Mailing List Archive: Changing a "soft fail" into a hard fail

Changing a "soft fail" into a hard fail

Mar 9, 2009, 5:08 PM

Post #1 of 4 (7644 views)

Lately we've been getting a run of spam purporting to come from Hotmail
or Yahoo senders, and unfortunately both of these domains use "~all" in
their SPF records. Not one of these spam messages are originating from
the genuine hosts.

Received-SPF: Softfail (domain owner discourages use of this host)
identity=helo; client-ip=199.243.243.50;
helo=google.com; envelope-from=109imfbz1de@yahoo.ca;
receiver=receiver@example.com
Received: from google.com (cyginternet.cygnuscorp.com
[199.243.243.50])by smtp3.domain.com (Postfix) with ESMTP id
64BCB208091for <receiver@example.com>; Wed, 25 Feb 2009 06:15:13 +1100
(EST)

Is there a way of making SPF "enforce" a real fail on a per-domain
basis? I'm using postfix-policyd-spf-python.

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

Re: Changing a "soft fail" into a hard fail [ In reply to ]

scott at kitterman

Mar 9, 2009, 6:16 PM

Post #2 of 4 (7426 views)

Permalink

On Tue, 10 Mar 2009 11:08:46 +1100 "MacShane, Tracy"
<Tracy.Macshane@AirservicesAustralia.com> wrote:
>
>
>Lately we've been getting a run of spam purporting to come from Hotmail
>or Yahoo senders, and unfortunately both of these domains use "~all" in
>their SPF records. Not one of these spam messages are originating from
>the genuine hosts.
>
>Received-SPF: Softfail (domain owner discourages use of this host)
>identity=helo; client-ip=199.243.243.50;
>helo=google.com; envelope-from=109imfbz1de@yahoo.ca;
>receiver=receiver@example.com
>Received: from google.com (cyginternet.cygnuscorp.com
>[199.243.243.50])by smtp3.domain.com (Postfix) with ESMTP id
>64BCB208091for <receiver@example.com>; Wed, 25 Feb 2009 06:15:13 +1100
>(EST)
>
>Is there a way of making SPF "enforce" a real fail on a per-domain
>basis? I'm using postfix-policyd-spf-python.
>

What version are you using?

Scott K

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

RE: Changing a "soft fail" into a hard fail [ In reply to ]

Tracy.Macshane at AirservicesAustralia

Mar 9, 2009, 6:30 PM

Post #3 of 4 (7418 views)

Permalink

> -----Original Message-----
> From: Scott Kitterman [mailto:scott@kitterman.com]
> Sent: Tuesday, 10 March 2009 12:17 PM
> To: spf-help@v2.listbox.com
> Subject: Re: [spf-help] Changing a "soft fail" into a hard fail
>
> On Tue, 10 Mar 2009 11:08:46 +1100 "MacShane, Tracy"
> <Tracy.Macshane@AirservicesAustralia.com> wrote:
> >
> >Received-SPF: Softfail (domain owner discourages use of this host)
> >identity=helo; client-ip=199.243.243.50; helo=google.com;
> >envelope-from=109imfbz1de@yahoo.ca;
> >receiver=receiver@example.com
> >Received: from google.com (cyginternet.cygnuscorp.com
> >[199.243.243.50])by smtp3.domain.com (Postfix) with ESMTP id
> >64BCB208091for <receiver@example.com>; Wed, 25 Feb 2009
> 06:15:13 +1100
> >(EST)
> >
> >Is there a way of making SPF "enforce" a real fail on a per-domain
> >basis? I'm using postfix-policyd-spf-python.
> >
>
> What version are you using?
>
> Scott K
>
>

D'oh! It's 0.7, and I just found the option for
"Reject_Not_Pass_Domains" in the commented conf sample. So all I need to
do is add:

Reject_Not_Pass_Domains = gmail.com,google.com,hotmail.com

to policyd-spf.conf?

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

RE: Changing a "soft fail" into a hard fail [ In reply to ]

scott at kitterman

Mar 9, 2009, 7:20 PM

Post #4 of 4 (7439 views)

Permalink

On Tue, 10 Mar 2009 12:30:56 +1100 "MacShane, Tracy"
<Tracy.Macshane@AirservicesAustralia.com> wrote:
>
>> -----Original Message-----
>> From: Scott Kitterman [mailto:scott@kitterman.com]
>> Sent: Tuesday, 10 March 2009 12:17 PM
>> To: spf-help@v2.listbox.com
>> Subject: Re: [spf-help] Changing a "soft fail" into a hard fail
>>
>> On Tue, 10 Mar 2009 11:08:46 +1100 "MacShane, Tracy"
>> <Tracy.Macshane@AirservicesAustralia.com> wrote:
>> >
>> >Received-SPF: Softfail (domain owner discourages use of this host)
>> >identity=helo; client-ip=199.243.243.50; helo=google.com;
>> >envelope-from=109imfbz1de@yahoo.ca;
>> >receiver=receiver@example.com
>> >Received: from google.com (cyginternet.cygnuscorp.com
>> >[199.243.243.50])by smtp3.domain.com (Postfix) with ESMTP id
>> >64BCB208091for <receiver@example.com>; Wed, 25 Feb 2009
>> 06:15:13 +1100
>> >(EST)
>> >
>> >Is there a way of making SPF "enforce" a real fail on a per-domain
>> >basis? I'm using postfix-policyd-spf-python.
>> >
>>
>> What version are you using?
>>
>> Scott K
>>
>>
>
>D'oh! It's 0.7, and I just found the option for
>"Reject_Not_Pass_Domains" in the commented conf sample. So all I need to
>do is add:
>
>Reject_Not_Pass_Domains = gmail.com,google.com,hotmail.com
>
>to policyd-spf.conf?

Yes. That should do it.

Scott K

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com