[RFCI-Discuss] RFC4408 aka SPF

csmailreport csmailreport at googlemail.com
Wed Jan 24 08:42:17 EST 2007


This isn't a "bogus SPF record" -- in fact, it's a totally legit one (RFC
compliant and all).

Nobody ever stated that email authentication would reduce spam --
in fact, it's quite the opposite: you can expect spammers to be the first to
deploy SPF records and authenticate properly.

So if you think "this email validates via SPF/DKIM/Sender-ID/whatever so it
isn't spam", you're making a fundamental mistake.

Reducing spam is a matter of email authentication + domain reputation.

SPF is an authentication enabler (like DKIM), which allows building reliable
reputation systems, which in turn will allow you to decide how likely one
sender's domain is spamming.

Check how Google is making use of authentication to calculate reputation in
their whitepaper at http://www.ceas.cc/2006/19.pdf for instance.

Authentication only prevents spoofing, thus it enables correct calculation
of a domain reputation, and in the case of the domains you're mentioning,
my guess is that their spam reputation is very bad.

What you're looking for is a reputation system, not another RFCI blacklist
(esp. since these SPF records are totally RFC compliant).

Cheers,
-- Nicolas

On 1/24/07, Alexey Lobanov <aal at lobanov.sp.ru> wrote:
>
> Hello all.
>
> It looks like spammers have started to abuse RFC4408 with bogus SPF
> records:
>
> ecooldeals.com text "v=spf1 a mx +all"
> 3ivn.com text "v=spf1 mx ptr ip4:195.144.11.67 +all"
> alpha-direct.com text "v=spf1 +all"
> bethellutheranchurch.com text "v=spf1 a mx +all"
> kind-heart.com text "v=spf1 all"
>
> All the examples are from real spam, of course.
>
> Yes, "+all" is provided as an example in the RFC text. But the nature of
> this "v=spf1 +all" seems to be exactly the same as the nature of "IN MX
> localhost". They are trying to fool us, to legitimize mail from every
> trojanned home machine.
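
An added example, not part of either message above: a small Python check a receiver could run on a sender's SPF TXT string to see whether a pass is tied to specific hosts at all, before feeding it into a reputation score. The names spf_pass_scope, audit and SAMPLES are hypothetical; the two control records are constructed, and the ip4 /0 case goes beyond the records quoted in the thread.

```python
import ipaddress
import re

TERM = re.compile(r"([a-z0-9_.-]+)([:/=]?)(.*)")  # name, separator, argument

def spf_pass_scope(record):
    """Classify an SPF TXT string as 'any-host', 'limited' or 'not-spf'.

    'any-host' means every sending IP earns an SPF pass, so the pass
    authenticates the domain but says nothing about the sending host.
    include:/redirect= targets are not followed (that needs DNS)."""
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return "not-spf"
    for term in terms[1:]:
        qualifier = "+"                      # RFC 4408: default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        m = TERM.match(term)
        if not m or m.group(2) == "=":       # malformed term, or a modifier
            continue
        name, arg = m.group(1), m.group(3)
        if name == "all":                    # terms after "all" are never tested
            return "any-host" if qualifier == "+" else "limited"
        if name in ("ip4", "ip6") and qualifier == "+":
            try:
                if ipaddress.ip_network(arg, strict=False).prefixlen == 0:
                    return "any-host"        # e.g. ip4:0.0.0.0/0 acts like +all
            except ValueError:
                continue
    return "limited"                         # no "all": unmatched hosts get neutral

# First five records are the ones quoted in the thread; the last two
# are constructed controls using documentation address space.
SAMPLES = {
    "ecooldeals.com": "v=spf1 a mx +all",
    "3ivn.com": "v=spf1 mx ptr ip4:195.144.11.67 +all",
    "alpha-direct.com": "v=spf1 +all",
    "bethellutheranchurch.com": "v=spf1 a mx +all",
    "kind-heart.com": "v=spf1 all",
    "control-strict.example": "v=spf1 mx ip4:192.0.2.0/24 -all",
    "control-wide.example": "v=spf1 ip4:0.0.0.0/0 -all",
}

def audit(records):
    """Map each domain to the scope of its SPF pass."""
    return {domain: spf_pass_scope(txt) for domain, txt in records.items()}

if __name__ == "__main__":
    for domain, scope in audit(SAMPLES).items():
        print(f"{domain:28} {scope}")
```

An 'any-host' result does not make the record invalid; it only tells the receiver that the domain's reputation, not the SPF pass, has to carry the decision.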