spf?

Discussion of items in the "What's New" log.

spf?

Postby josh » Tue Sep 30, 2008 9:14 am

No news for a while -- and no news is generally good news here :) -- I'm considering implementing SPF on the spamgourmet domains, in order to cut back on the abuses of spammers who send a bunch of email using one of our addresses -- I'm still not sure why they're doing it, but SPF would help tag their messages as fake. The downside is that if you're a spamgourmet user who has been sending messages "from" your spamgourmet addresses without using reply address masking, you'll have a hard time continuing to do that. I think pretty much everyone's using reply address masking these days anyway, so it shouldn't be a big problem. I'm going to start with some of the less frequently used domains to test, and if all's good, I'll sweep the lot of them. After that, I'll publish instructions for other owners of spamgourmet domains to follow suit if they like.
josh
 
Posts: 1371
Joined: Fri Aug 29, 2003 2:28 pm

Postby lwc » Tue Sep 30, 2008 10:50 am

Actually, I've stopped using reply masking since Spamgourmet started having problems. I figured if my incoming messages are delayed, I might as well not delay my outgoing messages.

SPF sounds problematic for me if it means my outgoing messages would have to go through the same delay, not to mention get randomly lost.
lwc
 
Posts: 406
Joined: Sat Aug 28, 2004 9:09 am

Postby miniscus » Wed Oct 01, 2008 2:32 am

I'm not the guy with much knowledge on this stuff, but I must agree the biggest problem is delays. Thinking further, delays make SG addresses more of a temporary, less reliable matter. Thinking even further, getting spam on such a temporary address, well, simply makes you shut it down, eh?
So where is the need of extras (don't know what spf is) :-)

I have no problem in shutting down addresses. I do not use them long term, and never thought they were meant for that. Especially now, with the delays, and with quite some people here having lost really important mails.

Hmmm. I guess I am not that Spam phobic any more. I would never ever use a Spamgourmet address to correspond about a possible employment.
miniscus
 
Posts: 48
Joined: Thu Aug 28, 2003 10:05 pm
Location: Wiesbaden, Germany

Postby gd » Wed Oct 01, 2008 11:31 am

Definition of SPF: http://www.webopedia.com/TERM/S/SPF.html

Does it mean that I won't be able to send e-mails from e.g. a webmail service with a SG address as From-address?
Well, I consider that as a disaster!! :( :( :(
gd
 
Posts: 1
Joined: Wed Oct 01, 2008 7:25 am

Postby josh » Mon Oct 06, 2008 9:18 pm

Maybe you guys haven't been hit yet with a "joe job" type operation where a spammer takes your spamgourmet username, and blasts out registrations or spam or whatever with a whole bunch of new addresses? It sucks, because you get the bouncebacks etc. from it, and spamgourmet gets a whole bunch of junk addresses. I believe this sort of activity is causing a big load on the server (and therefore causing much of the delay, when it happens).

Why are they doing it? All I can think of is that because we don't have SPF enabled, many mail servers use the callback verification approach, and our server will not return an error on just about anything (which is the way it has to be, otherwise every spamgourmet address would have to be configured in the mail server before use) -- I believe that SPF will cause such blasts to fast-fail, and that they'll stop.

Will it affect sending email from another host? Not directly, of course, but it will result in a SPF fail. That wasn't enough to stop my tests to Gmail from getting delivered.
josh
 
Posts: 1371
Joined: Fri Aug 29, 2003 2:28 pm

Postby miniscus » Mon Oct 06, 2008 9:41 pm

Ah, so I got it now. And no, I have not experienced bouncebacks etc. from new addresses yet.

In this case, I find it very appealing if you can do something about it! Reply address masking is surely mostly used.

Great to hear of some ideas to fight this, and the delays. Thanks!
miniscus
 
Posts: 48
Joined: Thu Aug 28, 2003 10:05 pm
Location: Wiesbaden, Germany

Postby lwc » Tue Oct 07, 2008 7:59 am

If you say Gmail, one of the biggest mail providers, doesn't perform a SPF test, doesn't it ruin your all case?
lwc
 
Posts: 406
Joined: Sat Aug 28, 2004 9:09 am

Postby josh » Tue Oct 07, 2008 2:15 pm

Gmail does perform a SPF test, it just doesn't completely determine what to do with the message based on the result of the test. The record of the failure was in the headers of the message which was delivered to my inbox in the test. I guess gmail thought that, all things considered, including the SPF failure, the message wasn't spammy enough to go to the spam folder. My belief is that most big ISPs are using SPF as part of a ratings methodology like that.

Anyway, yesterday I completed the implementation and this morning the server load is about 1/3 of what it usually is -- coincidence? (it might be, actually, but it's nice :) )
josh
 
Posts: 1371
Joined: Fri Aug 29, 2003 2:28 pm

Postby lwc » Tue Oct 07, 2008 3:48 pm

Wait a minute, didn't you say "I'm going to start with some of the less frequently used domains to test"? Am I not supposed to fake my sender's address anymore? Have I been risking losing outgoing messages ever since yesterday?
lwc
 
Posts: 406
Joined: Sat Aug 28, 2004 9:09 am

Re: spf?

Postby gourmet » Thu Oct 09, 2008 7:36 am

Just to say it shortly. I don't like SPF at all. It's not quite usable with many different ways of using email. It'll work if everyone uses webmail (dedicated with some domain) or so. But it doesnt' work well with many other ways of using email.

I'll send about 50% of my emails with "forged" email address. And that's not a problem, if SPF is not being used.
gourmet
 
Posts: 124
Joined: Thu Mar 27, 2008 4:46 pm

Postby info » Fri Oct 10, 2008 2:39 am

I did start with less frequently used domains to test -- for about a week :)

Anyway, you can still fake the sender if you want -- it may result in a SPF fail, but that doesn't necessarily mean the message won't be delivered, and if it doesn't, most systems are sending bounces.
info
Site Admin
 
Posts: 100
Joined: Thu Aug 28, 2003 12:54 pm

Postby gourmet » Fri Oct 10, 2008 3:10 pm

info wrote:I did start with less frequently used domains to test -- for about a week :)

Anyway, you can still fake the sender if you want -- it may result in a SPF fail, but that doesn't necessarily mean the message won't be delivered, and if it doesn't, most systems are sending bounces.


I'm very interested to hear about results later.

"Spamgourmet never bounces..." ;)
gourmet
 
Posts: 124
Joined: Thu Mar 27, 2008 4:46 pm

Ahh now I understand

Postby yizwos » Fri Oct 10, 2008 9:50 pm

I was wondering why I got an SPF bounce for the first time a couple of days ago. Do I understand right that if we get our own domain set up which is redirected to spamgourmet then we can control our own SPF records and continue to "forge" addresses?
I'm veggie, so please eat a tin of spam for me.
yizwos
 
Posts: 5
Joined: Sat Jan 05, 2008 9:45 pm


Return to What's New

Who is online

Users browsing this forum: No registered users and 1 guest