Ask Slashdot: How Do You Handle SPF For Spam Filtering?
An anonymous reader writes "Our organization had had a decent SPF record of our own for a long time. Recently, we decided to try using SPF for filtering inbound mail. On the up side, a lot of bad mail was being caught. On the down side, it seems like there is always a 'very important' message being caught in the filter because the sender has failed to consider all mail sources in writing their record. At first, I tried to assist sending parties with correcting their records out of hope that it was isolated. This quickly started to consume far too much time. I'm learning that many have set up inaccurate but syntactically valid SPF records and forgotten about them, which is probably the worst outcome for SPF as a standard. Are you using SPF? How are you handling false positives caused by inaccurate SPF records?"
SpamAssassin handles SPF reasonably intelligently, that is, not trusting it completely, not giving it more weight than it deserves. Hanging your spam-fighting hat on any single hook is problematic, and SA uses a wealth of tools, constantly updating itself via scripts. It's been largely trouble-free, and we have it set up so that it will learn false positives and false negatives when users move these to the corresponding folders.
I've been well served by SpamAssassin for some time now; it runs quietly on our mail server. SA does not block mail. It flags it. Our mail server will evaluate these flags and trash outright the most egregious spam, but we have the limits set low enough such that we will allow the questionable things through.
We err on the side of caution, but we still dump a lot of mail right after SA flags it. (Our business can do that, your business may not be able to do that.)
Sig Battery depleted. Reverting to safe mode.
That's what DMARC is for. It lets companies specify exactly how to handle their SPF (and DKIM) rules based on how thoroughly they have covered their bases. The company I work for deals with a ton of phishing against our user base and implemented SPF, DKIM, and DMARC with great success.
Google has excellent documentation on the protocol.
"Don't teach a man to fish, feed yourself. He's a grown man. Fishing's not that hard." - Ron Swanson