SPF fail.

Well, SPF sure is working great. Nicely done, guys. I'm not sure I've gotten a single piece of spam that SpamAssassin didn't flag as SPF_PASS.

Temperatures dropping, spam rising. Lately I'm getting dozens a day that SA doesn't catch. Tragedy.

Tags: ,

57 Responses:

  1. jered says:

    I just checked my spam folder and found a few SPF_NEUTRAL and SPF_FAIL, but there's a lot of SPF_PASS too... it's worth noting that a PASS doesn't gain you any points, though, so the problem is understood. SPF is going to be of limited value for joe-jobbing botnets anyway.

    I also just discard everything that scores higher than 8.0 so that my spam folder only gets a few dozen (instead of 2000) messages a day, so maybe some of the really spammy stuff has bad SPF data too.

    I set up the DKIM stuff. Man, that was a waste of time. At least my outgoing stuff gets signed which means, theoretically, I'm not getting screwed by the big email hosters (Yahoo, Gmail, AOL, etc.)

    I'm in favor of spammer bounties, but sadly there are legality issues.

  2. dballing says:

    SPF was not then, and never was, about identifying spam. It was about identifying that the "From" address was being used legitimately. In other words, it was designed to prevent forgeries of e-mail addresses. (So that you could tell if a message coming from FOO@jwz.org was coming from an IP address that jwz.org said was likely to send mail as them).

    Now it may have had, for a while, ancillary benefits, as so much spam at the time had forged From headers, but it was never intended as a silver bullet towards that problem. Spammers have just realized that $7 to register a domain is cheap compared to their costs, so they register a bunch of shit domains and use those on their From addresses, complete with proper SPF records, etc., etc.

    • jwz says:

      In other words, SPF was a complete waste of time and effort, which is what I said. Glad you agree.

      • dballing says:

        So the only reason in the universe to do anything e-mail related is if it has to do with fighting spam?

        SPF succeeds at what it set out to do. Domains which use SPF can tell other folks "hey if it's not coming from @LIST_OF_IPS, then it's not me." FOR THAT PURPOSE, it does exactly what it set out to do, and does a pretty decent job of it.

        So, no, don't agree with you at all.

        • jwz says:

          Pretty much, yeah. Except for spam, email transport has been a solved problem for decades.

          • dballing says:

            Wow. How can someone so smart be so misguided?

            Without SPF (and its ilk, there's several different competing methodologies here), SMTP "email transport" has *no* sender authentication mechanism built into it. Anyone can pretend to be anyone else and the recipient has no idea if the sender is actually who they say they are. Perhaps you've been living in a bubble, but have you never heard of "phishing"?


            Perhaps a suggestion might be to stick to the topics you know well... browsers and screensavers, because clearly you haven't spent much time dealing with problems in OTHER areas of the net.

            • jwz says:

              Blah blah blah, we invented S/MIME to solve that, fourteen years ago. Nobody wanted it. Nobody cared.

              • barrkel says:

                S/MIME requires a whole CA infrastructure. That kind of security setup is never going to work outside of a police state.

            • ultranurd says:

              It's entirely possible that I first encountered this in a JWZ post a while ago, but I am reminded of the "Your solution to spam won't work because..." checklist, which I find to be a useful reminder in a lot of "why doesn't tech X just work in this obvious-to-me way?" discussions.

            • lionsphil says:

              This is what cryptographic signatures are for, not questionable evil bits.

              • jered says:

                Hunh? DKIM isn't solving the problem any better. What problem are we trying to solve again?

                • lionsphil says:

                  "Anyone can pretend to be anyone else and the recipient has no idea if the sender is actually who they say they are."

                  Digital signatures solved this problem long ago. OpenPGP has existed for about a decade.

                  No, this has nothing to do with spam any more, but apparently dballing thinks that SPF is some kind of authentication solution.

                  Best I can determine from the Wikipedia article (which is written badly enough to be an academic paper), SPF is basically an evil bit. Woo.

        • jmtd says:

          Except SPF failed there, too, since it stuck its head in the sand and pretended that people never forwarded mail, ever.

          I recommend reading http://david.woodhou.se/why-not-spf.html

          • shandrew says:

            That's exactly the reason why SPF is annoying. It's also more crap busy work for mail admins.

            Another reason why SPF is mostly useless is that many email clients don't even show email addresses anymore! Thanks gmail, for making that bizarre choice.

      • radparker says:

        Does SPF help to identify annoying comments from Derek Balling?

    • mark242 says:

      SPF is yet another one of those bolted-on SMTP hacks that, in order to be/have been effective, would have to be implemented by everyone, all at once.

      In other words-- it'll never happen.

      Until the installer for Postfix, Sendmail, qmail, Exchange, et al, require the admin to generate a verified cert and by default do not accept unsigned messages, joe-jobbing is going to be a problem.

      In other words-- it'll continue to be a problem forever.

      To date, Spamhaus Zen is still the most effective way I've seen at blocking the majority of spam with a near-zero rate of false positives.

      • bifrosty2k says:

        Spamhaus is the easiest way to lose legit mail, avoid++.

        • babysimon says:

          I've been using Spamhaus for personal and work email for a couple of years now, and I've not noticed anything going missing. I would expect if I was blocking legitimate mail that the sender would get a bounce from their MTA and sooner or later I'd hear about it. At least once.

          Can you explain a bit more about how I could be blocking real email? If there's something I'm missing here I'd like to know about it.

          • bifrosty2k says:

            Its a pretty long saga but basically the problem is that Spamhaus is accountable to nobody and has regularly blocked innocent parties for years.
            I'd say the most egregious thing I've personally experienced was when they blocked an ISP's entire /21 because of one problem user, who turned out to not be the culprit anyways.

            Stuff like that is basically unacceptable, so when anyone asks me about this topic I tend to speakup. If you really want to use any Spamhaus list, set it in SA to only be able to add one point, otherwise you risk losing real mail.
            This unfortunately doesn't just apply to Spamhaus, there's at least 4-5 other lists that are full of antispam zealots who are too rabid to see the big picture. Yes, spam is bloody freaking annoying, but blocking hundreds or even thousands of mail servers in one broad stroke is insane.

            • discogravy says:

              I've had this happen to a network I was admin over -- a /24 (out of many; the whole network was a /16) was blocked because of a single email, emails to spamhaus went unanswered for a few days(!). In the end I wound up piping mail through another IP outside of the /24 that was blocked; that's not something that could easily be done by most admins however.

              • jmtd says:

                Well, I guess the system is working then - as frustrating as it is for you, you still managed to work around it, whereas were you actually a spammer you'd have to write that netblock off.

                • luserspaz says:

                  The terrorists have already won.

                • discogravy says:

                  That is not a working system; I wound up writing that netblock off, just like a spammer. A smaller network (read: 95% of all admins/businesses) would have been completely screwed with no recourse but to hope that eventually spamhaus got around to checking their mail. It was pure luck that I had other /24 networks available to me.

            • rane500 says:

              I can second this heartily. I worked for a web hosting company for a while and had to go to bat for legitimate clients who - sometimes for NO VALID REASON AT ALL - ended up on Spamhaus or one of a half-dozen others. In some cases it's not even a matter of anti-spam zealots, it's a matter of the list maintainers never answering requests, failing to follow their own paperwork policy for reversing the blacklist, or literally saying "I don't feel like it today, maybe later."

              Now I work for a major third-party commercial e-mail service and I watch our Deliverability department go through the same hoops daily and am so very thankful I don't have to do it anymore.

              As to the original topic - SPF is completely useless until people actually start blocking on it cold. Even then it'll only cover a portion of what gets through, since it's only a check against legitimate domains and has nothing to do with some third-party spammer blasting from some at least quasi-legitimate provider.

              On a final note, I'm sick of SA. SICK OF IT. We use the rule sets as a tool for clients to check out their own messages before sending, and at least half the time the scores are either wrong or beyond arbitrary and change on every recalculation even on identical messages.

      • jered says:

        SPF has no certificates and does not involve signing. You're thinking about DomainKeys/DKIM. SPF is a way for the receiving MTA to verify (via information in a DNS record) that the sending MTA is allowed to send for a given domain.

  3. ghewgill says:

    Spamassassin's performance is getting worse (well, spammers are getting better) and there hasn't even been a new minor release in 18 months. SPF never was directly about spam and yet hasn't succeeded in doing whatever it claimed to do.

    My first line of defense is to use http://www.spamhaus.org/zen/ which is currently rejecting 94% of incoming connections. I've never noticed loss of legitimate email.

    What's a geek to do? So many people seem to just use Gmail and ignore the spam problem.

    • jered says:

      To be fair, the reason the SA hasn't been updated in 18 months is because they put in place a mechanism where the rules updates get updated automatically. (Of course, looking to find the latest update it appears that updates.spamassassin.org doesn't even resolve anymore... WTF?)

      • jered says:

        Oh, it's a TXT record that... it's complicated. Anyway, the latest rule update was from July 20 of this year.

        • discogravy says:

          I don't use SA (well, one system I admin, but most of my nets go under enterprise-level stuff for PHB reasons), but no updates since July seems a long time.

    • lionsphil says:

      GMail appears to be more aggressive at filtering spam; not "better". I've got an address that some Linux tard decided to feed to spammers because I didn't appease his Internet ego, so got pretty damn busy, and 99% of the heavy lifting is being done by manual sieve rules(!) and MailScanner at my University. GMail then throws away the odd straggler and legitimate message on top.

      They may have some benefits from being able to use spam classification feedback from their whole userbase at once, admittedly. I wonder if anyone's been auto-creating GMail accounts and spamming themselves, marking them as false positives, just to try to bias the classifier?

      • evan says:

        Gmail's spam filtering falls down when you forward other addresses (like it seems you're using your uni address) to it, because (as I understand it as an outsider) many of the spam-related protections involve connection-time filtering.

        • lionsphil says:

          Mostly spam doesn't get through, so I have a saturation problem with testing how much Google adds on top anyway. But of course if MailScanner/SpamAssassin are doing that well, there's not much improvement to have.

          It's the odd false positive that irks, and makes me conclude that they're mostly simply more agressive.

  4. theducks says:

    Well, unsurprisingly it's covered in http://craphound.com/spamsolutions.txt - "It will stop spam for two weeks and then we'll be stuck with it"

    That's a great page I use to defuse enthusiasm for new anti-spam technologies.

    • lionsphil says:

      "For example, we use optical character recognition (OCR) developed by the Google Book Search team to protect Gmail users from image spam."

      I am now imagining a Viagra advertisement in the form of a captcha.

      • injector says:

        The captcha Viagra ads are so 2007. Back then we even had animated GIFs generated by mutation engines which use the non-replace frame flag and transparency to build the full add over several frames so OCRing any one frame didn't reveal any spammy text.

        Haven't seen those for a while; wonder why it stopped.

        • lionsphil says:

          Shiny, in a perverse way. Come to think of it, I've seen one before now where the text was done as a HTML table. Yes, each cell was a single pixel.

          • duskwuff says:

            And I've seen some crazy HTML tricks like:

              u       i   g   a

            B y V a r

            (Check the source to see how this obfuscates the message. In a real spam, of course, the borders would be turned off.)

  5. spc476 says:

    I've had good success by using a greylisting approach to blocking spam. It easily blocks over 95% and it's the only anti-spam measure I use on my email server, and what spam does end up has usually been sent from a real email server and almost always to my domain registrar specific address. The only downside is that email from a new legitimate source is delayed (implementation I use defaults to 25 minutes---this is why we no longer use it at work because some of our clients consider email to be the same as instant messaging and as much as I would like, I can't use a clue-by-four on them).

    • dhfhforg says:

      Greylisting fails; it's an "If you can't beat them, join them" approach to the problem.

      1. Spammer uses random email address A to spam you.

      2. Greylister software sends "are you human" message to A.

      3. You have just spammed A.

      4. A reports you as a source of spam.

      5. You end up blackholed.

      • tkil says:

        I think that you might be talking about a different technique.

        Greylisting, so far as I understand it, is sending back a "try again later" to the originating MTA. Properly-written MTAs will, indeed, wait 30min or whatever, and then send it again. When the greylisting host sees the second try, it assumes it's a real MTA on the other end, and adds it to the whitelist.

        (This is the main problem with greylisting; as soon as enough people start doing it, the spammers will update their robots to emulate a "proper MTA", and greylisting will no longer be useful. It's currently very effective, though.)

        I don't know if there's a popular name for the technique you're describing; I agree that it's not horribly effective, and could even be insulting in certain contexts. (On the other hand, I could see high-profile people needing it, just due to sheer volume.)

        • jmtd says:

          It's called "challenge-response", and it sucks.

        • lionsphil says:

          For once, it'd be nice to see marketing scumbag workarounds actually involve writing better code. A pristine world of RFC-compliant mail software! Oh, glorious day!

          (Maybe one day the aggressively pedantic mail filters of the future will mean that GNU Mailman won't be able to autoconvert my RFC2045 UTF-8 MIME quoted-printable messages to unknown 8bit format=fucked when it feels like it [i.e., always], thus royally breaking them.)

          As opposed to, say, the way that the prevalence of browser popup blockers now mean that webpages get covered in DHTML fake popups instead, which never quite work right, can't be manipulated by my window manager, and are basically impossible to block without breaking "2.0" things.

    • kap_ says:

      I've found even using something as small as a ~30 second delay stops almost all spam. Something that tiny might make your work implementation possible again.

      • lovingboth says:


        Given that it's been around for several years now, I am glad that enough people don't do it for the spammers not to bother to update the bots.

      • jmtd says:

        Just to clarify, right, the first connection you reject with a TEMPFAIL, then you allow retries to succeed after 30 seconds. But nowhere can you tell the connecting server what the retry period should be, so, someone like talk talk who retry in 24 hours will not connect back for a day and you'll have a day's lag on mail from that triple?

        • hawke666 says:

          The first time you receive mail from that triple, yes. After that, it's whitelisted and there's no delay. This is still the biggest problem with greylisting.

  6. mackys says:

    This is what I have in my postfix main.cf:

    smtpd_recipient_restrictions =
    reject_rhsbl_client blackhole.securitysage.com,
    reject_rhsbl_sender blackhole.securitysage.com,
    reject_rbl_client blackholes.easynet.nl,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client proxies.blackholes.wirehub.net,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client dnsbl.njabl.org,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client dnsbl.sorbs.net,
    reject_rbl_client black.uribl.com,

    This isn't perfect, I still get about two spams a week.

    I was up at about 250+ spams a day about this time last month. So the above config has worked fairly well for me. (Though, I don't throw my email address around a lot; in particular you're unlikely to find it in any HTML document.)

    The URI BL seems to work particularly well. It's a list of URLs that have appeared in spam. There's definite DoS potential to this idea, but so far the spammers don't seem to be using it that way.

    And yeah, I haven't noticed a lot of improvement when I enable SPF. So I don't bother with it any more...

    So that's my $0.02.

    • duskwuff says:

      The Day-Old-Bread URIBL is also a brilliant idea, and everybody should use it. :) It lists all newly registered domain names, under the (mostly correct) assumption that it's highly unusual for a newly registered domain name to show up in email.

  7. As dballing said, SPF has never been about blocking spam. Unfortunately it has also never been any good at what it is supposed to do. Yes, it is fail.

    I wrote this in 2005: http://acme.com/mail_filtering/
    Before I did this work I had to completely re-do my spam-blocking technology every year just to keep up. But the layered filtering I outline in this paper has held up for nearly five years now, under a spam load exceeding a million messages per day. It really really works.

  8. gadlen says:

    Cloudmark works well. It's mostly a collaborative filter. The only false positives I ever get is stuff like catalog mailers where grandma hasn't figured out how to unsubscribe instead of pushing the "Spam" button.

    It costs me $25/year. It's based on Vipul's Razor.

    Now everyone start hatin' 'cause I didn't roll my own spam filter.

  9. xthread says:

    SPF is one of the more annoying bits of misguided technology attempting to block spam that people have rolled out