Ok, i see now. Not too long ago, spf was identifying spam based on the SPFPass. They were spoofing their from. Now, I am seeing more commercial spam coming from bots with a from domain using a +all spf.
I still use SPFPass to disqualify some other spam checks. Server checks the From address to be sure it exists on the server. If it doesn't exist, it's either spoofed or it is a sender without a reply email (a web app - a forum)
More and more forums have installed spf records. So I can use the SPFPass to disqualify the non-existant From check.
If Header contains X-VALFROM AND Header does not contain X-SPFPass Then mark as spam.
I am now doing some log statistics on all +all records found. All of the MAIL FROM domains look like commercial spam domains. I am testing the addition of these MAIL FROM domains to my server's kill list.
All of these had +all spf records.
@24zoom.de
@beted.com
@brokenframes.net
@chathasen.de
@domain136.com
@euroservis.de
@fayar.net
@from-japan.net
@gambo-ad.com
@iait.de
@japan-bio.com
@justice.gc.ca
@karldewazien.com
@k-seek.com
@leftbank.uk.com
@mccormick.ie
@nema.de
@racesimulations.com
@yopboy.com
@zcard.com
mg@knology.net
@johangronborg.com
@fordasc.com
@donofrocarroll.com
@egyptmotorsport.com
@greatestcleveland.com
@karenscustomjewelry.com
@atdatarecovery.com
@condfederateyankee.com
@worldandimag.com
@muziekschoolheemskerk.com
@tagagiant.com
@usaevoter.com
@applyonjohn.com
@capecoralrehab.com
@diversityrecordsltd.com
@emagineatlanta.com
@faroutclassics.com
@josiebailbond.com
@krattan.com
@maecontract.com
@micamcmullen.com
@militarycomm.com
@powaymufflerbrake.com
@regeur.com
@romayaesf.com
@skshbuffer.com
@theridenourco.com
@yihaifeed.com
--troy
---------- Original Message ----------------------------------
From: "Peter Bowyer" <peter@bowyer.org>
Reply-To: spf-discuss@v2.listbox.com
Date: Thu, 6 Sep 2007 09:15:51 +0100
>On 06/09/07, Troy Fuqua <troy@visiblepulse.com> wrote:
>> The spammers are registering mail domains and setting +all SPF records. Then the bots can push the spam through.
>>
>> oh noes.
>>
>> why was +all allowed to be in there?
>
>So you can be sure that the mail you're receiving is authorised by the
>domain that's sending it. Same as all the other mechanisms.
>
>The question you should be asking is why you trust mail that is
>authorised by bigspammer.com. The simple fact of an SPF PASS is only
>really useful when used in conjunction with a reputation system based
>on domain (check out www.karmasphere.com for one such), or simply on
>whether you want to receive the mail (a local whitelist).
>
>--
>Peter Bowyer
>Email: peter@bowyer.org
>
>-------------------------------------------
>-----------------------------------------------------------------------
>Sender Policy Framework: http://www.openspf.org/
>Archives at http://archives.listbox.com/spf-discuss/current/
>To unsubscribe, change your address, or temporarily deactivate your
>subscription,
>please go to http://v2.listbox.com/member/?list_id=735
>Powered by Listbox: http://www.listbox.com
>
-------------------------------------------
-----------------------------------------------------------------------
Sender Policy Framework:
http://www.openspf.org/ Archives at
http://archives.listbox.com/spf-discuss/current/ To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to
http://v2.listbox.com/member/?list_id=735 Powered by Listbox:
http://www.listbox.com