Mailing List Archive

ram wrote:
> Hi,
> I have been using SPF with spamassasin for my mailservers.
> Unfortunately far too many domains do not put up SPF records. In order
> to combat forged spams I plan to implement Domain keys too ( perl DK
> plugin for SA)

Assuming that you're using a non-ancient version of SA and can install a
current version of Mail::DKIM, you are far better off using the DKIM
plugin instead of the DK plugin.

Daryl

-------------------------------------------
-----------------------------------------------------------------------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?list_id=735
Powered by Listbox: http://www.listbox.com

On Thursday 24 May 2007 01:03, ram wrote:
> Hi,
> I have been using SPF with spamassasin for my mailservers.
> Unfortunately far too many domains do not put up SPF records. In order
> to combat forged spams I plan to implement Domain keys too ( perl DK
> plugin for SA)
> Personally I dont see too much value in DK but I am surprised quiet a
> few people do use DK
>
> http://news.com.com/2100-1029_3-6185904.html
>
>
> Anyone of you using SPF and DK together. What are the problems I should
> look out for ? Or is DK going to give me any real improvement
>
>
The only way DK/DKIM is really going to be useful to you, I think, is if a
domain asserts that it signs all messages throught the DK (or as yet
unwritten) DKIM policy components. AFAIK, none do.

I've not looked into the Spamassassin implementation, but I'd imagine tagging
messages from known signers such as Yahoo! that didn't have a signature might
be useful.

Scott K

-------------------------------------------
-----------------------------------------------------------------------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?list_id=735
Powered by Listbox: http://www.listbox.com

Scott Kitterman wrote:
> On Thursday 24 May 2007 01:03, ram wrote:
>
>> Hi,
>> I have been using SPF with spamassasin for my mailservers.
>> Unfortunately far too many domains do not put up SPF records. In order
>> to combat forged spams I plan to implement Domain keys too ( perl DK
>> plugin for SA)
>> Personally I dont see too much value in DK but I am surprised quiet a
>> few people do use DK
>>
>> http://news.com.com/2100-1029_3-6185904.html
>>
>>
>> Anyone of you using SPF and DK together. What are the problems I should
>> look out for ? Or is DK going to give me any real improvement
>>

DKIM should give you some improvement in autentication reliability if
you receive any mail through a forwarder. For legacy reasons, much of
my home email is forwarded from my college alumni address; all of these
messages have broken SPF but would potentially pass DKIM if they were
signed.
>>
>>
> The only way DK/DKIM is really going to be useful to you, I think, is if a
> domain asserts that it signs all messages throught the DK (or as yet
> unwritten) DKIM policy components. AFAIK, none do.
>

We see some domains using the DK policy mechanism, but it's not useful
for us because we're verifying DKIM and not DK. But it is true that SPF
includes a policy mechanism that is currently lacking from DKIM.
> I've not looked into the Spamassassin implementation, but I'd imagine tagging
> messages from known signers such as Yahoo! that didn't have a signature might
> be useful.
>

I haven't looked into the Spamassassin implementation either, but a
useful capability would be to allow creation of a local whitelist of
known reliable domains. If messages coming from one of these domains is
authenticated (using whatever technology), give it a positive score or
bypass content filtering entirely. This doesn't require the use of any
policy mechanism, and helps with the false positives problem.

-Jim

-------------------------------------------
-----------------------------------------------------------------------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?list_id=735
Powered by Listbox: http://www.listbox.com

Jim Fenton wrote:
> Scott Kitterman wrote:

>> I've not looked into the Spamassassin implementation, but I'd imagine tagging
>> messages from known signers such as Yahoo! that didn't have a signature might
>> be useful.

We're considering doing this for a few domains (eBay comes to mind) once
we have reliable confirmation that the domains both (i) think they want
us to do it, and (ii) are reliably signing things so we can do it
without creating a support nightmare for us because of problems at the
signing domain.


> I haven't looked into the Spamassassin implementation either, but a
> useful capability would be to allow creation of a local whitelist of
> known reliable domains. If messages coming from one of these domains is
> authenticated (using whatever technology), give it a positive score or
> bypass content filtering entirely. This doesn't require the use of any
> policy mechanism, and helps with the false positives problem.

We've done this since day one for DKIM, a couple years ago for SPF and
recently for DK (I was hoping it would die faster).

SA 3.2.0 also includes a "whitelist_auth" option that allows you to
whitelist based on DKIM/DK/SPF without the user having to know which of
DKIM/DK/SPF the domain uses.


Daryl

-------------------------------------------
-----------------------------------------------------------------------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?list_id=735
Powered by Listbox: http://www.listbox.com

On Thursday 24 May 2007 13:38, Jim Fenton wrote:
> Scott Kitterman wrote:
> > On Thursday 24 May 2007 01:03, ram wrote:
> >> Hi,
> >> I have been using SPF with spamassasin for my mailservers.
> >> Unfortunately far too many domains do not put up SPF records. In order
> >> to combat forged spams I plan to implement Domain keys too ( perl DK
> >> plugin for SA)
> >> Personally I dont see too much value in DK but I am surprised quiet a
> >> few people do use DK
> >>
> >> http://news.com.com/2100-1029_3-6185904.html
> >>
> >>
> >> Anyone of you using SPF and DK together. What are the problems I should
> >> look out for ? Or is DK going to give me any real improvement
>
> DKIM should give you some improvement in autentication reliability if
> you receive any mail through a forwarder. For legacy reasons, much of
> my home email is forwarded from my college alumni address; all of these
> messages have broken SPF but would potentially pass DKIM if they were
> signed.

Agreed. I see potential in this kind of approach, the trick being exactly how
to combine the two.

I am currently wrestling with coding integration of SPF HELO and Mail From
checking and that's hard enough.

There's some good work to be done on this.

Scott K

-------------------------------------------
-----------------------------------------------------------------------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?list_id=735
Powered by Listbox: http://www.listbox.com

On Thu, 2007-05-24 at 17:59 -0400, Scott Kitterman wrote:
> On Thursday 24 May 2007 13:38, Jim Fenton wrote:
> > Scott Kitterman wrote:
> > > On Thursday 24 May 2007 01:03, ram wrote:
> > >> Hi,
> > >> I have been using SPF with spamassasin for my mailservers.
> > >> Unfortunately far too many domains do not put up SPF records. In order
> > >> to combat forged spams I plan to implement Domain keys too ( perl DK
> > >> plugin for SA)
> > >> Personally I dont see too much value in DK but I am surprised quiet a
> > >> few people do use DK
> > >>
> > >> http://news.com.com/2100-1029_3-6185904.html
> > >>
> > >>
> > >> Anyone of you using SPF and DK together. What are the problems I should
> > >> look out for ? Or is DK going to give me any real improvement
> >
> > DKIM should give you some improvement in autentication reliability if
> > you receive any mail through a forwarder. For legacy reasons, much of
> > my home email is forwarded from my college alumni address; all of these
> > messages have broken SPF but would potentially pass DKIM if they were
> > signed.
>
> Agreed. I see potential in this kind of approach, the trick being exactly how
> to combine the two.
>
> I am currently wrestling with coding integration of SPF HELO and Mail From
> checking and that's hard enough.
>
> There's some good work to be done on this.
>
> Scott K

What MTA are you using. If you find any good implementation of SPF for
postfix please let me know. I have written my own milter (not-yet-live)
but I am looking for some ready tool

Thanks
Ram




-------------------------------------------
-----------------------------------------------------------------------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?list_id=735
Powered by Listbox: http://www.listbox.com