[Greylist-users] Skipping greylisting based on SPF?
Eric S
ejs at americanlowlife.com
Mon Aug 30 08:29:15 PDT 2004
Valor Romá wrote:
>If my experience can help, I have been using this approach for some
>time. First, SPF check. If SPF PASS, no other checks done, mail passes
>to mailbox. If SPF FAIL, mail is rejected. If other result, then
>greylist, DNSBL, etc. etc.
>
>In all this time I haven't detected even a single spam message that
>came from an SPF PASS check. This solution works very well for me.
>
>Most of the days, I don't even detect one single spam coming to my
>system. Some days I just see 1 spam coming through. And that spam
>coming through has passed greylist after retrying 1400 seconds and
>also a sender address check. But SPF PASS seems 99.999% reliable for
>me.
>
I've seen one spam run so far from a spammer that used SPF records. The
matching part of the SPF record was a /1 network address, which got
rejected by a different Milter before my greylisting code could vote.
When the Perl SPF module added code to tell what part of an SPF record
was matched, I added a few tags so that later spam filtering could
examine it. An MX or A/32 is considered trusted enough to skip
greylisting. Anything that matches an A/24 or smaller is considered OK,
and also skips greylisting. Anything that matches a /16 through /23 is
considered suspect, and doesn't skip greylisting. Anything in the /8 to
/15 range is rejected unless it comes from the actual IP address range
for the /8s. Anything bigger than a /8 is rejected on sight. If the
match was based on the rdns, it's automatically suspect and doesn't skip
greylisting.
At some point, the spammers may adapt, at which point I tighten this
down again and make their jobs a bit harder. SPF is a good thing, even
if by itself it doesn't reduce UBE/UCE.
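
The prefix-length tiers described in the reply above, written out as an added Python example (not part of the original post, and not the poster's Perl/Milter code). The function name, the return labels, the handling of `all` and of unrecognised mechanisms, and the `VERIFIED_LARGE_NETS` allowlist used to model the /8 to /15 exception are assumptions; IPv4 only.

```python
import ipaddress
import re

# Hypothetical allowlist modelling the "/8 to /15" exception: networks the
# site has verified really belong to the sender (constructed value).
VERIFIED_LARGE_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Matched SPF mechanism as reported by the SPF library, e.g. "ip4:192.0.2.0/24",
# "a/24", "mx", "ptr:example.com", "+all".
_MECH = re.compile(r"^\+?(ip4|a|mx|ptr|all)(?::([^/]+))?(?:/(\d{1,2}))?$", re.I)


def greylist_policy(matched: str, client_ip: str) -> str:
    """Return 'skip', 'greylist' or 'reject' for an SPF PASS on `matched`."""
    m = _MECH.match(matched.strip())
    if not m:
        return "greylist"      # assumption: unrecognised mechanism is suspect
    kind, cidr = m.group(1).lower(), m.group(3)
    if kind == "ptr":
        return "greylist"      # rDNS-based match: suspect, still greylisted
    if kind == "all":
        prefix = 0             # assumption: +all authorises every address
    else:
        prefix = int(cidr) if cidr else 32   # no CIDR suffix means one host
    if prefix > 32:
        return "greylist"      # malformed prefix length: treat as suspect
    if prefix >= 24:
        return "skip"          # MX, A/32, anything /24 or smaller
    if prefix >= 16:
        return "greylist"      # /16 through /23: suspect
    if prefix >= 8:
        ip = ipaddress.ip_address(client_ip)
        if any(ip in net for net in VERIFIED_LARGE_NETS):
            return "greylist"  # assumption: the exception is not rejected,
                               # but is still greylisted
        return "reject"        # /8 to /15 with no verified owner
    return "reject"            # bigger than a /8: reject on sight


if __name__ == "__main__":
    # Constructed sample inputs (documentation and private address ranges).
    for mech, ip in [("mx", "192.0.2.10"), ("ip4:192.0.2.0/24", "192.0.2.10"),
                     ("a/20", "192.0.2.10"), ("ip4:10.0.0.0/8", "10.1.2.3"),
                     ("ip4:198.0.0.0/8", "198.51.100.7"),
                     ("ip4:0.0.0.0/1", "192.0.2.10"), ("ptr", "192.0.2.10")]:
        print(f"{mech:20} {ip:15} -> {greylist_policy(mech, ip)}")
```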