Just to be clear : SPF is not and never will be a 'spam filter'. It is only helpful in defining which machines are allowed to send mail for a given domain. It's anti-forgery, not anti-spam per se. Murray On Tue, 2004-10-19 at 16:07, Chris Hodgetts wrote:

SPF = Sender Policy Framework..

http://spf.pobox.com/

It's a new sort of spam filter, that is better than the Microsoft offering.

On Tue, 2004-10-19 at 16:03, Craig Whitmore wrote:

...

Hi folks.

We have noticed a number of domains in NZ have entered in their NS's domain.co.nz IN TXT "v=spf1 mx -all"

This means domain.co.nz will never attempt to send emails at all. (but valid emails are trying to be sent). I've talked to a couple of domain holders who had this and they've fixed them but most said it was done ages ago and they where playing and never expected it to catch on (but it has a lot looking at the number)

We (Orcon) have started to use SPF (for testing inbound email) and found it helps with identifying spam. _ALOT_ of people have published valid SPF records.

Thanks Craig Whitmore Orcon Internet

_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

Chris Hodgetts writes:

SPF = Sender Policy Framework..

http://spf.pobox.com/

It's a new sort of spam filter, that is better than the Microsoft offering.

SPF is merely designed to tell you whether an email has come from an authorised server for that domain. If an SPF check fails, it's probably spam. (Or a roaming user and someone hasn't got their config right.) If email passes an SPF check, it doesn't mean it's not spam - spammers can buy their own domains for a couple of bucks and publish their own SPF records. cheers, Jamie -- James Riden / j.riden(a)massey.ac.nz / Systems Security Engineer Information Technology Services, Massey University, NZ. GPG public key available at: http://www.massey.ac.nz/~jriden/

-----Original Message----- From: James Riden [mailto:j.riden(a)massey.ac.nz]

SPF is merely designed to tell you whether an email has come from an authorised server for that domain. If an SPF check fails, it's probably spam. (Or a roaming user and someone hasn't got their config right.)

I've wanted to setup SPF in the past but have always wondered what happens when you have a roaming user sending via paradise for example. Would you need to add all the outbound mx servers; for example paradise receives mail to smtp.paradise then it could come from one of many hosts that do anti virus and spam protection. Would one need to know every internet facing ip for all ISP's mailservers? Barry

On Tue, 2004-10-19 at 16:25 +1300, Craig Whitmore wrote:

...

Working through http://spf.pobox.com/wizard.html seems to suggest that "v=spf1 mx -all" means that only the MXs for the hypothetical 'domain.co.nz' are allowed to send email - otherwise it would be "v=spf1 -all" wouldn't it?

Yes.. your right :-) (I was wrong) "v=spf1 -all" = I will not send any email. "v=spf1 mx -all" = I will only send from mx.domain...

Domain.co.nz was only an example :-) (not a real one with wrong records)

even so.. there are some domains in NZ (and outside NZ) who have incorrect sfp records.

Whew! I have a _heap_ of domains here that have "mx -all" or "a mx -all" for their SPF and these were all originally generated from the spf.pobox.com web based helper. We too have found SPF somewhat useful as further grist for SpamAssassin - not trustable for a variety of reasons, but something that is very susceptible to the sorts of heuristics that SpamAssassin does quite well. Regards, Andrew McMillan. ------------------------------------------------------------------------- Andrew @ Catalyst .Net .NZ Ltd, PO Box 11-053, Manners St, Wellington WEB: http://catalyst.net.nz/ PHYS: Level 2, 150-154 Willis St DDI: +64(4)803-2201 MOB: +64(272)DEBIAN OFFICE: +64(4)499-2267 Expect the worst, it's the least you can do. -------------------------------------------------------------------------

http://www.ietf.org/internet-drafts/draft-iab-dns-choices-00.txt skip straight to Section 4 if you want the punch-line. Abstract This note discusses how to extend the DNS with new data for a new application. DNS extension discussion too often circulate around reuse of the TXT record. This document lists different mechanisms to accomplish the extension to DNS, and comes to the conclusion use of a new RR Type is the best solution.