Re: [Asrg] Some statistics on SPF and spam

Dave Warren <lists@hireahit.com> Tue, 12 February 2013 21:41 UTC

On 2/12/2013 11:55, darxus@chaosreigns.com wrote:
> I didn't see the discussion where you promised to produce this, but I think
> the problem is how much non-spam also fails SPF.
>
> From ruleqa.spamassassin.org/?daterev=20130211-r1444680-n&rule=%2Fspf :
>
>    MSECS    SPAM%     HAM%     S/O    RANK   SCORE  NAME   WHO/AGE
>        0   0.0236   0.9635   0.024    0.15    0.00  SPF_FAIL
>        0   0.0383   0.3059   0.111    0.27    0.00  SPF_SOFTFAIL
>
> Way more non-spam is failing than spam.

If you just use SPF for positive scoring and never for negative scoring 
or blocking then that's okay.

I'm also not suggesting that SPF or DKIM or similar alone is sufficient
for positive scoring, but when combined with a local whitelist, I can 
aggressively whitelist companies that we do business with without having 
to worry about a spammer spoofing a whitelisted major corporation.

When the company starts sending mail from a non-listed IP, they don't 
get the benefit of whitelisting, but nothing else "breaks", so there's 
no harm done.

> Catching spam is easy.  Doing so without excessive false positives is
> what's hard.

Amen.

I guarantee you that I can block every single spam, 100% of the time, no 
questions asked, as long as one of the unasked questions is the false 
positive percentage.

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
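
The positive-only policy described in the message above, sketched as an added example (not code from the original post or from any product mentioned in it): an SPF pass earns a bonus only for a locally whitelisted domain, and a fail or softfail changes nothing. The domain names, bonus, threshold and sample messages are constructed assumptions; `s_over_o` reproduces the S/O column of the quoted table from its SPAM% and HAM% columns.

```python
from dataclasses import dataclass

# Assumed values for illustration; none of these come from the original message.
LOCAL_WHITELIST = {"partner.example", "bank.example"}  # companies we do business with
WHITELIST_BONUS = -10.0   # negative score pushes a message toward delivery
SPAM_THRESHOLD = 5.0

@dataclass
class Message:
    mail_from_domain: str  # envelope sender domain, the identity SPF checks
    spf_result: str        # "pass", "fail", "softfail", "neutral", "none"
    content_score: float   # score from all other filters

def spf_adjustment(msg: Message) -> float:
    """Score change contributed by SPF plus the local whitelist.

    Only "pass" for a whitelisted domain earns the bonus. Every other
    result contributes 0, so SPF never penalises or blocks on its own.
    """
    if msg.spf_result == "pass" and msg.mail_from_domain.lower() in LOCAL_WHITELIST:
        return WHITELIST_BONUS
    return 0.0

def verdict(msg: Message) -> str:
    total = msg.content_score + spf_adjustment(msg)
    return "spam" if total >= SPAM_THRESHOLD else "ham"

def s_over_o(spam_pct: float, ham_pct: float) -> float:
    """Share of a rule's hits that are spam: spam% / (spam% + ham%)."""
    return spam_pct / (spam_pct + ham_pct)

# Constructed sample messages.
SAMPLES = {
    # Whitelisted partner, listed IP: bonus outweighs a newsletter-like score.
    "partner_listed_ip": Message("partner.example", "pass", 6.0),
    # Same partner from a new, unlisted IP: no bonus, but no penalty either.
    "partner_new_ip": Message("partner.example", "softfail", 1.2),
    # Spoof of a whitelisted domain: SPF fails, so the whitelist is not applied.
    "spoofed_bank": Message("bank.example", "fail", 7.5),
    # Spammer with a valid SPF record of their own: pass alone earns nothing.
    "spammer_own_spf": Message("bulk-sender.example", "pass", 8.0),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:18} adj={spf_adjustment(msg):6.1f} -> {verdict(msg)}")
    print("SPF_FAIL S/O     =", round(s_over_o(0.0236, 0.9635), 3))
    print("SPF_SOFTFAIL S/O =", round(s_over_o(0.0383, 0.3059), 3))
```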