Blocking Spam with SPF

UPDATE: This was written in 2010, shortly before I discovered problems with SPF adoption, which caused me to create MTX which was then not adopted. Currently I recommend my combined whitelist and blacklist.

Premises:

  1. If every domain has an SPF (DNS TXT) record, it will be easy to block all spam.
  2. Because it would be easy to block all spam, it is appropriate to expect all domains to have an SPF record.
  3. It is easy to send errors to users of domains without SPF configured, without sending backscatter to forged addresses.

SPF records are an easy way for the owner of a domain name to publish, in their own DNS (a single TXT record per domain or sub-domain), a whitelist of the servers that legitimately send email for that domain.

Block all email without a matching SPF record, and blacklist all spammer domains using SPF, and you block all spam.
I expect blacklisting SPF domains to be much easier than IPs.

It is easy to reject email lacking an SPF match during delivery, so un-forged From: addresses get an error message, and you don't send backscatter to forged addresses.

While the percentage of domains using SPF is still improving, it may be better to use an additional rule in a spam filter (like SpamAssassin) that only slightly increases the number of non-spam messages classified as spam. Sending error messages to legitimate senders is a little more difficult this way, but still easy. As of February 2010, 28.7% of my non-spam does not have an SPF record.

SpamAssassin rule for not matching an SPF record

meta      SPF_NOT_PASS       !(SPF_PASS || NO_RELAYS)
score     SPF_NOT_PASS       4.506 # flag 10% of non-spam that hits this rule as spam.
describe  SPF_NOT_PASS       Not fully validated by SPF.

/etc/spamassassin/local.cf is a good place to put this.

Remember you're blocking all spammer domains with SPF using a domain blacklist.

Spams without SPF blocked | Non-spams without SPF blocked | SpamAssassin score for SPF_NOT_PASS
100%                      | 28%                           | 100
99.92%                    | 10%                           | 4.506
99.52%                    | 1%                            | 2.356
99.15%                    | 0.1%                          | 0.285

These numbers are estimated from the 97.84% spam accuracy of SpamAssassin and the 73.2% spam accuracy I'm getting due to significantly pre-filtering spam (RBL, greylisting, etc.).

Blacklist spammer domains using SPF

For postfix, in main.cf, add "check_sender_access hash:/etc/postfix/sender_access" to "smtpd_recipient_restrictions =". The format of /etc/postfix/sender_access is one domain per line, e.g. "example.com REJECT Domain blacklisted for sending spam."
It is the domain from the SMTP MAIL FROM command (the envelope sender, often stored in the Return-Path: header) that you need to blacklist, not the From: header address.

Domain name blacklists (bottom of the page) from Jeff Makey
Domain blacklists from spamlinks.net

Postfix syntax:
reject_rhsbl_sender hostkarma.junkemailfilter.com=127.0.0.2
reject_rhsbl_sender block.rhs.mailpolice.com
reject_rhsbl_client block.rhs.mailpolice.com
I'm not using these domain blacklists yet because it's too easy to maintain my own list.

Filter spam during delivery

To give error messages only to non-forged sending addresses.

With the Postfix mail server: Spampd as a Before-Queue Content Filter
"I found that with this setup on my server, SpamAssassin couldn't determine the envelope sender as needed for certain rules (e.g. DNS_FROM_*, NO_DNS_FOR_FROM, SPF_*). I fixed this by passing the --sef (--seh could work as well; but see documentation first) switch to spampd and then adding envelope_sender_header X-Envelope-From to my SpamAssassin config. - JoshuaPettett"

Postfix main.cf:
message_size_limit = 10485760
spampd:
--maxsize=10240
This limits email size in both to 10 megabytes. Set it to whatever you like, but if your MTA accepts larger emails than spampd, spampd will skip spam filtering on them.

Search the output of "spamassassin -D" for "not available" to find missing optional modules, then install them, e.g. "aptitude install razor pyzor".

Asking people to create SPF records

Please create this DNS TXT record for [example.com]:

[insert SPF TXT record]

It won't cause any SPF verification failures, because the "?all" indicates the list is incomplete, but it will cause the listed servers to get a "pass" instead of a "none" from SPF verification. That is good for spam filters (like mine) that treat email which doesn't get a "pass" as more spammy.
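To make the "pass" versus "none"/"neutral" distinction concrete, and to show how the SPF_NOT_PASS rule from the SpamAssassin section scores on top of it, here is a small SPF evaluator. It is an added example, not code from this page or from SpamAssassin; it replaces DNS with a constructed in-memory TXT table (the domains in it are hypothetical) and supports only the ip4, ip6 and all mechanisms.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (hypothetical zone data, offline).
TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 ?all",   # incomplete list
    "strict.example": "v=spf1 ip4:203.0.113.0/24 -all",                # complete list
    # "nospf.example" deliberately has no TXT record at all
}

# Qualifier prefix on a mechanism -> SPF result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, client_ip):
    """Return the SPF result for the server at client_ip sending as `domain`."""
    record = TXT.get(domain)
    if record is None:
        return "none"                       # no record published: result "none"
    terms = record.split()
    if terms[0] != "v=spf1":
        return "none"                       # TXT record is not an SPF record
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qual = "+"                          # mechanisms default to "+" (pass)
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qual]         # "?all" -> neutral, "-all" -> fail
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            # An IPv4 address is never "in" an IPv6 network (and vice versa).
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        # a, mx, include and exists need real DNS and are not modelled here.
    return "neutral"                        # record exhausted without a match

SPF_NOT_PASS_SCORE = 4.506   # score from the local.cf rule above

def spf_not_pass_score(domain, client_ip):
    """Points SPF_NOT_PASS adds: it hits on every result other than "pass".
    (The page's meta rule also exempts NO_RELAYS, i.e. locally generated mail.)"""
    return 0.0 if check_spf(domain, client_ip) == "pass" else SPF_NOT_PASS_SCORE
```

Note that a listed server under "?all" scores exactly like one under "-all" (both "pass"), while an unlisted server gets "neutral" rather than "fail", so publishing the incomplete record never causes a rejection but does earn the listed servers the lower score.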

http://www.openspf.org/

Some domains using SPF

walmart.com exxonmobil.com chevron.com verizon.com homedepot.com cvs.com boeing.com costco.com target.com dell.com wallgreens.com sprint.com bestbuy.com disney.com americanexpress.com macys.com 3m.com google.com gmail.com aol.com hotmail.com amazon.com ebay.com apple.com microsoft.com schwab.com hulu.com gentoo.org sprint.com zappos.com facebook.com youtube.com blogger.com msn.com twitter.com myspace.com craigslist.org bbc.co.uk photobucket.com about.com