lawless Posted June 29, 2004

I just deployed SPF on my MTA. It was quite a lot of effort, but it's blocking *all* spam. After about six months or so spammers will start publishing SPF records and RHSBLs will become necessary (I may go with a RHSWL myself). For the moment however, the results are spectacular! My experience and the customizations I made can be found at http://archives.listbox.com/spf-discuss/current for those who might be interested.

jseymour Posted June 29, 2004

> I just deployed SPF on my MTA. It was quite a lot of effort, but it's blocking *all* spam.

This, by itself, is not very meaningful. Does it also not block legitimate mail? Don't get me wrong. I like SPF (though I haven't implemented it, yet). But aren't there a *lot* of people who haven't published SPF records?

lawless (Author) Posted June 30, 2004

Turns out a nifty default rule can be established: "v=spf1 a/24 mx/24 ptr -all". This ACL works for about 80% of legitimate senders. I've configured SPF to apply this rule whenever an explicit SPF rule is absent. I've hand-coded 'fallback' records for the few critical correspondents that don't fit the above.

I've even modified the 'Mail::SPF::Query' Perl module to convert "?all", "~all" and "+all" into "-all". This was because I got spammed by someone spoofing an Earthlink address and their record specifies "?all" at the end.

The most complex fallback and override records I've had to write were so SpamCop staff can send me e-mail in response to my occasional direct query. Anyone else sending me mail with an "[at]spamcop.net" envelope sender will get bounced though (including myself). JT should consider establishing a DNS server that validates SpamCop senders by their account name (via SPF's "exists" construct) rather than using the "v=spf1 ?all" that he has published.

I've also created (modified someone else's actually) an 'access.db' whitelist capability that lets me whitelist a handful of people I know who send me mail from SPF-broken places like sbcglobal.com (hosted by yahoo.com).

It's been extremely satisfying sitting here for the last two days watching spam getting constantly bounced in my 'sendmail' log window.

David
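
The fallback-and-override policy described in the post above, as an added example (not the poster's configuration and not Mail::SPF::Query code): it shows how the default record and the forced "-all" change the verdict for a sender. The function names, the DNS table and the example.org/example.net data are constructed for illustration; IPv4 only.

```python
import ipaddress

# Fallback used when a domain publishes no SPF record (the rule quoted in the post).
DEFAULT_RECORD = "v=spf1 a/24 mx/24 ptr -all"
RESULT = {"+": "pass", "-": "fail", "?": "neutral", "~": "softfail"}

# Constructed sample DNS data (documentation address ranges, example domains).
DNS = {
    "txt": {"example.net": "v=spf1 ip4:192.0.2.0/24 ?all"},
    "a": {"example.org": ["192.0.2.10"], "mail.example.org": ["198.51.100.25"],
          "relay.example.org": ["203.0.113.7"]},
    "mx": {"example.org": ["mail.example.org"]},
    "ptr": {"203.0.113.7": ["relay.example.org"]},
}

def effective_record(domain):
    """Published record, or the fallback; any ?all/~all/+all/all becomes -all."""
    terms = DNS["txt"].get(domain, DEFAULT_RECORD).split()
    return " ".join("-all" if t.lstrip("+?~") == "all" else t for t in terms)

def in_net(ip, hosts, prefix):
    """True if ip falls inside host/prefix for any of the given host addresses."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(f"{h}/{prefix}", strict=False) for h in hosts)

def check(ip, domain):
    """Evaluate the effective record left to right; the first matching term decides."""
    for term in effective_record(domain).split()[1:]:
        qual = term[0] if term[0] in RESULT else "+"
        mech, _, prefix = term.lstrip("+-?~").partition("/")
        prefix = int(prefix or 32)
        if mech == "all":
            hit = True
        elif mech.startswith("ip4:"):
            hit = in_net(ip, [mech[4:]], prefix)
        elif mech == "a":
            hit = in_net(ip, DNS["a"].get(domain, []), prefix)
        elif mech == "mx":
            hosts = [a for mx in DNS["mx"].get(domain, []) for a in DNS["a"].get(mx, [])]
            hit = in_net(ip, hosts, prefix)
        elif mech == "ptr":  # reverse name must forward-confirm and sit under domain
            hit = any(ip in DNS["a"].get(n, []) and (n == domain or n.endswith("." + domain))
                      for n in DNS["ptr"].get(ip, []))
        else:  # include, exists, redirect: not evaluated here, treated as no match
            hit = False
        if hit:
            return RESULT[qual]
    return "neutral"
```

With the published "?all" left intact, the unlisted sender for example.net would come back "neutral" and be accepted; after the rewrite it is a hard "fail", which is also what happens to any legitimate host outside the /24 guesses of the fallback record.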