Postfix allow spam if no SPF is specified

Discussion in 'Tips/Tricks/Mods' started by MaxT, Jul 28, 2017.

  1. MaxT

    MaxT Member

    with postfix the spam is so easy as don't declare any SPF record, and then postfix always says the message is welcome

    I have received spam with four RBL installed and other restrictions. In the headers of the spammers, I have seen the reason was that no SPF is declared in the other side, and then Postfix always accept it!!!

    Code:
    Received-SPF: None (no SPF record) identity=mailfrom; client-ip=74.6.129.193; helo=sonic309-19.consmr.mail.bf2.yahoo.com; [email protected]; [email protected]
    Received: from sonic309-19.consmr.mail.bf2.yahoo.com (sonic309-19.consmr.mail.bf2.yahoo.com [74.6.129.193])
    
    the only solution is modifying /usr/bin/policyd-spf as this page shows:

    https://serverfault.com/questions/818367/postfix-policyd-spf-reject-none
     
  2. Jesse Norell

    Jesse Norell Well-Known Member

    Rejecting email from domains which do not have SPF records created is a terrible idea for any reasonable mail system - anyone doing so should expect to reject valid mail on a regular basis.
     
  3. MaxT

    MaxT Member

    why?. I didn't know it.
    I'm looking inside the logs and in these few days I cannot find any legitimate email rejected, only spammers.

    Can you be more specific?. Do you think are many systems without a SPF implementation which are legitimate senders?

    thanks!
     
  4. Jesse Norell

    Jesse Norell Well-Known Member

    Because most domains don't use SPF, so you will block mail from most domains. That doesn't mean you'll block most mail (most any large mail system, the bulk of email for typical sites, does use SPF), just mail from most domains (many of which don't even use email).

    In a quick search, http://spf-all.com/stats.html says 72.7% of domains (of 140 million they've checked) do NOT have an spf policy.
     
    MaxT likes this.
  5. MaxT

    MaxT Member

    oh...ok. Thanks for the info.
    I will revert the changes
     
  6. orfi

    orfi New Member

    Hi , i just found your post and i want to complete : no legit emailer will miss SPF settings these days ! and if you find one ..tell him to get spf othervise he will be lost in the internet space.
     
  7. Jesse Norell

    Jesse Norell Well-Known Member

    While that may be ideal, it is not at all true, and a misguided approach to sorting legitimate mail from spam. I have seen numerous mentions on the spamassassin list the spammers are not just fairly good at, but generally better than legitimate mail systems with having valid DKIM and SPF.

    In a quick search of my own server's ham/spam corpus I can confirm that; I have a slightly higher percentage of non-spam which does not have any SPF record than spam. And similarly, 88% of my spam passed SPF, but only 43% of my non-spam did. And for the curious, there were similar results with invalid DKIM signatures, of mail with invalid DKIM signatures, the percentage higher for non-spam. This is of course just one server, not representative of email everywhere.

    You're of course welcome to pursue it if you wish, and maybe if enough people did it would push the adoption of SPF more, but for the general admin looking to minimize headaches it'd probably be best to avoid this approach (look into checking DMARC at your mta instead).
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    That's what I see on my own mail servers as well and why it does not makes much sense for me to use SPF / DKIM as hard filter criteria for spam.
     
    MaxT likes this.

Share This Page