Jump to content

SPF Rocks!


Recommended Posts

I just deployed SPF on my MTA. It was quite a lot of

effort, but it's blocking *all* spam.

After about six months or so spammers will start

publishing SPF records and RHSBLs will become necessary

(I may go with a RHSWL myself). For the moment however,

the results are spectacular!

My experience and the customizations I made can be found

at http://archives.listbox.com/spf-discuss/current for

those who might be interested.

Link to comment
Share on other sites

I just deployed SPF on my MTA.  It was quite a lot of

effort, but it's blocking *all* spam.

This, by itself, is not very meaningful. Does it also not block legitimate mail?

Don't get me wrong. I like SPF (though I haven't implemented it, yet). But aren't there a *lot* of people who haven't published SPF records?

Link to comment
Share on other sites

Turns out a nifty default rule can be established:

"v=spf1 a/24 mx/24 ptr -all".

This ACL works for about 80% of legitimate senders. I've

configured SPF to apply this rule whenver an explicit SPF rule

is absent. I've hand-coded 'fallback' records for the few

critical correspondents that don't fit the above. I've even

modified the 'Mail::SPF::Query' Perl module to convert "?all"

"~all" and "+all" into "-all". This was because I got spammed

by someone spoofing an Earthlink address and their record

specifies "?all" at the end.

The most complex fallback and override records I've had to write

were so SpamCop staff can send me e-mail in response to my

occasional direct query. Anyone else sending me mail with an

"[at]spamcop.net" envelope sender will get bounced though (incuding

myself). JT should consider establishing a DNS server that

validates SpamCop senders by their account name (via SPF's

"exists" construct) rather than using the "v=spf1 ?all" that he

has published.

I've also created (modified someone else's actually) an

'access.db' whitelist capability that lets me whitelist

a handful of people I know who send me mail from SPF-broken

places like sbcglobal.com (hosted by yahoo.com).

It's been extremely satisfying sitting here for the last

two days watching spam getting constantly bounced in my

'sendmail' log window.


Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Create New...