
RE: SPF-Compliant Spam

From: Bernd Petrovitsch <bernd(at)firmix.at>
Date: Mon Aug 27 2007 - 10:35:02 EDT


On Mon, 2007-08-27 at 09:47 -0400, Jason Bertoch wrote:
> On Monday, August 27, 2007 9:27 AM Magnus Holmgren wrote:
>
> > For spammers to be able to send SPF-authenticated spam using botnets,
> > they usually have to authorize ridiculously large address blocks, for
> > example with "+all" or "+a:0.0.0.0/2 +a:64.0.0.0/2 +a:128.0.0.0/2
> > +a:192.0.0.0/2", so it's possible to check for that.
>
> Has anyone verified that spammers are actually doing this yet, and how common it
> is? If so, it sounds like a good rule to add to the SPF protocol itself to save
> every implementation from having to check on their own.

Just give 0.1 point per SPF-allowed IP address (minus 128 or something). There
won't be many real mail providers/ISPs left which have more outgoing IP addresses. And
those get almost no points. Or you have to white-list them anyways (for whatever reason,
e.g. greylisting and other quirks on their mail setup).

BTW it makes no sense to forbid the (abuse like) above since you can't really
enforce it: On what condition do you want to say "it's illegal"? If prefix == n
is forbidden, I take n+1 as prefix and duplicate the number of entries.

        Bernd

-- 
Firmix Software GmbH                   
http://www.firmix.at/
mobil: +43 664 4416156                 fax: +43 1 7890849-55
          Embedded Linux Development and Services
Received on Mon Aug 27 10:35:57 2007
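
The per-address scoring suggested in the message above, as an added example that is not part of the original post or of any SPF implementation. The function names, the reading of "minus 128" as a free allowance, and the handling of `a:<dotted-quad>/<len>` (as written in the quoted message) like an `ip4:` network are assumptions; terms that need DNS are returned uncounted.

```python
import ipaddress

POINTS_PER_ADDRESS = 0.1   # "0.1 point per SPF-allowed IP address"
FREE_ADDRESSES = 128       # "minus 128 or something" (read here as an allowance)

def authorized_ipv4_count(record):
    """Return (distinct IPv4 addresses given 'pass', terms not counted).

    Simplification: mechanism order is ignored, so an earlier "-ip4:" does
    not carve addresses out of a later "+all".
    """
    nets, uncounted = [], []
    for term in record.split()[1:]:            # skip the "v=spf1" version tag
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term[1:] if term[0] in "+-~?" else term
        if qualifier != "+":                   # only 'pass' results authorize a sender
            continue
        name, _, arg = body.partition(":")
        name = name.lower()
        if name == "all":
            nets.append(ipaddress.IPv4Network("0.0.0.0/0"))
        elif name in ("ip4", "a"):
            try:                               # assumption: a:<literal>/<len> counts like ip4:
                nets.append(ipaddress.IPv4Network(arg, strict=False))
            except ValueError:                 # hostname or malformed literal: needs DNS
                uncounted.append(term)
        else:                                  # mx, include, exists, ip6, redirect=, ...
            uncounted.append(term)
    # Collapsing merges overlapping and adjacent blocks, so splitting one
    # /n into two /(n+1) entries does not change the total.
    total = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return total, uncounted

def breadth_score(record):
    """Points for the record: 0.1 per authorized address beyond the allowance."""
    count, _ = authorized_ipv4_count(record)
    return POINTS_PER_ADDRESS * max(0, count - FREE_ADDRESSES)

if __name__ == "__main__":
    samples = [                                # constructed sample records
        "v=spf1 +all",
        "v=spf1 +a:0.0.0.0/2 +a:64.0.0.0/2 +a:128.0.0.0/2 +a:192.0.0.0/2",
        "v=spf1 ip4:192.0.2.0/24 mx -all",
        "v=spf1 ip4:192.0.2.0/28 -all",
    ]
    for rec in samples:
        count, skipped = authorized_ipv4_count(rec)
        print(f"{breadth_score(rec):>14.1f}  {count:>10}  skipped={skipped}  {rec}")
```

Because the count is taken over the merged address set, the "take n+1 as prefix and duplicate the number of entries" workaround scores the same as the single wider block.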

This archive was generated by hypermail 2.1.8 : Thu Oct 25 2007 - 22:21:10 EDT

