This is a discussion on Re: Need a rule written - Can whitelisting be this easy? - SpamAssassin ; 2007/7/12, Meng Weng Wong : > On Jul 12, 2007, at 9:15 AM, Marc Perkel wrote: > > > Need a rule written to take advantage of this trick and this could > > be a major breakthrough in white ...
2007/7/12, Meng Weng Wong
> On Jul 12, 2007, at 9:15 AM, Marc Perkel wrote:
> > Need a rule written to take advantage of this trick and this could
> > be a major breakthrough in white listing.
> > Here's what it needs to do:
> > 1) Take the IP of the connecting host and do an RDNS lookup to get
> > the name.
> > 2) Verify that the name that was looked up resolves to the same IP
> > address.
> > 3) Look up the name in this dns list ===
> > example.com.hostdomain.junkemailfilter.com
> > 4) if it returns 127.0.0.1 - it's ham
> I'd like to suggest that where the domain publishes SPF, we use that;
> where it doesn't, we use your algorithm.
> I recently coded up a very similar approach; I posted about it on the
> SPF and Karmasphere mailing lists. Here is the original message:
> On Jul 12, 2007, at 6:53 PM, Meng Weng Wong wrote:
> > Cross-posted to the SPF and Karmasphere lists ...
> > On Jul 12, 2007, at 12:45 PM, Meng Weng Wong wrote:
> >> Those of you who have been following the authentication movement
> >> will remember that reputation was always part of the plan.
> >> It is the job of SPF/DKIM/etc to provide authentication.
> >> Karmasphere's job is to provide reputation.
> > I have had a huge grin on my face for the last half an hour.
> > Why?
> > This afternoon I finally got up to speed with SpamAssassin's meta-
> > rules.
> > and I just now got this report in my headers:
> > * -0.0 SPF_PASS SPF: sender matches SPF record
> > * -0.0 KS_REPUTABLE_DOMAIN_DNS RBL: Envelope sender in mengwong
> > whitelist feedset
> > * -123 AUTH_ACCOUNTABLE Envelope sender is both authenticated and
> > reputable
> > What does it mean? An SPF pass, on its own, means little; an RHSWL
> > match, on its own, means little; but together, they mean a lot.
> > To obtain that score of -123, the message has to pass SPF and the
> > envelope sender domain has to be whitelisted at the
> > "mengwong.manywl-v1.dnswl.karmasphere.com" RHSWL.
> > "mengwong.manywl-v1" is, in turn, a Karmasphere feedset that
> > contains multiple other whitelists, including the dnswl.org's
> > sources, ISIPP, Truste, and VeriSign's list of SSL certified domains.
> > More feeds are being added to that feedset as we discover new
> > sources of domain whitelists.
> > I am tremendously pleased. For me, this is the culmination of
> > several years of work: SPF offers authentication, and Karmasphere
> > offers reputation. Together, they fight spam!
> > Here's the snippet from my local.cf that does this:
> > # karmasphere domain-based whitelist
> > header KS_REPUTABLE_DOMAIN_DNS eval:check_rbl_envfrom
> > ('mengwong.manywl-v1', 'mengwong.manywl-v1.dnswl.karmasphere.com.')
> > describe KS_REPUTABLE_DOMAIN_DNS Envelope sender in mengwong
> > whitelist feedset
> > tflags KS_REPUTABLE_DOMAIN_DNS net
> > score KS_REPUTABLE_DOMAIN_DNS -0.01
> > meta AUTH_ACCOUNTABLE ((SPF_PASS || DKIM_VERIFIED ||
> > DK_VERIFIED) && KS_REPUTABLE_DOMAIN_DNS)
> > describe AUTH_ACCOUNTABLE Envelope sender is both authenticated
> > and reputable
> > tflags AUTH_ACCOUNTABLE userconf nice noautolearn
> > score AUTH_ACCOUNTABLE -123
> > I'm very happy!
> > (At this time, while Karmasphere is in beta, querying that
> > whitelist requires IP registration; it will not work if you do not
> > have an account. After we're out of beta that requirement will be
> > dropped.)
> > Off to rummage through the fridge in search of champagne...
Well, if my two cents worth anything, here in Argentina most of the
"big fishes" in the internet mail game (telephone and cellular
companies, internet providers, banks, etc) either don't publish any
SPF records at all, or they send their mail from hosts not listed as
MX, or they don't have a proper setup of their RDNS... It makes a
living hell to whitelist some of them, since they switch mail servers
as much as I change my socks (well, maybe I change my socks a little
more often than that...).
Jokes apart, on the other hand, recently we are seeing some
"legitimate" email publilshing enterprises, with proper SPF and MX
setups. Examples of this are 2marketed.com.ar, emailservers.com.ar,
mailservice.com.ar and some others.
Guess that only you could be sure of the hosts you control, as was
said before in this discussion...
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...