Milter-greylist

24 \u0430\u0432\u0433\u0443\u0441\u0442\u0430 2016�\u0433. 16:49:01 CEST, "Christian P�lissier Christian.Pelissier@... [milter-greylist]" <milter-greylist@yahoogroups.com> \u043f\u0438\u0448\u0435\u0442:
>Le mercredi 24 ao�t 2016 � 15:37 +0200, manu@...
>[milter-greylist] a �crit :
>>   
>> Christian P�lissier Christian.Pelissier@... [milter-greylist]
>> <milter-greylist@yahoogroups.com> wrote:
>> 
>> > I think a SPF record with ip4:0.0.0.0/0 should be considered to be
>> > the opposite what SPF is for and a such misappropriation should be
>> > treated on the contrary as a strong indication that the sender is a
>> > spammer and should conduct to a spf=fail result.
>> 
>> This is why you have the spf self clause: it matches if your own IP
>is
>> SPF-compliant, which suggests the sender's mask is broad.
>
>So if my IP matches the SPF of a sender
>either my IP is in this SPF sender list
>or the SPF IP range look like ip4=0.0.0.0/0 or a=fr ...
>So I think I have to add 
>
>racl greylist spf self delay 3d
>or
>racl blacklist spf self msg "your SPF record is open"
>
>
>My other question was about the log "DKIM-Compliant" when I have no 
>DKIM-Signature: in the headers
>
>Aug 24 16:38:40 emix2 milter-greylist: u7OEcYxK005972: skipping
>greylist
>because address 194.250.121.16 matches MX record, sender is
>DKIM-compliant, tarpit is requested,
>
> 
>
>
>
>
>> -- 
>> Emmanuel Dreyfus
>> http://hcpnet.free.fr/pubz
>> manu@...
>> 
>> 
>> 
>> 

I wouldn't be too harsh on too-permissive spfs. Just add more delay (e.g. 8hrs) so by the time it expires they might be in a dnsbl. It is different with negatives (source IP not in the defined and allowed SPF pattern) which can be blacklisted quickly.

Many orgs do publish explicit IP ranges for their relays or even workstations, and then add 'all' just in case, at least while they are testing (and corporate IT may take years to move a bit).

Jim
--
Typos courtesy of K-9 Mail on my Samsung Android