Connect. Communicate. Collaborate. Securely.

Home » Kerio User Forums » Kerio Connect » SPF and Caller ID
  •  
bperkins

Messages: 359
Karma: 0
Send a private message to this user
I was wondering how others are using the SPF and Caller ID capabilities in KMS.

I have been logging these for the last several days and see that both would cut down on my spam a lot more if I were to reject these messages. However, I do see some false positives that would reject legitimate messages. I do realize this would be a problem on the senders end, but I still don't want to reject legit email.

I'm thinking of just having it mark the messages as spam, but I would love to reject most of these. This would require me to monitor what is getting rejected, so I could add the false positives to the whitelist.

Just curious how others are using these features.....

Thanks,
BP
  •  
Kerio_jthomas

Messages: 511
Karma: 1
Send a private message to this user
Brian, for failed SPF and CallerID you can add to the spam score. So it's a nice way if you don't trust it 100%.

Joshua Thomas
Technical Support Manager
2350 Mission College Blvd, Suite 400
Santa Clara, CA 95054
Phone: (408) 496-4500
Fax: (408) 496-6902
http://www.kerio.com/support.html

  •  
bperkins

Messages: 359
Karma: 0
Send a private message to this user
Yep, that's probably what I'll end up doing. I was just wondering what others were doing.

Thanks Josh!
  •  
sedell

Messages: 1168
Karma: 1
Send a private message to this user
I don't know if I'd call an SPF failure a false positive if it blocks legit mail. It does what it's supposed to and rejects mail from servers the admin didn't specify in the SPF record. If they make changes to their mail config, it's their responsibility to update the SPF record.

That being said... I block everything that fails SPF. If it turns out to be a legit message, it usually won't bounce more than once or twice. It only takes a few minutes to update an SPF record, and most admins rush to do so since it was most likely an oversight on their part that lead to the mail being bounced in the first place. The only lag then is the DNS replication time.

Caller-ID is a little different since they can specify a record as a testing record. Most records I've seen have the testing flag set to true. I could see where that would lead to false positives since the admins who set them up are still in the process of testing. As long as you don't set the option to 'Apply this policy to also testing Caller ID records' you should be ok.

A word of warning about Caller ID though... it breaks the Blackberry "work-around" posted in the KB. It tells the user to change their from address, but Caller ID will use that from address and validate against your own Caller ID record.

Scott
  •  
bperkins

Messages: 359
Karma: 0
Send a private message to this user
  •  
Pavel Dobry (Kerio)

Messages: 5245
Karma: 251
Send a private message to this user
sedell wrote on Mon, 10 April 2006 19:53


Caller-ID is a little different since they can specify a record as a testing record. Most records I've seen have the testing flag set to true. I could see where that would lead to false positives since the admins who set them up are still in the process of testing. As long as you don't set the option to 'Apply this policy to also testing Caller ID records' you should be ok.



SPF has similar "testing" option - SoftFail (~all). Then the violations of SPF will not be rejected and will be accepted by the server.
  •  
sedell

Messages: 1168
Karma: 1
Send a private message to this user
True, but the Caller ID option to apply to testing records rejects messages even if it's a testing record. There isn't an option in SPF to reject SoftFail messages.

Scott
  •  
Kerio_jthomas

Messages: 511
Karma: 1
Send a private message to this user
sedell wrote on Mon, 10 April 2006 12:47

There isn't an option in SPF to reject SoftFail messages.


I've had a bug open about this for some time =)


[Updated on: Tue, 11 April 2006 17:12]


Joshua Thomas
Technical Support Manager
2350 Mission College Blvd, Suite 400
Santa Clara, CA 95054
Phone: (408) 496-4500
Fax: (408) 496-6902
http://www.kerio.com/support.html

  •  
DSARick

Messages: 46
Karma: 0
Send a private message to this user
Quote:

That being said... I block everything that fails SPF. If it turns out to be a legit message, it usually won't bounce more than once or twice. It only takes a few minutes to update an SPF record, and most admins rush to do so since it was most likely an oversight on their part that lead to the mail being bounced in the first place. The only lag then is the DNS replication time.


Let me run this scenario by you.

You are a small company that uses DSL to connect your business to the internet. You have 4 IP's with one dedicated to your mail server. The company website is hosted by an outside source. You want to setup SPF so you don't get bounced by companies like yours who refuse to accept mail from non SPF compliant servers. So you setup your internal DNS servers, but realize that's not going to work. So you call your web hosting company and they tell you they won't add a SPF record to their DNS servers. What does that company do now besides switch hosting companies?
  •  
sedell

Messages: 1168
Karma: 1
Send a private message to this user
Failing SPF requires that there is an SPF record. A message will only be rejected if there is an SPF record and the IP address the message is being delivered from isn't contained in that record. In cases where there is no SPF record, the validation isn't done. That's why I say there isn't really such a thing as a false positive. If you don't publish an SPF record, you don't fail the check and don't get rejected.

Scott
  •  
winkelman

Messages: 2119
Karma: 3
Send a private message to this user
Indeed. To add to sedels fine explenmation:
Basicly, the idea is that if I create a SPF record for my domain okura.nl, no one else can send okura.nl messages (at least not to servers that check SPF). Basicly, I'm making spoofing my adres somewhat harder.

This has, as sedell says, no consequences for those that do not setup SPF records, other than that other people could be sending mail in 'your name'.
Previous Topic: Keeping Spam in the Inbox
Next Topic: Problems with spam
Goto Forum:
  


Disclaimer:
Kerio discussion forums are intended for open communication between forum members and may contain information and material posted by members which may be useful in learning about Kerio products. The discussion forums are not intended to provide technical support for any specific product. Any information implied or expressed in the discussion forums is that of the posting member. Kerio is in no way responsible for the information posted in the forums, or its accuracy. Kerio employees may participate in the discussions, but their postings do not represent an offical position of the company on any issues raised or discussed. Kerio reserves the right to monitor and maintain the forums to promote free and accurate exchange of information.

Current Time: Sun Nov 19 17:20:55 CET 2017

Total time taken to generate the page: 0.00535 seconds
.:: Contact :: Home ::.
Powered by: FUDforum 3.0.4.