SA Bugzilla – Bug 2634
rule: based on SPF "best guess"
Last modified: 2005-01-19 05:33:37 UTC
This is an interesting technique. IMO, it may be better to do it locally inside SpamAssassin as its own rule, since I reckon *real* SPF records will probably have higher accuracy, and therefore higher S/O. The heuristic is: if the client IP is in the same class C as the domain's A record, pass. if the client IP is in the same class C as the domain's MX servers, pass. if the client IP's PTR record matches the domain name, pass. One to try out for 2.70. Date: Sun, 26 Oct 2003 20:02:52 -0500 From: Meng Weng Wong <mengwong@dumbo.pobox.com> Subject: Mail::SPF::Query has a best_guess method ... So I've got an even bigger plus for you: Mail::SPF::Query now has a "best_guess" method, which basically does this: my $BEST_GUESS_MECHS = "a/24 mx/24 ptr ptrhs:wl.trusted-forwarder.org"; So: if the client IP is in the same class C as the domain's A record, pass. if the client IP is in the same class C as the domain's MX servers, pass. if the client IP's PTR record matches the domain name, pass. if the client IP's PTR domain name is found in wl.trusted-forwarder.org, pass . R. Scott Perry of Declude JunkMail did some testing on his spambase: Here are the results. This includes all spam to our spamtraps received in an entire one week period ending this morning around 8AM. Total spams: 33,809 Total failing "a mx ptr": 31,270 [92.5%] Total failing "ptr": 32,345 [95.7%] Total failing "mx": 31,556 [93.3%] Total failing "a": 31,420 [92.9%] So if all domains had an SPF entry of "a mx ptr", 92.5% of the spam we received over the past week would have been caught. The results for the ham were quite interesting: Total ham: 1860 Total failing "a mx ptr": 504 [27.1%] This looks pretty bad -- 27.1% of ham E-mail failing the "a mx ptr" test. However, after I looked at the ham that failed the test, I found that most of them have an IP in the same Class C range as an IP in the MX/A records. Often, mailservers are set up to use many IPs (usually on the same Class C range), and they may "pick" an IP that isn't in the MX record, even though it is the same mailserver. Or the mail comes out through a gateway server, typically also in the same Class C range. Those numbers go down to 142 E-mails (7.6%) failing "a mx ptr" simply by changing the MX and A tests to pass if the IP is in the same Class C range, rather than looking for an exact match. The numbers for spam failing "a mx ptr" only go down from 92.5% to 87.7% with this change.
grabbing! ;)
SPF is now implemented by AOL (first mega-isp to do so): http://slashdot.org/article.pl?sid=04/01/09/0435234&mode=thread&tid=111&tid=120&tid=126&tid=187 Would be nice if SA uses this, as it's a great way to fight spam. http://spf.pobox.com/
Robert, SA 2.70 contains SPF support already.
Justin, thanks. Wasn't aware. I've been focusing on 2.6x, and SAProxy lately. I'm a bit out of the loop as far as 2.70. Trying to implement SPF myself later today on my domains.
taking
ok, so is this ticket done since there are SPF rules in 3.0?
nah, it's not -- it didn't give good results *at all* in my earlier testing (see rule T_ALL_RELAYS_NEAR_MXES). Punting to 3.1.0 for further investigation, if any.
removing from blocker
more accuracy and performance bugs going to 3.1.0 milestone
What about using "best guess" as a whitelisting technique for ham? See which domains always work with a reasonable best guess and then we can do SPF best-guess-based whitelisting of those domains. I have heard someone get good results with a best guess record of: "v=spf1 ptr ?all" We could also test passes using other best guess record types.
it might work on a domain-by-domain basis -- but AFAICS your suggested string is basically checking the reverse DNS, right? we already have (or had) a rule for that, and it doesn't work great.