Mailing List Archive

The spammers are using +all
The spammers are registering mail domains and setting +all SPF records. Then the bots can push the spam through.

oh noes.

why was +all allowed to be in there?

-------------------------------------------
-----------------------------------------------------------------------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?list_id=735
Powered by Listbox: http://www.listbox.com
Re: The spammers are using +all
Troy Fuqua wrote:
> The spammers are registering mail domains and setting +all SPF records. Then the bots can push the spam through.

Push the spam through what? Why would you accept mail just because it
passes an SPF check?

> oh noes.
>
> why was +all allowed to be in there?

Same reason why ip4:0/0 was.


Daryl

Re: The spammers are using +all
On Wednesday 05 September 2007 23:56, Troy Fuqua wrote:
> The spammers are registering mail domains and setting +all SPF records.
> Then the bots can push the spam through.
>
> oh noes.
>
> why was +all allowed to be in there?

Why would you accept mail just because it has an SPF Pass? All SPF Pass means
is that the domain owner authorized the server to send mail. It says nothing
about if the mail is spam or not. SPF Pass can give you a useful name to use
for name based whitelisting.

The converse, however, mail that fails SPF does tend to have a pretty strong
correlation with SPAM.

+all was allowed because there's no point in not allowing it. It is easy
enough to craft an SPF record that matches the entire internet, but does not
obviously do so. Removing +all would have created a special case that would
have made programming SPF libraries more complex and provided no actual
benefit.

Scott K

Re: The spammers are using +all
On 06/09/07, Troy Fuqua <troy@visiblepulse.com> wrote:
> The spammers are registering mail domains and setting +all SPF records. Then the bots can push the spam through.
>
> oh noes.
>
> why was +all allowed to be in there?

So you can be sure that the mail you're receiving is authorised by the
domain that's sending it. Same as all the other mechanisms.

The question you should be asking is why you trust mail that is
authorised by bigspammer.com. The simple fact of an SPF PASS is only
really useful when used in conjunction with a reputation system based
on domain (check out www.karmasphere.com for one such), or simply on
whether you want to receive the mail (a local whitelist).

--
Peter Bowyer
Email: peter@bowyer.org

Re: The spammers are using +all
Ok, I see now. Not too long ago, spf was identifying spam based on the SPFPass. They were spoofing their from. Now, I am seeing more commercial spam coming from bots with a from domain using a +all spf.

I still use SPFPass to disqualify some other spam checks. Server checks the From address to be sure it exists on the server. If it doesn't exist, it's either spoofed or it is a sender without a reply email (a web app - a forum)

More and more forums have installed spf records. So I can use the SPFPass to disqualify the non-existent From check.

If Header contains X-VALFROM AND Header does not contain X-SPFPass Then mark as spam.


I am now doing some log statistics on all +all records found. All of the MAIL FROM domains look like commercial spam domains. I am testing the addition of these MAIL FROM domains to my server's kill list.

All of these had +all spf records.



--troy



---------- Original Message ----------------------------------
From: "Peter Bowyer" <peter@bowyer.org>
Reply-To: spf-discuss@v2.listbox.com
Date: Thu, 6 Sep 2007 09:15:51 +0100

>On 06/09/07, Troy Fuqua <troy@visiblepulse.com> wrote:
>> The spammers are registering mail domains and setting +all SPF records. Then the bots can push the spam through.
>>
>> oh noes.
>>
>> why was +all allowed to be in there?
>
>So you can be sure that the mail you're receiving is authorised by the
>domain that's sending it. Same as all the other mechanisms.
>
>The question you should be asking is why you trust mail that is
>authorised by bigspammer.com. The simple fact of an SPF PASS is only
>really useful when used in conjunction with a reputation system based
>on domain (check out www.karmasphere.com for one such), or simply on
>whether you want to receive the mail (a local whitelist).
>
>--
>Peter Bowyer
>Email: peter@bowyer.org
>

Re: The spammers are using +all
Not only are the spammers using +all, but the more clever ones are using
several ip4 mechanisms with very broad CIDR specifications so that when
you put them all together, they end up being ip4:0.0.0.0/0.

While one can detect a Pass being returned by +all easily, doing so with
an aggregate of ip4's is far more difficult.

--Marc
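Scott's remark that a record can match the entire internet without obviously doing so, and Marc's variant of stacking broad ip4 ranges, as an added Python example that is not from the list or from any SPF library: it collapses the ip4: ranges a record passes outright and reports what fraction of IPv4 space they cover, so a "+all in disguise" scores the same as a literal +all. The knology.net record is the one Scott quotes in this thread; the other two records are constructed, and a, mx, include and redirect are not resolved (no DNS), so the figure is an offline lower bound.

```python
import ipaddress
import re

# Constructed sample records (not live DNS data). The knology.net record is the
# one Scott quotes on the list; the other two are made-up illustrations.
SAMPLE_RECORDS = {
    "knology.net": ("v=spf1 mx ip4:24.214.63.101 ip4:24.214.5.254 ip4:24.214.63.226 "
                    "ip4:24.214.63.228 ip4:24.214.63.230 ip4:69.73.24.0/24 -all"),
    "plusall.example": "v=spf1 +all",
    # Four broad ranges that together cover every IPv4 address, but never say +all
    "sneaky.example": "v=spf1 ip4:0.0.0.0/1 ip4:128.0.0.0/2 ip4:192.0.0.0/3 ip4:224.0.0.0/3 ~all",
}

TERM = re.compile(r"([+\-~?]?)(ip4|all)(?::(\S+))?")

def ip4_coverage(record: str) -> float:
    """Fraction of IPv4 space that the record passes outright.

    Counts ip4: mechanisms with a pass qualifier ('+' or none) and returns 1.0
    as soon as a pass-qualified 'all' is seen. a, mx, include and redirect need
    DNS lookups and are ignored here, so the result is an offline lower bound.
    """
    nets = []
    for term in record.split()[1:]:          # skip the 'v=spf1' version tag
        m = TERM.fullmatch(term)
        if m is None:
            continue                         # mx, a, include, redirect=...: not counted
        qualifier, mechanism, argument = m.groups()
        if qualifier not in ("", "+"):       # -, ~ and ? do not grant a Pass
            continue
        if mechanism == "all":
            return 1.0
        if not argument:
            continue
        try:
            nets.append(ipaddress.IPv4Network(argument, strict=False))
        except ValueError:
            continue                         # malformed term: skip rather than crash
    if not nets:
        return 0.0
    covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return covered / 2 ** 32

def passes_everything(record: str, threshold: float = 0.99) -> bool:
    """True when the record authorises (almost) the whole internet, whether it
    does so with +all or by stacking broad ip4 ranges."""
    return ip4_coverage(record) >= threshold
```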

Re: The spammers are using +all
On Thursday 06 September 2007 12:50, Marc Chametzky wrote:
> Not only are the spammers using +all, but the more clever ones are using
> several ip4 mechanisms with very broad CIDR specifications so that when
> you put them all together, they end up being ip4:0.0.0.0/0.
>
> While one can detect a Pass being returned by +all easily, doing so with
> an aggregate of ip4's is far more difficult.
>
Which is the exact answer to why there isn't a special rule to disallow +all.

BTW, not all (or even most - or even any of the ones I checked) of the
domains you said were +all in your last message have +all.

knology.net is one good example:

knology.net. 33145 IN TXT "v=spf1 mx ip4:24.214.63.101
ip4:24.214.5.254 ip4:24.214.63.226 ip4:24.214.63.228 ip4:24.214.63.230
ip4:69.73.24.0/24 -all"

From what I can tell they are NOT a spammer domain.

I do think you need to slow down and examine your assumptions and your code
before you start throwing accusations around.

Scott K

Re: The spammers are using +all
On Thu, 6 Sep 2007, Marc Chametzky wrote:

> Not only are the spammers using +all, but the more clever ones are using
> several ip4 mechanisms with very broad CIDR specifications so that when
> you put them all together, they end up being ip4:0.0.0.0/0.

+all is fine. The domain gets blacklisted by reputation after 20 spams,
and gets rejected in MAIL FROM from then on. Spammers that identify
themselves (even with a short lived domain) are not a big problem.
You could even call them "honest" spammers.

The forgeries are the problem. It is a lot more dangerous to reject mail
claiming to be from "bigcustomer.com" just because it looks spammy to your
software.

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
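Peter's point that an SPF Pass is only useful together with a domain reputation system or a local whitelist, and Stuart's that a self-identifying domain simply gets blacklisted after 20 spams and rejected at MAIL FROM thereafter, as one added Python example that is not code from the list or from any MTA: a per-domain spam counter that only updates on an SPF Pass, so forgeries of "bigcustomer.com" cannot poison the real domain's reputation. The threshold of 20 is Stuart's figure; the whitelist, the decision strings and all domain names are assumptions.

```python
from collections import Counter

class DomainReputation:
    """Spam counter keyed on the SPF-authenticated MAIL FROM domain.

    The threshold of 20 spams is the figure Stuart gives; the whitelist,
    the return values and the domain names below are assumptions.
    """

    def __init__(self, threshold: int = 20, whitelist=()):
        self.threshold = threshold
        self.whitelist = {d.lower() for d in whitelist}
        self.spam_counts = Counter()

    def record_verdict(self, domain: str, spf_result: str, is_spam: bool) -> None:
        """Feed back the content filter's verdict on a delivered message.

        Only an SPF Pass ties the message to the domain. On Fail/None/etc. the
        sender may be forged, so the domain's reputation is left untouched."""
        if spf_result == "pass" and is_spam:
            self.spam_counts[domain.lower()] += 1

    def mail_from_decision(self, domain: str, spf_result: str) -> str:
        """Decision at MAIL FROM time: 'accept' (skip content checks),
        'reject' (blacklisted by reputation) or 'continue' (run the usual
        checks). A Pass from a domain you know nothing about proves nothing."""
        d = domain.lower()
        if spf_result != "pass":
            return "continue"        # non-Pass results are the SPF policy's business
        if d in self.whitelist:
            return "accept"
        if self.spam_counts[d] >= self.threshold:
            return "reject"
        return "continue"

def simulate() -> tuple:
    """Constructed traffic: a self-identifying spammer domain, forgeries of a
    legitimate domain, and a whitelisted partner."""
    rep = DomainReputation(threshold=20, whitelist=["partner.example"])
    for _ in range(20):              # 20 authenticated spams from a +all domain
        rep.mail_from_decision("bigspammer.example", "pass")
        rep.record_verdict("bigspammer.example", "pass", is_spam=True)
    spammer = rep.mail_from_decision("bigspammer.example", "pass")
    for _ in range(25):              # 25 forgeries of bigcustomer.example fail SPF
        rep.record_verdict("bigcustomer.example", "fail", is_spam=True)
    customer = rep.mail_from_decision("bigcustomer.example", "pass")
    partner = rep.mail_from_decision("partner.example", "pass")
    return spammer, customer, partner, rep.spam_counts["bigcustomer.example"]
```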

Re: The spammers are using +all
FYI:

knology.net is a CLEC/ISP/Cable company, much like RCN
and other next generation cable companies that started
selling bundled voice, cable TV, and Internet, long before Comcast
or SBC started doing it.


Regards,

Brian Campbell

>From: Scott Kitterman <scott@kitterman.com>
>Reply-To: spf-discuss@v2.listbox.com
>To: spf-discuss@v2.listbox.com
>Subject: Re: [spf-discuss] The spammers are using +all
>Date: Thu, 6 Sep 2007 13:11:08 -0400
>
>On Thursday 06 September 2007 12:50, Marc Chametzky wrote:
> > Not only are the spammers using +all, but the more clever ones are using
> > several ip4 mechanisms with very broad CIDR specifications so that when
> > you put them all together, they end up being ip4:0.0.0.0/0.
> >
> > While one can detect a Pass being returned by +all easily, doing so with
> > an aggregate of ip4's is far more difficult.
> >
>Which is the exact answer to why there isn't a special rule to disallow
>+all.
>
>BTW, not all (or even most - or even any of the ones I checked) of the
>domains you said were +all in your last message have +all.
>
>knology.net is one good example:
>
>knology.net. 33145 IN TXT "v=spf1 mx
>ip4:24.214.63.101
>ip4:24.214.5.254 ip4:24.214.63.226 ip4:24.214.63.228 ip4:24.214.63.230
>ip4:69.73.24.0/24 -all"
>
>From what I can tell they are NOT a spammer domain.
>
>I do think you need to slow down and examine your assumptions and your code
>before you start throwing accusations around.
>
>Scott K
>

