today...
In IP blacklisting there are often 3rd parties that get "caught in the
crossfire" so to speak - particularly on shared hosting servers which
are quite prevalent. Whereas when an SPF domain gets abused (either due
to throw-away domains or a weak policy) the blame is directly assignable
and will not affect users outside of the administrative umbrella of that
domain.

Come to think of it a public domain based reputation list (both black
and white) may actually be very effective. When a domain gets listed for
abuse and the admin comes back and says "but we never sent that mail" as
is so common with spoofed mail - we have the protection that we can say
"you have explicitly taken responsibility for mail from those IP
addresses and you must either fix your servers or exclude the machines
from your SPF record".

Are there any public domain based reputation lists? Or would anyone be
interested in working on setting one up?

Graham Beneke

Re: Blacklisting Bad SPF Records
On Mon, 5 Mar 2007, Graham Beneke wrote:

> Are there any public domain based reputation lists? Or would anyone be
> interested in working on setting one up?

Based on what happened to spamcop, there is a legal risk to any
public blacklist. I wouldn't want to make my GOSSiP data public.

GOSSiP provides a rating from -100..100, and a confidence from 0..100.

The current protocol is a tcp connection. It could be made more efficient
as a UDP protocol.

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

Re: Blacklisting Bad SPF Records
On Monday 05 March 2007 16:49, Stuart D. Gathman wrote:
> On Mon, 5 Mar 2007, Graham Beneke wrote:
> > Are there any public domain based reputation lists? Or would anyone be
> > interested in working on setting one up?
>
> Based on what happened to spamcop, there is a legal risk to any
> public blacklist. I wouldn't want to make my GOSSiP data public.
>
I'd suggest working with an existing RBL provider because they will have the
legal structure in place.

Scott K
